Reliably identify email forwarded from inside to outside

Reliably identify email forwarded from inside to outside

Jozsef Kadlecsik
Hi,

What would be the best way to identify email which is forwarded to
external addresses by .forward, procmail or sieve rules?

We have control over the mail gateways which handle all incoming-outgoing
traffic, but no real access to the internal servers where the forward
rules may be entered.

Add a specific header (e.g. X-Delivered-To) to the incoming email (it
could be deleted, but let's ignore the possibility) and check it in the
outgoing ones? What are the possibilities for false positives and
negatives? Checking the Received lines looks harder and not a better
approach.

Best regards,
Jozsef
-
E-mail  : [hidden email], [hidden email]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
Re: Reliably identify email forwarded from inside to outside

Aban Dokht
Jozsef Kadlecsik wrote:
> Hi,
>
> What would be the best way to identify email which is forwarded to
> external addresses by .forward, procmail or sieve rules?

As you know the mail domains you are accepting from external, just tag
any mail from internal to external originating from a different
Envelope-From/Header-From as "forwarded".

> Add a specific header (e.g. X-Delivered-To) to the incoming email (it
> could be deleted, but let's ignore the possibility) and check it in the
> outgoing ones? What are the possibilities for false positives and
> negatives? Checking the Received lines looks harder and not a better
> approach.

If you have users sending with different domains than you actually use,
they may also be tagged as forwarded.

Regards
Aban

--
  Aban Dokht                                   [hidden email]
------------------------------------------------------------------
Re: Reliably identify email forwarded from inside to outside

Wietse Venema
Jozsef Kadlecsik:

> Hi,
>
> What would be the best way to identify email which is forwarded to
> external addresses by .forward, procmail or sieve rules?
>
> We have control over the mail gateways which handle all incoming-outgoing
> traffic, but no real access to the internal servers where the forward
> rules may be entered.
>
> Add a specific header (e.g. X-Delivered-To) to the incoming email (it
> could be deleted, but let's ignore the possibility) and check it in the
> outgoing ones? What are the possibilities for false positives and
> negatives? Checking the Received lines looks harder and not a better
> approach.

Look at the top-level Received: header (the one that is added
by Postfix on your gateway). That is definitive evidence that
mail came from inside. Determining if it was forwarded requires
some heuristics, because all the other content might be altered.

        Wietse
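The two answers above can be combined into one outbound-side check: trust only the top Received: line (the one the gateway's own Postfix wrote) as evidence of origin, then apply heuristics such as Aban's sender-domain comparison and a look at the earlier, untrusted hops. The following script is an added example and not code from the thread or from Postfix; INTERNAL_DOMAINS, GATEWAY_HOST and the sample messages are constructed placeholders, and the envelope sender is passed in separately, as a milter or policy daemon would see it.

```python
"""Outbound-side heuristics for spotting mail that entered the organisation
and was forwarded back out. Added example; names below are assumptions."""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"example.org"}   # assumption: domains we accept inbound mail for
GATEWAY_HOST = "gw.example.org"      # assumption: host Postfix writes after 'by' on our gateway


def domain_of(addr):
    """Lower-cased domain part of an address string, '' if there is none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def hop_host(received_line, keyword):
    """Host name following 'from' or 'by' in one Received: line."""
    m = re.search(r"\b%s\s+(\S+)" % keyword, received_line)
    return m.group(1).lower().strip("()[];,") if m else ""


def is_internal_host(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def classify(raw_message, envelope_from):
    """Return origin evidence and forward heuristics for one outbound message."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    reasons = []

    # Wietse's point: the top Received: was added by our own Postfix on the
    # gateway, so it is trustworthy evidence that the message came from inside.
    came_from_inside = bool(received) and hop_host(received[0], "by") == GATEWAY_HOST

    # Aban's heuristic: envelope or header sender domain is not one of ours.
    for label, addr in (("Envelope-From", envelope_from), ("Header-From", msg.get("From"))):
        d = domain_of(addr)
        if d and d not in INTERNAL_DOMAINS:
            reasons.append("%s domain %s is external" % (label, d))

    # Path heuristic: an earlier hop was received from a host outside our domains.
    # Everything below the top Received: is content the sender could have altered.
    for line in received[1:]:
        src = hop_host(line, "from")
        if src and not is_internal_host(src):
            reasons.append("earlier hop received from external host %s" % src)
            break

    return {"came_from_inside": came_from_inside,
            "looks_forwarded": came_from_inside and bool(reasons),
            "reasons": reasons}


# Constructed sample messages (not real traffic).
FORWARDED = (
    "Received: from mail.example.org (mail.example.org [10.0.0.5])"
    " by gw.example.org (Postfix) with ESMTP id AAA1\n"
    "Received: from gw.example.org (gw.example.org [10.0.0.1])"
    " by mail.example.org (Postfix) with ESMTP id AAA2\n"
    "Received: from mx.partner.example (mx.partner.example [203.0.113.7])"
    " by gw.example.org (Postfix) with ESMTP id AAA3\n"
    "From: Alice <alice@partner.example>\nTo: bob@example.org\nSubject: hello\n\nbody\n")

LOCAL = (
    "Received: from mail.example.org (mail.example.org [10.0.0.5])"
    " by gw.example.org (Postfix) with ESMTP id BBB1\n"
    "Received: from pc42.example.org (pc42.example.org [10.0.3.42])"
    " by mail.example.org (Postfix) with ESMTPSA id BBB2\n"
    "From: Bob <bob@example.org>\nTo: carol@elsewhere.example\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    print(classify(FORWARDED, "alice@partner.example"))
    print(classify(LOCAL, "bob@example.org"))
    # Aban's caveat: a user who sends with a non-local address is also tagged.
    print(classify(LOCAL, "bob@other-provider.example"))
```

The third call in the demo shows the false positive Aban warns about: a locally originated message whose envelope sender uses an outside domain gets the same "forwarded" verdict, so the sender-domain rule needs a whitelist of such users or a second signal before it is acted on.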
Re: Reliably identify email forwarded from inside to outside

Jozsef Kadlecsik
On Wed, 2 May 2018, Wietse Venema wrote:

> > What would be the best way to identify email which is forwarded to
> > external addresses by .forward, procmail or sieve rules?
> >
> > We have control over the mail gateways which handle all incoming-outgoing
> > traffic, but no real access to the internal servers where the forward
> > rules may be entered.
> >
> > Add a specific header (e.g. X-Delivered-To) to the incoming email (it
> > could be deleted, but let's ignore the possibility) and check it in the
> > outgoing ones? What are the possibilities for false positives and
> > negatives? Checking the Received lines looks harder and not a better
> > approach.
>
> Look at the top-level Received: header (the one that is added by Postfix
> on your gateway). That is definitive evidence that mail came from inside.
> Determining if it was forwarded requires some heuristics, because all
> the other content might be altered.

This is what I suspected. DKIM signing the Received: lines does not help
either, because the number of external Received: lines changes and I
definitely don't want to delete those lines. Hm, the extra specific header
(X-Delivered-To) however could be signed and any tampering could then be
detected.

Best regards,
Jozsef
-
E-mail  : [hidden email], [hidden email]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
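Jozsef's closing idea, a signed X-Delivered-To header whose tampering can be detected while added Received: lines do not break the signature, can be implemented at the gateway without DKIM: since the same gateways both add and verify the tag, an HMAC under a gateway-held secret is enough. The script below is an added example, not code from the thread or from Postfix; the secret, the signature header name (X-Delivered-To-Signature) and the sample message are assumptions.

```python
"""Tag inbound mail with the internal recipient plus an HMAC over that tag,
then verify the tag on the way out. Added example; names are assumptions."""
import hashlib
import hmac
import time
from email import message_from_string

SECRET = b"constructed-gateway-secret"       # assumption: known only to our gateways
TAG_HEADER = "X-Delivered-To"                # header name proposed in the thread
SIG_HEADER = "X-Delivered-To-Signature"      # assumed name for the signature header


def _mac(message_id, recipient, ts, key):
    """HMAC-SHA256 over the fields we care about. Received: lines are not
    covered, so hops added by a later forward do not invalidate the tag."""
    data = "|".join((message_id, recipient.lower(), ts)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_inbound(raw, recipient, key=SECRET, now=None):
    """Inbound gateway: record the internal recipient and sign the record.
    Binding the Message-ID stops a valid tag being copied onto another message."""
    msg = message_from_string(raw)
    ts = str(int(time.time() if now is None else now))
    msg[TAG_HEADER] = recipient
    msg[SIG_HEADER] = "t=%s; h=%s" % (ts, _mac(msg.get("Message-ID", ""), recipient, ts, key))
    return msg.as_string()


def check_outbound(raw, key=SECRET):
    """Outbound gateway: 'forwarded' if a valid tag is present, 'tampered'
    if the tag or signature was altered or only one of them survives,
    'untagged' if both are gone (the blind spot the thread accepts)."""
    msg = message_from_string(raw)
    tag, sig = msg.get(TAG_HEADER), msg.get(SIG_HEADER)
    if tag is None and sig is None:
        return "untagged"
    if tag is None or sig is None:
        return "tampered"
    fields = dict(p.strip().split("=", 1) for p in sig.split(";") if "=" in p)
    expected = _mac(msg.get("Message-ID", ""), tag, fields.get("t", ""), key)
    return "forwarded" if hmac.compare_digest(expected, fields.get("h", "")) else "tampered"


def drop_header(raw, name):
    """Remove every instance of a header (simulates deletion on an internal server)."""
    msg = message_from_string(raw)
    del msg[name]
    return msg.as_string()


# Constructed inbound message (not real traffic).
INBOUND = ("Message-ID: <constructed-1@partner.example>\n"
           "From: alice@partner.example\nTo: bob@example.org\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    tagged = tag_inbound(INBOUND, "bob@example.org", now=1525248000)
    print(check_outbound(tagged))                                        # forwarded
    altered = tagged.replace("X-Delivered-To: bob@example.org", "X-Delivered-To: eve@example.org")
    print(check_outbound(altered))                                       # tampered
    print(check_outbound(drop_header(tagged, SIG_HEADER)))               # tampered
    print(check_outbound(drop_header(drop_header(tagged, TAG_HEADER), SIG_HEADER)))  # untagged
```

A message that arrives at the outbound gateway with a valid tag naming an internal recipient, but now addressed to an outside recipient, is the forward Jozsef wants to catch; a message with no tag at all cannot be distinguished from locally originated mail, which is the deletion case the thread chooses to ignore.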