Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris
I'm running Postfix 2.11 and I would like to reject/prevent authenticated users from sending emails with forged sender/from address.

Right now I've implemented the following policy which works just fine:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpd_sender_restrictions =
...
reject_unlisted_sender,
reject_authenticated_sender_login_mismatch,
...

This generates the following output when an authenticated user tries to spoof its sending email address: https://gist.github.com/sibok/efb72be811a51691913a

But I don't know why, when using AfterLogic Webmail to spoof/forge the authenticated user's from/sender email address, Postfix sends the email, because AfterLogic Webmail is only changing the from address but using the correct login and sender address. Pretty strange; here is the output log: https://gist.github.com/sibok/0a6334fa1e5bd3662fc9

In the last log, note the sender is [hidden email] and the recipient is [hidden email]. The spoofed sender is [hidden email]

One can see the spoofed address only appears in the DKIM line; these are the headers of the email received at Google Apps: https://gist.github.com/sibok/a4aa6f96723628efa24e But when sending through Roundcube, RainLoop, Mozilla Thunderbird, etc., Postfix correctly rejects the spoofed sender email, as can be seen in the first provided gist.

Does anyone know how I should/could prevent it? Maybe a regexp header_check?

It looks like AfterLogic Webmail only rewrites the from header while using the correct from address for authenticating against Postfix. Maybe reject_authenticated_sender_login_mismatch is failing?

Thanks in advance!

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Viktor Dukhovni
On Mon, Mar 31, 2014 at 04:32:45PM +0200, Pau Peris wrote:

> I'm running Postfix 2.11 and I would like to reject/prevent authenticated
> users from sending emails with forged sender/from address.

Postfix only restricts forgery of the envelope sender address.
There are no features in Postfix to restrict senders to a particular
RFC 2822 From: address.

If you're operating a submission service where authentication is
required, and for some reason you absolutely must restrict the
"From" address, the best you can do is to configure a dedicated
cleanup(8) instance for the submission service that discards the
From header, in which case if I recall correctly, Postfix will
insert a new From header with the envelope sender email address
(and no full name).

    header_checks:
        /^from:/ IGNORE

This breaks legitimate use of "Resent-From:".  Both Apple's Mail.app
and mutt allow users to resend a message to another recipient in
a way that preserves the original "From:" header so they reply to
the author, (the address of the forwarding user is in "Resent-From")
rather than the person forwarding the mail.

--
        Viktor.
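
An added example, not part of the thread and not Postfix code: the envelope/header distinction drawn above, as a Python check a submission operator could run in a content filter or over stored mail. reject_authenticated_sender_login_mismatch compares the SASL login only with the envelope sender; this check also compares it with the header From: (or Resent-From: for a resent message, per the caveat above). The login map, addresses, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for smtpd_sender_login_maps:
# sender address -> SASL logins allowed to use it.
SENDER_LOGIN_MAP = {
    "alice@example.org": {"alice@example.org"},
    "sales@example.org": {"alice@example.org", "bob@example.org"},
}

def owned_by(address, login):
    """True if the SASL login is listed as an owner of the address."""
    return login.lower() in SENDER_LOGIN_MAP.get(address.lower(), set())

def header_addresses(msg, name):
    """All addr-specs found in every occurrence of one header, lowercased."""
    pairs = getaddresses(msg.get_all(name, []))
    return [addr.lower() for _, addr in pairs if addr]

def audit_submission(sasl_login, envelope_sender, raw_message):
    """Return findings for one submission; an empty list means consistent."""
    findings = []
    # Envelope (MAIL FROM) check: the only address the Postfix restriction sees.
    if not owned_by(envelope_sender, sasl_login):
        findings.append("envelope-mismatch")
    msg = message_from_string(raw_message)
    # A resent message legitimately keeps the original author's From:, so
    # the submitting user is then identified by Resent-From instead.
    resent = header_addresses(msg, "Resent-From")
    if resent:
        label, claimed = "resent-from", resent
    else:
        label, claimed = "from", header_addresses(msg, "From")
    if not claimed:
        findings.append(label + "-missing")
    for addr in claimed:
        if not owned_by(addr, sasl_login):
            findings.append(label + "-mismatch:" + addr)
    return findings

# Constructed sample messages (a few headers plus a one-line body).
MSG_HONEST = ("From: Alice <alice@example.org>\nTo: x@example.net\n"
              "Subject: hi\n\nbody\n")
MSG_HEADER_ONLY = ('From: "The Boss" <boss@example.org>\nTo: x@example.net\n'
                   "Subject: hi\n\nbody\n")
MSG_RESENT = ("Resent-From: alice@example.org\n"
              "From: Carol <carol@example.net>\nTo: x@example.net\n"
              "Subject: fyi\n\nbody\n")

if __name__ == "__main__":
    login = "alice@example.org"
    cases = [
        ("honest", login, MSG_HONEST),
        # Envelope matches the login, only the header differs: passes the
        # envelope restriction, caught only by the header comparison.
        ("header only", login, MSG_HEADER_ONLY),
        # Envelope differs too: the envelope restriction already rejects it.
        ("envelope and header", "boss@example.org", MSG_HEADER_ONLY),
        ("resent", login, MSG_RESENT),
    ]
    for name, envelope, raw in cases:
        print(name, audit_submission(login, envelope, raw))
```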

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris
Hello Viktor,

Thanks a lot for your time and the great explanation, but I think that's not what I'm looking for.

What I'm trying to accomplish is to make sure the from address used in the envelope is the same address used to login. I don't mind if they use a different reply-to address or something similar.

I thought smtpd_sender_login_maps plus reject_unlisted_sender and reject_authenticated_sender_login_mismatch would do the trick, but there's a case where the login address is the same as the sender address - at least that's what it looks like after checking the mail.log - but once I get the email at Google Apps I notice the From header belongs to the forged address edited through the Identity edit form which AfterLogic Webmail provides.

The same Identity forms exist in different webmail solutions or desktop email clients like Roundcube or Mozilla Thunderbird, but I don't know why AfterLogic operates in a different way.

What I would like is to reject the email when the from address has been edited.

I hope you can help me to get a clue here.

Thanks a lot


Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Viktor Dukhovni
On Mon, Mar 31, 2014 at 05:52:33PM +0200, Pau Peris wrote:

> thanks a lot for your time and the great explanation, but I think that's
> not what I'm looking for.
>
> What I'm trying to accomplish is to make sure the from address used in the
> envelope is the same address used to login. I don't mind if they use a
> different reply to address or something similar.

Well, your previous post sure seemed to imply that you wanted to restrict
the From: address in the message header.  Do you know what the term
"envelope sender address" means in SMTP?  I think not.

> I thought smtpd_sender_login_maps plus reject_unlisted_sender and
> reject_authenticated_sender_login_mismatch would do the trick but there's a
> case where login address is the same as the sender address - at least
> that's what it looks like after checking the mail.log - but once I get the
> email at Google Apps I notice the From header belongs to the forged address
> edited through the Identity edit form which AfterLogic Webmail provides.

There you go again, talking about the header From.  MAKE UP YOUR MIND!

> What I would like is to reject the email when the from address has been
> edited.
>
> I hope you can help me to get a clue here.

First understand that the SMTP envelope sender address is NOT the
same thing as the message header From: address.

--
        Viktor.

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris
Hello Viktor,

I really do not know what to answer to you about your last email.

Anyway, as I understand it, the envelope sender is where a computer is going to respond to an email, if needed, and the from header is where people reply to emails. If I'm wrong, just an explanation will suffice.

That said, I'm still wondering - and I do not know if anyone here is able to answer - why Mozilla Thunderbird or Roundcube get rejected when editing the From address - at least it looks to me like the From address and not the envelope sender - but when doing it through AfterLogic Webmail the Postfix mail.log shows a different behavior/flow. I think that could help me to understand what's going on here, in case you know it.

Last, I'm just a Web Software Engineer dealing with some Postfix requirements I try to solve/implement as fast as I can. That's why I'm here, looking for "a little help from a friend".

Thanks in advance,



Re: Can't reject forged sender/from address only when using AfterLogic Webmail

lists@rhsoft.net

On 31.03.2014 19:26, Pau Peris wrote:
> I really do not know what to answer to you about your last email.
>
> Anyway, as I understand envelope sender is where a computer is going to respond to an email, if needed, and the from
> header is where people reply to emails. If I'm wrong just an explanation will suffice.
>
> That said, I'm still wondering - and I do not know if anyone here is able to answer - why Mozilla Thunderbird or
> Roundcube get rejected when editing the From address - at least it looks to me the From address and not the
> envelope sender

there is no "looks to me"

From: Pau Peris <[hidden email]>
Sender: [hidden email]
Return-Path: [hidden email]

above the headers of your message, the "Return-Path" is the envelope


Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris

I'm forwarding the email to the list which was sent to rhsoft by mistake.

Thanks.

Sent from my Android mobile, excuse the brevity.
On Apr 1, 2014 12:42 AM, "[hidden email]" <[hidden email]> wrote:
>
> REPLY TO THE LIST
>
> On 01.04.2014 00:16, Pau Peris wrote:
> > Thanks for your reply.
> >
> > I'm not a native English speaker so, although HTML and top posting are not welcome, I hope grammatical errors are not
> > taken that hard.
> >
> > Jokes apart, I really appreciate your clarification about the return-path and envelope sender, although I'm not
> > able to understand how it is related to the issue exposed. Maybe someone can explain it a little bit.
> >
> > I think the issue I'm suffering is clear. Email clients - desktop and web app ones - provide user Identity editing
> > so one can change the sender/from address and not the envelope one. Am I right here?
> >
> > Following rhsoft tips I managed to reject what I understand is called email sender forging through the config
> > posted in my first email of this thread. But, as I understand, there's still a case which I do not understand at
> > all how it is working and I think it is not related to envelope sender - check logs at gist URLs provided in the first
> > email - where Postfix is not rejecting emails whose from address shown in the headers does not match the login nor the auth
> > sender maps.
> >
> > I hope someone can explain what's happening here.
> >
> > Thank you so much.
> > --
> > Sent from my Android mobile, excuse the brevity.

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris
Not meant to offend, but Viktor, I'm still waiting for your knowledge to come around. And no, I'm not even asking you for a solution which obviously you don't know, but at least to come here and ask for excuses for your unfortunate behavior.

Probably, 20 hours is enough time to read and understand through my initial question, your good friend return-path aka envelope sender is not related to the issue I exposed.

Cheers,


Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Wietse Venema
Pau Peris:
> Not meant to offend, but Viktor, I'm still waiting for your knowledge to
> come around. And no, I'm not even asking you for a solution which obviously
> you don't know, but at least to come here and ask for excuses for your
> unfortunate behavior.
>
> Probably, 20 hours is enough time to read and understand through my initial
> question, your good friend return-path aka envelope sender is not related
> to the issue I exposed.

I must take exception. Your description makes no sense to me, and I
wrote Postfix. You use words that appear to be email related but
it is all gibberish.

        Wietse

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Daniele Nicolodi
In reply to this post by Pau Peris
On 01/04/2014 12:41, Pau Peris wrote:
> Not meant to offend, but Viktor, I'm still waiting for your knowledge to
> come around. And no, I'm not even asking you for a solution which
> obviously you don't know, but at least to come here and ask for excuses
> for your unfortunate behavior.

This is the most fun thing I've read in a very long while!

Cheers,
Daniele


Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Pau Peris
Wietse, exception? Don't fool man. Everyone here knows there is no exception on being at the "friend" side while trying to kick the new kid. Come on, let's make some sense. At your age you should know no one is going to believe this is an ...

Wietse, just one more thing. Don't you think at your age you should be able, at least, to construct a sentence with some reasoning and explaining your point of view instead of trying to sell smokie words? Come on, explain the gibberish. I'm sure you can.

Daniele, yeah, I'm still laughing too. Everyone here talking but no one giving reasons about their words. Hilarious joke!



Re: Can't reject forged sender/from address only when using AfterLogic Webmail

David Figuera-2
In reply to this post by Daniele Nicolodi


> This is the most fun thing I've read in a very long while!

I agree.
Pau, if you want to mail me off-list and discuss your Postfix issue (in Spanish), feel free to do it.

But if you read this thread carefully, you'll realize that these folks have explained to you that Postfix can reject sender/login mismatch on the _envelope_ sender address, not in the "From:" header.

Re: Can't reject forged sender/from address only when using AfterLogic Webmail

Viktor Dukhovni
In reply to this post by Pau Peris
On Tue, Apr 01, 2014 at 02:32:07PM +0200, Pau Peris wrote:

> Come on, let's make some sense.

What makes sense to me is to terminate your membership on this
list, which I've done.  If at some point you decide to stop posting
public tantrums, you can come back, but if so, you must promise to
keep your attitude in check.  Good luck with your future endeavours.

--
        Viktor.