Authenticating 'From' header to match envelope


Authenticating 'From' header to match envelope

Johannes Bauer
Hi list,

I'm having an issue with my Postfix configuration: Currently I have it set
up so that one authentication SASL login (e.g., [hidden email]) supports
multiple virtual email addresses (e.g., [hidden email] but also
[hidden email], [hidden email]).

Once authenticated with [hidden email], the envelope sender ("MAIL FROM")
is restricted to only the permissible variants.

However, as I've now painfully found out, when in Thunderbird someone
uses the "Custom From Address" feature, it doesn't change the envelope
sender, but only the actual "From" header field. This means I have the
following situation:

Auth: [hidden email]
Envelope from: [hidden email]
Header 'From': [hidden email]

One of my customers used a gmail address in the header "From", sent an
email to @hotmail.com and now my mailserver is permablocked at Microsoft
for bad reputation.

How can I ensure in the future that the same checks are applied to the
Header "From" field that are also applied to the envelope "From" field?

Thanks,
Johannes

Re: Authenticating 'From' header to match envelope

Wietse Venema
Johannes Bauer:
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Use an external content filter. BTW this email will be delivered
with Envelope from = [hidden email], and from
Header 'From' = my email address. Just so you know.

        Wietse

Re: Authenticating 'From' header to match envelope

Ralph Seichter
On 02.10.2018 12:48, Johannes Bauer wrote:

> Once authenticated with [hidden email], the envelope sender ("MAIL
> FROM") is restricted to only the permissible variants. [...]
>
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Educating the customers would be my first step. Then, you could use
milter-regex (http://www.benzedrine.ch/milter-regex.html) or similar in
your authenticated submission process:

  # /etc/submission-milter-regex.conf
  # Rule 1: refuse any envelope sender in the gmail.com domain outright
  reject "No impersonations please"
  envfrom /@gmail.com>/i

  # Rule 2: require a foo.com envelope sender AND a foo.com 'From' header
  reject "Missing 'From' header or domain mismatch"
  not ( envfrom /@foo.com>/i and header /^From$/i /@foo.com/i )

I cannot test this right now, but it should work. Note that users can
evade check #2 by using headers like

  From: "[hidden email]" <[hidden email]>

but that would be malice, and reason to kick your customer's backside.

-Ralph
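Wietse's "external content filter" and Ralph's milter rules can be expressed as one policy check that parses the From header instead of regex-matching it, so a display name that merely looks like an address (the evasion Ralph describes) is caught too. This is an added example, not code from the thread or from milter-regex; the login-to-address mapping, the function names and the sample addresses are constructed for illustration.

```python
# Added example (not from the thread): a policy function that applies the
# envelope-sender rule to the header "From" as well. Names are hypothetical.
from email import message_from_string
from email.utils import getaddresses

# Constructed mapping: SASL login -> addresses that login may send as.
ALLOWED_SENDERS = {
    "jb@foo.com": {"jb@foo.com", "johannes@foo.com", "info@foo.com"},
}


def header_from_addresses(raw_message):
    """Return (display_name, address) pairs from the From: header.

    getaddresses() understands 'Name <addr>' and multi-address From: lines,
    so an address hidden in a quoted display name is not mistaken for the
    real sender address.
    """
    msg = message_from_string(raw_message)
    return [(name.strip().lower(), addr.lower())
            for name, addr in getaddresses(msg.get_all("From", [])) if addr]


def check_submission(sasl_login, envelope_from, raw_message):
    """Decide ('OK'|'REJECT', reason) for an authenticated submission."""
    allowed = ALLOWED_SENDERS.get(sasl_login.lower(), set())
    # Check 1: the envelope sender must belong to the authenticated login.
    if envelope_from.lower() not in allowed:
        return ("REJECT", "envelope sender not permitted for this login")
    pairs = header_from_addresses(raw_message)
    # Check 2: the From: header must exist and use only permitted addresses.
    if not pairs:
        return ("REJECT", "missing From header")
    for name, addr in pairs:
        if addr not in allowed:
            return ("REJECT", "From header %s does not match login" % addr)
        # Check 3: a display name that itself looks like a foreign address
        # (the '"x@gmail.com" <me@foo.com>' trick) is refused as well.
        if "@" in name and name not in allowed:
            return ("REJECT", "address-like display name %s" % name)
    return ("OK", "")
```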

Re: Authenticating 'From' header to match envelope

Stefan Bauer-2
Johannes,

did you double check if your planned setup will not break other things?

I have similar needs but am not yet deep enough into mail to see possible pitfalls.

Stefan

On Tuesday, 2 October 2018, Johannes Bauer wrote:


Re: Authenticating 'From' header to match envelope

Tobi
> when in Thunderbird someone uses the "Custom From Address" feature, it
> doesn't change the envelope sender, but only the actual "From" header
> field

Are you sure? I just tested with my TB (60.0) under Linux (Fedora 28)
and found that both (envelope from and from header) are changed to the
value I defined in "custom from address"

Btw: at least the Thunderbird question should go to a thunderbird
mailing list. Not really a postfix issue here :-)

Cheers

tobi

On 03.10.18 at 17:33, Stefan Bauer wrote:
