Does postfix reject spoofed senders?

Does postfix reject spoofed senders?

Lorenzo Petracchi
Is there a reliable way to reject incoming mails with a spoofed e-mail
address?

Lorenzo

Re: Does postfix reject spoofed senders?

Dominic Raferd
On 30 March 2018 at 06:51, Lorenzo Petracchi <[hidden email]> wrote:
> Is there a reliable way to reject incoming mails with a spoofed e-mail
> address?

Please clarify what you mean.

Re: Does postfix reject spoofed senders?

Lorenzo Petracchi
On Friday 30/03/2018 08:05 Dominic Raferd wrote:

> On 30 March 2018 at 06:51, Lorenzo Petracchi
> <[hidden email]> wrote:
>
>> Is there a reliable way to reject incoming mails with a spoofed e-mail
>> address?
>
> Please clarify what you mean.

In the last few weeks our e-mail users are receiving many messages with
their own address as From header.

I understand that there are many legitimate reasons why the From header
is free but I would like to understand if it is possible and if it makes
sense to reject incoming mail that contains addresses in the form
[hidden email] in the header field when the sender is not one of our SASL
authenticated SMTP senders, or when they are but do not own that address.

    Lorenzo

Re: Does postfix reject spoofed senders?

Sean Greenslade
On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:

> In the last few weeks our e-mail users are receiving many messages with
> their own address as From header.
>
> I understand that there are many legitimate reasons why the From header is
> free but I would like to understand if it is possible and if it makes sense
> to reject incoming mail that contains addresses in the form
> [hidden email] in the header field when the sender is not one of our SASL
> authenticated SMTP senders, or when they are but do not own that address.
>
>    Lorenzo

This is basically what SPF is good for. I set up my mail server to
reject SPF failures on domains that I control, since I know that my
servers are the only ones authorized to send mail from those domains. I
used to get quite a bit of From: [hidden email] spam, and SPF
enforcement put a quick end to that.

--Sean


Re: Does postfix reject spoofed senders?

Bastian Blank-3
On Fri, Mar 30, 2018 at 12:03:37AM -0700, Sean Greenslade wrote:

> On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
> > In the last few weeks our e-mail users are receiving many messages with
> > their own address as From header.
> >
> > I understand that there are many legitimate reasons why the From header is
> > free but I would like to understand if it is possible and if it makes sense
> > to reject incoming mail that contains addresses in the form
> > [hidden email] in the header field when the sender is not one of our SASL
> > authenticated SMTP senders, or when they are but do not own that address.
> >
> >    Lorenzo
>
> This is basically what SPF is good for.

No, it is not.  SPF does not care about the From header, only the
envelope sender.

DMARC, on the other hand, works on the From header, with a lot of
collateral damage.

Bastian

--
I object to intellect without discipline;  I object to power without
constructive purpose.
                -- Spock, "The Squire of Gothos", stardate 2124.5

Re: Does postfix reject spoofed senders?

Dominic Raferd
On 30 March 2018 at 08:09, Bastian Blank
<bastian+postfix-users=[hidden email]> wrote:

> On Fri, Mar 30, 2018 at 12:03:37AM -0700, Sean Greenslade wrote:
>> On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
>> > In the last few weeks our e-mail users are receiving many messages with
>> > their own address as From header.
>> >
>> > I understand that there are many legitimate reasons why the From header is
>> > free but I would like to understand if it is possible and if it makes sense
>> > to reject incoming mail that contains addresses in the form
>> > [hidden email] in the header field when the sender is not one of our SASL
>> > authenticated SMTP senders, or when they are but do not own that address.
>> >
>> >    Lorenzo
>>
>> This is basically what SPF is good for.
>
> No, it is not.  SPF does not care about the From header, only the
> envelope sender.
>
> DMARC, on the other hand, works on the From header, with a lot of
> collateral damage.

I agree SPF blocks based on the envelope sender not the From: header.
So although it might stop problems it is not guaranteed to do so. You
can use SPF/DKIM/DMARC for a more comprehensive solution which will
also enable others to block fake emails from domains under your
control:
1. ensure that all emails by genuine senders using your domain are
passing either SPF or DKIM checks (preferably DKIM, because SPF is
broken by relaying)
2. set up DMARC on your domain and implement opendmarc milter, then -
after testing with p=none - set p=reject, so that your mailservers and
others can block emails that have From: header email address with your
domain but do not pass SPF or DKIM with alignment.

You should also implement a header check to block From: headers where
the text (not the address) is spoofed to look like your domain. (BTW,
before I implemented protection against this we had a real case where
accounting staff were fooled into setting up a payment by this type of
trick):

/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/check_header.pcre

/etc/postfix/check_header.pcre:
if /^From:/
#   emails with From: @our_domains are not blocked here
#   - fake ones should be blocked by opendmarc milter
/(mydomain\.it|mydomain2\.tld)>?$/ DUNNO
# try to block emails that pretend to be from us by
# e.g. From: [hidden email] <[hidden email]>
/mydomain\.it </ REJECT
# e.g. From: Lorenzo Petracchi <[hidden email]>
/Lorenzo Petracchi/i REJECT
endif
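
The distinction this thread turns on, envelope sender (what SPF checks) versus From: header (what DMARC protects), worked through as an added example that is not part of any poster's message or of Postfix/opendmarc. The sample messages, the domains spammer.example and lists.example, and the two-label organizational-domain shortcut are assumptions; mydomain.it is the placeholder domain from the header check above.

```python
from dataclasses import dataclass
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real DMARC verifier derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Alignment: the authenticated domain must match the From: header domain.
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    mail_from: str    # envelope sender (SMTP MAIL FROM): what SPF evaluates
    spf: str          # SPF result for the envelope domain
    dkim: list        # (d= domain, result) for each DKIM signature
    from_header: str  # From: header: what the user sees, what DMARC protects

def dmarc_result(msg, strict=False):
    # DMARC passes if SPF or DKIM passes AND that domain aligns with From:.
    from_dom = parseaddr(msg.from_header)[1].rpartition("@")[2]
    env_dom = msg.mail_from.rpartition("@")[2]
    spf_ok = msg.spf == "pass" and aligned(env_dom, from_dom, strict)
    dkim_ok = any(res == "pass" and aligned(dom, from_dom, strict)
                  for dom, res in msg.dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

FROM = "Lorenzo <lorenzo@mydomain.it>"
# Constructed sample messages (not taken from the thread).
SAMPLES = {
    # Sender uses its own envelope domain, so SPF passes, but forges From:.
    "spoofed": Message("bounce@spammer.example", "pass", [], FROM),
    # Genuine mail sent directly from an authorized server.
    "direct": Message("lorenzo@mydomain.it", "pass", [("mydomain.it", "pass")], FROM),
    # Genuine mail relayed by a forwarder: SPF breaks, DKIM survives.
    "relayed": Message("lorenzo@mydomain.it", "fail", [("mydomain.it", "pass")], FROM),
    # Mailing list rewrites the body (DKIM fails) and uses its own envelope.
    "list": Message("list-bounces@lists.example", "pass", [("mydomain.it", "fail")], FROM),
}

def evaluate(samples=SAMPLES):
    return {name: (m.spf, dmarc_result(m)) for name, m in samples.items()}

if __name__ == "__main__":
    for name, (spf, dmarc) in evaluate().items():
        print(f"{name:8} SPF={spf:5} DMARC={dmarc}")
```

The "spoofed" case passes SPF yet fails DMARC, and the "list" case is wanted mail that fails DMARC: the collateral damage mentioned in the thread.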

Re: Does postfix reject spoofed senders?

Benny Pedersen-2
In reply to this post by Lorenzo Petracchi
Lorenzo Petracchi wrote on 2018-03-30 07:51:
> Is there a reliable way to reject incoming mails with a spoofed e-mail
> address?

yes

i do check_sender_access from recipient maps, and aliases forwards, poor
man's spf :=)

if your domains have spf, reject on fails

do not try to reject from: header without dkim

if dkim fails it could still be wanted emails, since so many mailing lists
break dkim :(

lastly, could you define spoofed in more detail?