On 15/12/2020 12:36, Ansgar Wiechers wrote:
> On 2020-12-15 Jeff Abrahamson wrote:
>> I received an obvious phishing mail today from ad...@p27.eu (my own
>> domain). I appear not to be running an open relay [...]
>>
>> Am I reading this wrong? Why was that able to happen? I would have
>> expected a reject because something that is not my domain claimed to be
>> sending mail from my domain without authentication.
> Unless I'm misunderstanding something, the mail is being sent to a
> (presumably) valid recipient on your server:
>
> X-Original-To: j...@p27.eu
>
> so your mail server is going to accept and deliver it.

Yes, you're right. I was confusing sending _through_ with just spoofing _from_. They are, of course, quite different. Thanks.

> Spoofing the envelope from address (Return-Path: <ad...@p27.eu>) is
> actually valid (per the SMTP protocol) and a common occurrence for mail
> sent by bad actors.

Is prohibiting spoofing envelope from recommended? I'm not clear on what, if anything, it would break.

I note that this doesn't happen to me often.

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/