not an open relay, but something happened

not an open relay, but something happened

Jeff Abrahamson

I received an obvious phishing mail today from [hidden email] (my own domain).  I appear not to be running an open relay (say the sorts of websites that offer to check these things), and yet this happened:

Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: warning: hostname hosted-by.rootlayer.net does not resolve to address 185.222.57.81
Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: connect from unknown[185.222.57.81]
Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: 8AFC8FF74D: client=unknown[185.222.57.81]
Dec 15 11:58:03 nantes-1 postfix/cleanup[31161]: 8AFC8FF74D: message-id=[hidden email]
Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: [185.222.57.81] [185.222.57.81] not internal
Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: not authenticated
Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: no signature data
Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: from=[hidden email], size=2422, nrcpt=1 (queue active)
Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: disconnect from unknown[185.222.57.81] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 15 11:58:03 nantes-1 dovecot: lda(jeff): msgid=[hidden email]: saved mail to INBOX
Dec 15 11:58:03 nantes-1 postfix/local[31162]: 8AFC8FF74D: to=[hidden email], relay=local, delay=0.12, delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}")
Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: removed

The received mail had headers that looked like this:

Return-Path: [hidden email]
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from p27.eu (unknown [185.222.57.81])
    by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
    for [hidden email]; Tue, 15 Dec 2020 11:58:03 +0100 (CET)
From: p27.eu [hidden email]
To: [hidden email]
Subject: =?UTF-8?B?TGEgc2Vzc2lvbiBhIGV4cGlyw6kg?=p27.eu
Date: 15 Dec 2020 02:58:03 -0800
Message-ID: [hidden email]
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0012_893BC42D.902C898B"

Am I reading this wrong?  Why was that able to happen?  I would have expected a reject because something that is not my domain claimed to be sending mail from my domain without authentication.

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/

Re: not an open relay, but something happened

Ansgar Wiechers
On 2020-12-15 Jeff Abrahamson wrote:

> I received an obvious phishing mail today from [hidden email] (my own
> domain).  I appear not to be running an open relay (say the sorts of
> websites that offer to check these things), and yet this happened:
>
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: warning: hostname
>     hosted-by.rootlayer.net does not resolve to address 185.222.57.81
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: connect from
>     unknown[185.222.57.81]
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: 8AFC8FF74D:
>     client=unknown[185.222.57.81]
>     Dec 15 11:58:03 nantes-1 postfix/cleanup[31161]: 8AFC8FF74D:
>     message-id=<[hidden email]>
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: [185.222.57.81]
>     [185.222.57.81] not internal
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: not authenticated
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: no signature data
>     Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D:
>     from=<[hidden email]>, size=2422, nrcpt=1 (queue active)
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: disconnect from
>     unknown[185.222.57.81] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>     Dec 15 11:58:03 nantes-1 dovecot: lda(jeff):
>     msgid=<[hidden email]>: saved mail to INBOX
>     Dec 15 11:58:03 nantes-1 postfix/local[31162]: 8AFC8FF74D:
>     to=<[hidden email]>, relay=local, delay=0.12, delays=0.08/0.01/0/0.03,
>     dsn=2.0.0, status=sent (delivered to command:
>     /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}")
>     Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: removed
>
> The received mail had headers that looked like this:
>
>     Return-Path: <[hidden email]>
>     X-Original-To: [hidden email]
>     Delivered-To: [hidden email]
>     Received: from p27.eu (unknown [185.222.57.81])
>         by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
>         for <[hidden email]>; Tue, 15 Dec 2020 11:58:03 +0100 (CET)
>     From: p27.eu <[hidden email]>
>     To: [hidden email]
>     Subject: =?UTF-8?B?TGEgc2Vzc2lvbiBhIGV4cGlyw6kg?=p27.eu
>     Date: 15 Dec 2020 02:58:03 -0800
>     Message-ID: <[hidden email]>
>     MIME-Version: 1.0
>     Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0012_893BC42D.902C898B"
>
> Am I reading this wrong?  Why was that able to happen?  I would have
> expected a reject because something that is not my domain claimed to be
> sending mail from my domain without authentication.

Unless I'm misunderstanding something, the mail is being sent to a
(presumably) valid recipient on your server:

    X-Original-To: [hidden email]

so your mail server is going to accept and deliver it.

Spoofing the envelope from address (Return-Path: <[hidden email]>) is
actually valid (per the SMTP protocol) and a common occurrence for mail
sent by bad actors. You need to explicitly disallow sending from your
own domain(s) for inbound mail in your Postfix config if you don't want
people to be able to send mail with an envelope address of, say
[hidden email].

Add this check to the restrictions in main.cf:

  check_sender_access hash:/etc/postfix/sender_from_my_domains

and put your domains in /etc/postfix/sender_from_my_domains:

  p27.eu REJECT No you're not.
  .p27.eu REJECT No you're not.

Run postmap on the file to build/update the database file.

Note that this will only prevent senders from spoofing the envelope from
address:

  Return-Path: <[hidden email]>

It does not affect the From: header in the mail:

  From: p27.eu <[hidden email]>

You need a spam filter if you want to address that as well.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: not an open relay, but something happened

Jeff Abrahamson
On 15/12/2020 12:36, Ansgar Wiechers wrote:

> On 2020-12-15 Jeff Abrahamson wrote:
>> I received an obvious phishing mail today from [hidden email] (my own
>> domain).  I appear not to be running an open relay [...]
>>
>> Am I reading this wrong?  Why was that able to happen?  I would have
>> expected a reject because something that is not my domain claimed to be
>> sending mail from my domain without authentication.
> Unless I'm misunderstanding something, the mail is being sent to a
> (presumably) valid recipient on your server:
>
>     X-Original-To: [hidden email]
>
> so your mail server is going to accept and deliver it.

Yes, you're right.  I was confusing sending _through_ to just spoofing
_from_.  They are, of course, quite different.

Thanks.


> Spoofing the envelope from address (Return-Path: <[hidden email]>) is
> actually valid (per the SMTP protocol) and a common occurrence for mail
> sent by bad actors.
Is prohibiting spoofing envelope from recommended?  I'm not clear on
what, if anything, it would break.  I note that this doesn't happen to
me often.

--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/


Re: not an open relay, but something happened

Ansgar Wiechers
On 2020-12-15 Jeff Abrahamson wrote:
> On 15/12/2020 12:36, Ansgar Wiechers wrote:
>> Spoofing the envelope from address (Return-Path: <[hidden email]>) is
>> actually valid (per the SMTP protocol) and a common occurrence for
>> mail sent by bad actors.
>
> Is prohibiting spoofing envelope from recommended?  I'm not clear on
> what, if anything, it would break.  I note that this doesn't happen to
> me often.

Depends on what your mail infrastructure looks like. If only allowed
mail (i.e. anything that is allowed further up in the restrictions, like
mynetworks or authenticated users) should be allowed to send mail with a
From address like that I'd say you can safely add that restriction.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: not an open relay, but something happened

Benny Pedersen-2
In reply to this post by Jeff Abrahamson
Jeff Abrahamson wrote on 2020-12-15 12:17:
> I received an obvious phishing mail today from [hidden email] (my own
> domain).  I appear not to be running an open relay (say the sorts of
> websites that offer to check these things), and yet this happened:

Why do you accept your own domain on port 25 as envelope sender? You
should reject this.

> Am I reading this wrong?  Why was that able to happen?  I would have
> expected a reject because something that is not my domain claimed to
> be sending mail from my domain without authentication.

It's not an open relay, but a 100% forged sender domain. There is no DKIM
problem as long as OpenDKIM does not see the client IP as internal network;
if it did, it would DKIM-sign the forged sender :/

Why spammers try it is that SpamAssassin naively has whitelist_from. You
should not use this, but only test on whitelist_auth.

Re: not an open relay, but something happened

Michael-5
On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
> why do you accept your own domain in port 25 as envelope sender
> ?

Because I want to receive my own posts in this or any other mailing list.

>, you should reject this

Only if you want to prevent receiving your own posts to this or any other
mailing list.

Or is there another way to achieve this?

greetings...

Re: not an open relay, but something happened

Benny Pedersen-2
Michael wrote on 2020-12-15 18:50:
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
>> why do you accept your own domain in port 25 as envelope sender ?
> because i want to receive my own posts in this or any other mailing
> list.

Envelope sender is not mail from.

>> , you should reject this
> only if you want to prevent receiving your own post to this or any
> other mailing list.

Is SPF different?

Envelope sender is not mail from.

> or is there another way to achieve this?

Rejecting local domains in envelope sender is safe.

> greetings...

Mary Xmax

Re: not an open relay, but something happened

Viktor Dukhovni
In reply to this post by Michael-5
On Tue, Dec 15, 2020 at 06:50:59PM +0100, Michael wrote:
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
> > Why do you accept your own domain in port 25 as envelope sender?
>
> Because I want to receive my own posts in this or any other mailing list.

Mailing lists such as postfix-users change the *envelope* sender, so that
bounces go to the list manager for automated processing, rather than the
original poster.  The treatment of "RFC2822.From" (the "From:" message
header) varies by list and may depend on whether the sender's domain
employs DMARC (I am not known for endorsing DMARC).

For many domains it is reasonably safe to reject external mail that
forges the envelope sender domain.  This is only an issue with simple
alias expansion when the sender is a member of some informal list
hosted outside his domain.

--
    Viktor.

Re: not an open relay, but something happened

Jaroslaw Rafa
In reply to this post by Benny Pedersen-2
On 15.12.2020 at 19:01:34 Benny Pedersen wrote:
>
> reject local domains in envelope sender is safe

The only case when this may cause trouble is when someone with a mail account
outside your domain (say [hidden email]) is forwarding mail to your domain
(say to [hidden email]), and you send mail from your domain (say from
[hidden email]) to [hidden email].

Then it will be sent back to your server with envelope-from from your
domain ([hidden email]).
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: not an open relay, but something happened

Noel Jones-2
In reply to this post by Jeff Abrahamson

On 12/15/2020 5:17 AM, Jeff Abrahamson wrote:
> The received mail had headers that looked like this:
>
...
>     Received: from p27.eu (unknown [185.222.57.81])
>          by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
>          for <[hidden email]>; Tue, 15 Dec 2020 11:58:03 +0100 (CET)

One safe thing you can do is reject outside, unauthenticated hosts
that HELO with your own domain name. This is as close to 100% safe
as any antispam control. It probably won't catch a whole lot of
spam, but it would have gotten this one.

Something like:

# main.cf
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   check_helo_access pcre:/etc/postfix/helo_access.pcre

# /etc/postfix/helo_access.pcre
/\.?p27\.eu$/  REJECT invalid HELO hostname

Also consider using one or two reliable DNS block lists, such as
reject_rbl_client zen.spamhaus.org

   -- Noel Jones
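A Python model of how Postfix walks the restriction list from Noel's post with Ansgar's check_sender_access table appended, run against the connection in the log at the top of the thread. This is an added example, not code from the thread or from Postfix itself; the mynetworks value and the sender addresses are constructed, and the lookup order is a simplified model of access(5).

```python
import ipaddress
import re

# Constructed stand-in for /etc/postfix/sender_from_my_domains (Ansgar's table).
SENDER_ACCESS = {"p27.eu": "REJECT No you're not.",
                 ".p27.eu": "REJECT No you're not."}
# Constructed stand-in for /etc/postfix/helo_access.pcre (Noel's table).
# The pattern is unanchored on the left, so it also matches e.g. "notp27.eu".
HELO_ACCESS_PCRE = [(re.compile(r"\.?p27\.eu$"), "REJECT invalid HELO hostname")]
# Assumed mynetworks value; the thread does not show the real one.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def sender_access_lookup(sender, table, parent_matches_subdomains=True):
    """Simplified access(5) lookup order for an email address: full address,
    then the domain, then each parent domain, then localpart@.  With the
    default parent_domain_matches_subdomains (which lists smtpd_access_maps)
    a bare entry like "p27.eu" also matches subdomains; otherwise the parent
    must be written with a leading dot, ".p27.eu"."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    localpart, _, domain = sender.partition("@")
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if parent_matches_subdomains else "." + parent
        if key in table:
            return table[key]
    return table.get(localpart + "@")


def evaluate(client_ip, sasl_authenticated, helo, sender):
    """Walk the restrictions in order: the first PERMIT or REJECT wins,
    a non-matching restriction falls through (Postfix's DUNNO)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):              # permit_mynetworks
        return "PERMIT permit_mynetworks"
    if sasl_authenticated:                                # permit_sasl_authenticated
        return "PERMIT permit_sasl_authenticated"
    for pattern, action in HELO_ACCESS_PCRE:              # check_helo_access pcre:
        if pattern.search(helo.lower()):
            return action
    action = sender_access_lookup(sender, SENDER_ACCESS)  # check_sender_access hash:
    return action or "DUNNO"
```

For the logged connection (HELO p27.eu from 185.222.57.81, unauthenticated) the HELO check fires first; a forged sender behind an unrelated HELO is still caught by the sender table, while mynetworks and SASL-authenticated clients are permitted before either check runs.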

Re: not an open relay, but something happened

@lbutlr
In reply to this post by Michael-5


> On 15 Dec 2020, at 10:50, Michael <[hidden email]> wrote:
>
> On Tuesday, December 15, 2020 5:57:45 PM CET, Benny Pedersen wrote:
>> why do you accept your own domain in port 25 as envelope sender ?
>
> because i want to receive my own posts in this or any other mailing list.

That is not relevant. Messages "From: " you on a mailing list are not "From " you.

(From: header versus envelope from.)

>> , you should reject this
>
> only if you want to prevent receiving your own post to this or any other mailing list.

No. You should always reject mail claiming to come from your domain that is not coming from your domain.

Always. ALL WAYS.

--
Once upon a time the plural of 'wizard' was 'war'. --The Last Continent