reject spoofed emails on Postfix

reject spoofed emails on Postfix

Selcuk Yazar
Hi,

We have Postfix 2.6.6 on Red Hat. I installed open-spf, open-dmarc, and dkim. I think everything is fine, but we have e-mail spoofing :(

How can I correct this?

Thanks in advance

Received-SPF: pass (spf2.spf.guru: Sender is authorized to use 'bounces+3150432-2a15-user=[hidden email]' in 'mfrom' identity (mechanism 'include:sendgrid.net' matched)) receiver=domain; identity=mailfrom; envelope-from="bounces+3150432-2a15-user=[hidden email]"; helo=o1.7nf.fshared.sendgrid.net; client-ip=167.89.55.67
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.domain 261CB7BB9CD
Received: from o1.7nf.fshared.sendgrid.net (o1.7nf.fshared.sendgrid.net [167.89.55.67])
	(using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by domain (Postfix) with ESMTPS id 261CB7BB9CD
	for <user@domain>; Wed, 27 Dec 2017 16:16:31 +0300 (+03)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=spf.guru; 
	h=subject:from:to:mime-version:content-type; s=s1; 
	bh=G4EhwYTkXUk041GBBhrYcd5Q5Vw=; b=Lq29h//IIcNVD8yK8GtjU6Cg2U9Tf
	DE8dC6/iuLLnFZdOmaqTYWsiVk1Z+k+EVAlz1CVXVashDtbDtiBHsNWJRnoKAgTd
	ETeeoHGxlbisFwGbinLbKFXrTow1CRPkBujdIWgTgL2d2ok5MRzfo0UdAuMO1xlM
	z8AIf6VCo8EnOs=
Received: by filter0025p3mdw1.sendgrid.net with SMTP id filter0025p3mdw1-23352-5A439D2C-6
        2017-12-27 13:16:28.133251847 +0000 UTC
Received: from spf.guru (192.239.195.35.bc.googleusercontent.com [35.195.239.192])
	by ismtpd0006p1lon1.sendgrid.net (SG) with ESMTP id Zh96E147TxWVqAnTFGlWbA
	for <user@domain>; Wed, 27 Dec 2017 13:16:27.975 +0000 (UTC)
Message-ID: <[hidden email]>
Date: Wed, 27 Dec 2017 13:16:28 +0000 (UTC)
Subject: my emails
From: [hidden email]

Re: reject spoofed emails on Postfix

Dominic Raferd
On 27 December 2017 at 13:31, Selcuk Yazar <[hidden email]> wrote:

> Hi,
>
> We have Postfix 2.6.6 on Red Hat. I installed open-spf, open-dmarc, and
> dkim. I think everything is fine, but we have e-mail spoofing :(
>
> How can I correct this?
>
> Thanks in advance
>
> Received-SPF: pass (spf2.spf.guru: Sender is authorized to use
> 'bounces+3150432-2a15-user=[hidden email]' in 'mfrom' identity
> (mechanism 'include:sendgrid.net' matched)) receiver=domain;
> identity=mailfrom;
> envelope-from="bounces+3150432-2a15-user=[hidden email]";
> helo=o1.7nf.fshared.sendgrid.net; client-ip=167.89.55.67
> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.domain 261CB7BB9CD
> Received: from o1.7nf.fshared.sendgrid.net (o1.7nf.fshared.sendgrid.net
> [167.89.55.67])
> (using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits))
> (No client certificate requested)
> by domain (Postfix) with ESMTPS id 261CB7BB9CD
> for <user@domain>; Wed, 27 Dec 2017 16:16:31 +0300 (+03)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=spf.guru;
> h=subject:from:to:mime-version:content-type; s=s1;
> bh=G4EhwYTkXUk041GBBhrYcd5Q5Vw=; b=Lq29h//IIcNVD8yK8GtjU6Cg2U9Tf
> DE8dC6/iuLLnFZdOmaqTYWsiVk1Z+k+EVAlz1CVXVashDtbDtiBHsNWJRnoKAgTd
> ETeeoHGxlbisFwGbinLbKFXrTow1CRPkBujdIWgTgL2d2ok5MRzfo0UdAuMO1xlM
> z8AIf6VCo8EnOs=
> Received: by filter0025p3mdw1.sendgrid.net with SMTP id
> filter0025p3mdw1-23352-5A439D2C-6
>         2017-12-27 13:16:28.133251847 +0000 UTC
> Received: from spf.guru (192.239.195.35.bc.googleusercontent.com
> [35.195.239.192])
> by ismtpd0006p1lon1.sendgrid.net (SG) with ESMTP id Zh96E147TxWVqAnTFGlWbA
> for <user@domain>; Wed, 27 Dec 2017 13:16:27.975 +0000 (UTC)
> Message-ID: <[hidden email]>
> Date: Wed, 27 Dec 2017 13:16:28 +0000 (UTC)
> Subject: my emails
> From: [hidden email]

This question might be better directed to the opendmarc mailing list -
http://www.trusteddomain.org/mailman/listinfo/opendmarc-users.

I guess opendmarc and/or opendkim is not configured correctly. Since
the internal 'From:' is @whatsapp.com I would expect opendmarc to have
rejected the email. Check in /etc/opendmarc.conf for:

RejectFailures true

Without this opendmarc runs in 'test' mode and won't reject anything.

I am also puzzled not to see any header from opendkim; this is
required by opendmarc (which cannot perform its own dkim checks). So
check if opendkim is working correctly: it should be adding a header
to emails before they are passed to opendmarc. The AuthServID used by
opendkim in this header should be set in /etc/opendmarc.conf at
'TrustedAuthServIDs' so that this header info (and not any other dkim
headers) can be trusted by opendmarc.

BTW, since you have openDMARC 1.3.2 I suggest you use in /etc/opendmarc.conf:

SPFIgnoreResults True
SPFSelfValidate True

This would mean you no longer have to worry about (and can remove from
your setup) the separate spf checking - openDMARC will do its own
(which was unreliable in earlier versions).
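As an added check, not part of the thread or of OpenDMARC itself, the script below applies the three points from the reply above (RejectFailures, a trusted Authentication-Results header from opendkim, and the 1.3.2+ SPF self-validation settings) to a constructed opendmarc.conf and header excerpt. Key names follow the reply and the opendmarc.conf man page; the fallback of TrustedAuthservIDs to AuthservID when unset is an assumption.

```python
import re

# Constructed sample of an /etc/opendmarc.conf in the state the thread describes:
# RejectFailures unset (test mode), no TrustedAuthservIDs, no SPF self-validation.
SAMPLE_CONF = """\
AuthservID mail.example.test
# RejectFailures false
"""

# Constructed header excerpt: Received-SPF and DMARC-Filter present, but no
# Authentication-Results header from opendkim (the gap pointed out in the reply).
SAMPLE_HEADERS = """\
Received-SPF: pass (example) receiver=mail.example.test; identity=mailfrom
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.example.test 261CB7BB9CD
"""

def parse_conf(text):
    # Map lowercased keys to values for the uncommented 'Key value' lines.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, value = line.partition(' ')
            conf[key.lower()] = value.strip()
    return conf

def is_true(value):
    return value is not None and value.lower() in ('true', 'yes', '1')

def audit(conf_text, headers):
    """Return the configuration gaps named in the thread, as a list of strings."""
    conf = parse_conf(conf_text)
    findings = []
    if not is_true(conf.get('rejectfailures')):
        findings.append('RejectFailures not true: OpenDMARC is in test mode')
    # AuthservID token of each Authentication-Results header (added by opendkim).
    seen = {m.group(1).lower() for m in
            re.finditer(r'^Authentication-Results:\s*([^;\s]+)', headers, re.M)}
    # Assumption: TrustedAuthservIDs falls back to AuthservID when unset.
    trusted = {t.strip().lower() for t in
               (conf.get('trustedauthservids') or conf.get('authservid', '')).split(',')}
    if not seen:
        findings.append('no Authentication-Results header: opendkim not signing/verifying?')
    elif not seen & trusted:
        findings.append('TrustedAuthservIDs does not include %s' % ', '.join(sorted(seen)))
    m = re.search(r'^DMARC-Filter: OpenDMARC Filter v(\d+)\.(\d+)\.(\d+)', headers, re.M)
    if m and tuple(map(int, m.groups())) >= (1, 3, 2) and not (
            is_true(conf.get('spfignoreresults')) and is_true(conf.get('spfselfvalidate'))):
        findings.append('OpenDMARC >= 1.3.2: set SPFIgnoreResults and SPFSelfValidate true')
    return findings
```

Running `audit(SAMPLE_CONF, SAMPLE_HEADERS)` reports all three gaps; once the conf carries the settings from the reply and opendkim's Authentication-Results header is present, the list is empty.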