I received an obvious phishing mail today from [hidden email] (my own domain). I appear not to be running an open relay (say the sorts of websites that offer to check these things), and yet this happened:

The received mail had headers that looked like this:

Am I reading this wrong? Why was that able to happen? I would have expected a reject because something that is not my domain claimed to be sending mail from my domain without authentication.

--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
On 2020-12-15 Jeff Abrahamson wrote:
> I received an obvious phishing mail today from [hidden email] (my own
> domain). I appear not to be running an open relay (say the sorts of
> websites that offer to check these things), and yet this happened:
>
> Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: warning: hostname hosted-by.rootlayer.net does not resolve to address 185.222.57.81
> Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: connect from unknown[185.222.57.81]
> Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: 8AFC8FF74D: client=unknown[185.222.57.81]
> Dec 15 11:58:03 nantes-1 postfix/cleanup[31161]: 8AFC8FF74D: message-id=<[hidden email]>
> Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: [185.222.57.81] [185.222.57.81] not internal
> Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: not authenticated
> Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: no signature data
> Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: from=<[hidden email]>, size=2422, nrcpt=1 (queue active)
> Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: disconnect from unknown[185.222.57.81] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
> Dec 15 11:58:03 nantes-1 dovecot: lda(jeff): msgid=<[hidden email]>: saved mail to INBOX
> Dec 15 11:58:03 nantes-1 postfix/local[31162]: 8AFC8FF74D: to=<[hidden email]>, relay=local, delay=0.12, delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}")
> Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: removed
>
> The received mail had headers that looked like this:
>
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from p27.eu (unknown [185.222.57.81])
>         by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
>         for <[hidden email]>; Tue, 15 Dec 2020 11:58:03 +0100 (CET)
> From: p27.eu <[hidden email]>
> To: [hidden email]
> Subject: =?UTF-8?B?TGEgc2Vzc2lvbiBhIGV4cGlyw6kg?=p27.eu
> Date: 15 Dec 2020 02:58:03 -0800
> Message-ID: <[hidden email]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0012_893BC42D.902C898B"
>
> Am I reading this wrong? Why was that able to happen? I would have
> expected a reject because something that is not my domain claimed to be
> sending mail from my domain without authentication.

Unless I'm misunderstanding something, the mail is being sent to a (presumably) valid recipient on your server:

  X-Original-To: [hidden email]

so your mail server is going to accept and deliver it.

Spoofing the envelope from address (Return-Path: <[hidden email]>) is actually valid (per the SMTP protocol) and a common occurrence for mail sent by bad actors. You need to explicitly disallow sending from your own domain(s) for inbound mail in your Postfix config if you don't want people to be able to send mail with an envelope address of, say, [hidden email].

Add this check to the restrictions in main.cf:

  check_sender_access hash:/etc/postfix/sender_from_my_domains

and put your domains in /etc/postfix/sender_from_my_domains:

  p27.eu    REJECT No you're not.
  .p27.eu   REJECT No you're not.

Run postmap on the file to build/update the database file.

Note that this will only prevent senders from spoofing the envelope from address:

  Return-Path: <[hidden email]>

It does not affect the From: header in the mail:

  From: p27.eu <[hidden email]>

You need a spam filter if you want to address that as well.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
On 15/12/2020 12:36, Ansgar Wiechers wrote:
> On 2020-12-15 Jeff Abrahamson wrote:
>> I received an obvious phishing mail today from [hidden email] (my own
>> domain). I appear not to be running an open relay [...]
>>
>> Am I reading this wrong? Why was that able to happen? I would have
>> expected a reject because something that is not my domain claimed to be
>> sending mail from my domain without authentication.
> Unless I'm misunderstanding something, the mail is being sent to a
> (presumably) valid recipient on your server:
>
> X-Original-To: [hidden email]
>
> so your mail server is going to accept and deliver it.

Yes, you're right. I was confusing sending _through_ with just spoofing _from_. They are, of course, quite different. Thanks.

> Spoofing the envelope from address (Return-Path: <[hidden email]>) is
> actually valid (per the SMTP protocol) and a common occurrence for mail
> sent by bad actors.

Is prohibiting spoofing envelope from recommended? I'm not clear on what, if anything, it would break. I note that this doesn't happen to me often.

--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
On 2020-12-15 Jeff Abrahamson wrote:
> On 15/12/2020 12:36, Ansgar Wiechers wrote:
>> Spoofing the envelope from address (Return-Path: <[hidden email]>) is
>> actually valid (per the SMTP protocol) and a common occurrence for
>> mail sent by bad actors.
>
> Is prohibiting spoofing envelope from recommended? I'm not clear on
> what, if anything, it would break. I note that this doesn't happen to
> me often.

Depends on what your mail infrastructure looks like. If only allowed mail (i.e. anything that is allowed further up in the restrictions, like mynetworks or authenticated users) should be allowed to send mail with a From address like that, I'd say you can safely add that restriction.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Jeff Abrahamson wrote on 2020-12-15 12:17:
> I received an obvious phishing mail today from [hidden email] (my own
> domain). I appear not to be running an open relay (say the sorts of
> websites that offer to check these things), and yet this happened:

Why do you accept your own domain on port 25 as envelope sender? You should reject this.

> Am I reading this wrong? Why was that able to happen? I would have
> expected a reject because something that is not my domain claimed to
> be sending mail from my domain without authentication.

It's not an open relay, but a 100% forged sender domain. There is no DKIM problem as long as opendkim does not see the client IP as internal network; then it would DKIM-sign the forged sender :/

Why spammers try it is that SpamAssassin naively has whitelist_from. You should not use this, but only test on whitelist_auth.
On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
> why do you accept your own domain in port 25 as envelope sender
> ?

Because I want to receive my own posts in this or any other mailing list.

>, you should reject this

Only if you want to prevent receiving your own post to this or any other mailing list. Or is there another way to achieve this?

greetings...
Michael wrote on 2020-12-15 18:50:
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
>> why do you accept your own domain in port 25 as envelope sender ?
> because i want to receive my own posts in this or any other mailing
> list.

Envelope sender is not mail from.

>> , you should reject this
> only if you want to prevent receiving your own post to this or any
> other mailing list.

Is SPF different? Envelope sender is not mail from.

> or is there another way to achieve this?

Reject local domains in envelope sender is safe.

> greetings...

Mary Xmax
On Tue, Dec 15, 2020 at 06:50:59PM +0100, Michael wrote:
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
> > Why do you accept your own domain in port 25 as envelope sender?
>
> Because I want to receive my own posts in this or any other mailing list.

Mailing lists such as postfix-users change the *envelope* sender, so that bounces go to the list manager for automated processing, rather than the original poster. The treatment of "RFC2822.From" (the "From:" message header) varies by list and may depend on whether the sender's domain employs DMARC (I am not known for endorsing DMARC).

For many domains it is reasonably safe to reject external mail that forges the envelope sender domain. This is only an issue with simple alias expansion when the sender is a member of some informal list hosted outside his domain.

--
Viktor.
On 15.12.2020 at 19:01:34 Benny Pedersen wrote:
> reject local domains in envelope sender is safe

The only case when this may cause trouble is when someone with a mail account outside your domain (say [hidden email]) is forwarding mail to your domain (say to [hidden email]), and you send mail from your domain (say from [hidden email]) to [hidden email]. Then it will be sent back to your server with envelope-from from your domain ([hidden email]).

--
Regards,
Jaroslaw Rafa
[hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
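The following is an added example and not code from anyone in this thread. It emulates how Postfix's check_sender_access applies the /etc/postfix/sender_from_my_domains map Ansgar Wiechers posted to the SMTP envelope sender, and runs it over the situations raised above: the phishing mail itself, your own post echoed by a mailing list (Viktor's point that lists rewrite the envelope sender), and mail bounced back by an outside forwarder (Jaroslaw's caveat). It also shows that the header From: is never consulted by this check. Assumptions, all mine: parent_domain_matches_subdomains keeps its Postfix default (which lists smtpd_access_maps, so "p27.eu" also matches subdomains and the ".p27.eu" line only covers the non-default mode, per access(5)); permit_mynetworks and permit_sasl_authenticated sit before check_sender_access in the restriction list; every address, the list bounce name and the forwarder are constructed placeholders.

```python
# Added example, not code from the thread: emulate Postfix's check_sender_access
# with the /etc/postfix/sender_from_my_domains map Ansgar Wiechers posted, and
# run it over the cases the thread discusses.  Addresses and the list/forwarder
# names below are constructed placeholders.
from email import message_from_string

# Contents of /etc/postfix/sender_from_my_domains as posted (before postmap).
SENDER_ACCESS = {
    "p27.eu": "REJECT No you're not.",
    ".p27.eu": "REJECT No you're not.",
}

# Assumption: parent_domain_matches_subdomains keeps its Postfix default, which
# lists smtpd_access_maps.  Then "p27.eu" also matches subdomains and the
# ".p27.eu" line is never consulted; flip this to False to see the other mode,
# in which only the ".p27.eu" line catches subdomains (see access(5)).
PARENT_DOMAIN_MATCHES_SUBDOMAINS = True


def access_lookup_keys(address):
    """Keys Postfix tries, in order, for an access(5) lookup of an address:
    user@domain, the domain, its parent domains, then user@."""
    address = address.strip("<>").lower()
    if "@" not in address:
        return []
    user, domain = address.rsplit("@", 1)
    labels = domain.split(".")
    keys = [address, domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if PARENT_DOMAIN_MATCHES_SUBDOMAINS else "." + parent)
    keys.append(user + "@")
    return keys


def check_sender_access(envelope_sender):
    """First matching action from the map, or None (DUNNO) when nothing matches."""
    for key in access_lookup_keys(envelope_sender):
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return None


def smtpd_decision(envelope_sender, client_in_mynetworks=False,
                   sasl_authenticated=False):
    """Simplified restriction list: permit_mynetworks, permit_sasl_authenticated,
    check_sender_access.  Clients that pass the permits never reach the map."""
    if client_in_mynetworks or sasl_authenticated:
        return "OK"
    return check_sender_access(envelope_sender) or "DUNNO"


def scenarios():
    """The situations raised in the thread, keyed by name."""
    return {
        # The phishing mail: unknown client, MAIL FROM in the local domain.
        "spoofed external": smtpd_decision("<victim@p27.eu>"),
        # Your own post echoed by a list: the list rewrote the envelope sender
        # to its bounce address (Viktor's point), so the map does not fire.
        "mailing list echo": smtpd_decision("<list-bounces@lists.example>"),
        # Mail you sent to an outside account that forwards back to you: the
        # envelope sender is still yours, so it is rejected (Jaroslaw's caveat).
        "external forwarder": smtpd_decision("<you@p27.eu>"),
        # Your own MUA submitting over SASL is permitted before the map runs.
        "sasl submission": smtpd_decision("<you@p27.eu>", sasl_authenticated=True),
    }


# Constructed message modelled on the headers Jeff posted.
SPOOFED_MESSAGE = """\
Return-Path: <victim@p27.eu>
Received: from p27.eu (unknown [185.222.57.81])
        by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
From: p27.eu <victim@p27.eu>
To: victim@p27.eu
Subject: La session a expire p27.eu

(phishing body)
"""


def header_from(raw_message):
    """The RFC 5322 From: header.  check_sender_access never looks at it, which
    is Ansgar's closing caveat: header_checks or a content filter are needed."""
    return message_from_string(raw_message)["From"]


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:20s} -> {decision}")
    print("header From: still reads", header_from(SPOOFED_MESSAGE))
```

The "external forwarder" case is the one to plan for before adding the map: if you rely on an outside account that forwards to you, its sending hosts must be permitted earlier in the restriction list (for instance by a check_client_access entry for them, which is my suggestion and not something the thread states), or that forwarded mail will be rejected exactly as the phishing mail was.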
On 12/15/2020 5:17 AM, Jeff Abrahamson wrote:
> The received mail had headers that looked like this:
> ...
> Received: from p27.eu (unknown [185.222.57.81])
>         by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
>         for <[hidden email]>; Tue, 15 Dec 2020 11:58:03 +0100 (CET)

One safe thing you can do is reject outside, unauthenticated hosts that HELO with your own domain name. This is as close to 100% safe as any antispam control. It probably won't catch a whole lot of spam, but it would have gotten this one. Something like:

  # main.cf
  smtpd_recipient_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      check_helo_access pcre:/etc/postfix/helo_access.pcre

  # /etc/postfix/helo_access.pcre
  /\.?p27\.eu$/   REJECT invalid HELO hostname

Also consider using one or two reliable DNS block lists, such as

  reject_rbl_client zen.spamhaus.org

--
Noel Jones
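An added example, not Noel Jones's code: it exercises the HELO pattern from his post against a few constructed HELO names (including the "p27.eu" the phishing client used), puts a slightly tighter pattern beside it, and walks the posted restriction order so that mynetworks and SASL clients are shown to bypass the check. The assumptions are mine: Postfix pcre tables match case-insensitively by default and the first matching pattern wins, which Python's re module is used to emulate here; the sample HELO names are constructed.

```python
# Added example, not Noel Jones's code: exercise the HELO pattern from the post
# against sample HELO names (constructed), alongside a slightly tighter pattern,
# and walk the posted restriction order so mynetworks/SASL clients are never
# affected.  Assumption: Postfix pcre tables match case-insensitively by default
# and the first matching pattern wins, which Python's re emulates here.
import re

# /etc/postfix/helo_access.pcre as posted: anything ending in "p27.eu".
POSTED_PATTERN = re.compile(r"\.?p27\.eu$", re.IGNORECASE)

# Tighter alternative: require a label boundary, so an unrelated domain that
# merely ends in the string "p27.eu" (say "xp27.eu") is not rejected.
TIGHT_PATTERN = re.compile(r"(^|\.)p27\.eu$", re.IGNORECASE)

HELO_ACTION = "REJECT invalid HELO hostname"


def check_helo_access(helo, pattern=TIGHT_PATTERN):
    """Emulates check_helo_access pcre:...: the action of the first matching
    pattern, or None (DUNNO) if no pattern matches."""
    return HELO_ACTION if pattern.search(helo) else None


def smtpd_recipient_restrictions(helo, client_in_mynetworks=False,
                                 sasl_authenticated=False):
    """permit_mynetworks, permit_sasl_authenticated, check_helo_access, in the
    order of the posted main.cf; the first restriction with an opinion wins."""
    if client_in_mynetworks:
        return "OK permit_mynetworks"
    if sasl_authenticated:
        return "OK permit_sasl_authenticated"
    return check_helo_access(helo) or "DUNNO"


SAMPLE_HELOS = [
    "p27.eu",                    # the phishing client's HELO from the thread
    "MAIL.P27.EU",               # subdomain, different case
    "xp27.eu",                   # foreign domain that only ends in "p27.eu"
    "p27.eu.attacker.example",   # "p27.eu" as a prefix: not our domain
    "[185.222.57.81]",           # address literal
]


def compare_patterns():
    """(helo, posted_result, tight_result) for each sample, to show where the
    two patterns disagree."""
    return [(h, check_helo_access(h, POSTED_PATTERN), check_helo_access(h))
            for h in SAMPLE_HELOS]


if __name__ == "__main__":
    for helo, posted, tight in compare_patterns():
        print(f"{helo:28s} posted={str(posted):30s} tight={tight}")
```

The two patterns only disagree on names like "xp27.eu"; in the Postfix file the tighter form is written as `/(^|\.)p27\.eu$/`. One caveat not in the post: check_helo_access can only act on a HELO name the client actually sent, so a client that skips HELO/EHLO is not caught unless smtpd_helo_required is set to yes.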
> On 15 Dec 2020, at 10:50, Michael <[hidden email]> wrote:
>
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
>> why do you accept your own domain in port 25 as envelope sender ?
>
> because i want to receive my own posts in this or any other mailing list.

That is not relevant. Messages "From: " you on a mailing list are not "From " you. (From: header versus envelope from.)

>> , you should reject this
>
> only if you want to prevent receiving your own post to this or any other mailing list.

No. You should always reject mail claiming to come from your domain that is not coming from your domain. Always. ALL WAYS.

--
Once upon a time the plural of 'wizard' was 'war'. --The Last Continent