Block E-Mails with Spoofed MAIL FROM:

Discussion in 'General' started by Chris Tripp, May 31, 2018.

  1. Chris Tripp

    Chris Tripp New Member

    I have a user ([email protected]) that received an "Invoice" through my mail server.

    How do I block unauthenticated users from sending/relaying email through my mail server with my internal domain? I would expect emails from internal domains to always require authentication.

    Here are the headers from the message: (SPF passed, Envelope-From/Return-Path do NOT match Mail From)

    Code:
    Received: from email.cttechcorp.com (70.62.123.171) by
     MAIL.metrotestbalance.com (192.168.234.15) with Microsoft SMTP Server (TLS)
     id 14.3.382.0; Thu, 31 May 2018 16:02:55 -0400
    Received: from localhost (localhost [127.0.0.1])    by email.cttechcorp.com
     (Postfix) with ESMTP id 68F3642280B    for <[email protected]>; Thu, 31
     May 2018 16:02:54 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at email.cttechcorp.com
    Received: from email.cttechcorp.com ([127.0.0.1])    by localhost
     (email.cttechcorp.com [127.0.0.1]) (amavisd-new, port 10024)    with ESMTP id
     8wtowZqBgyEL for <[email protected]>;    Thu, 31 May 2018 16:02:52 -0400
     (EDT)
    Received-SPF: pass (evirtualservices.com: 162.144.59.77 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ptr' matched)) receiver=email.cttechcorp.com; identity=mailfrom; envelope-from="[email protected]"; helo=server.evirtualservices.com; client-ip=162.144.59.77
    Received: from server.evirtualservices.com (server.evirtualservices.com
     [162.144.59.77])    by email.cttechcorp.com (Postfix) with ESMTPS id 73AA54222F0
        for <[email protected]>; Thu, 31 May 2018 16:02:44 -0400 (EDT)
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=evirtualservices.com; s=default; h=Content-Type:MIME-Version:Subject:
        Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
        Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
        Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=xlWjWGFOLaEJNf431rnvB5rqSzZdapu7EEWCWB0xN2s=; b=dXvR1Ym9qQahQRokAfaOvYY3f
        DjWlRoHknFO0D60JM+3EJ9cYuse2qPooqGUYY53R09i1vvTuRSWcy7QmzQRHSXXn9sEojf2P3mC7l
        9XbNMMX6yGI6nxdWvpGDrWSyt7;
    Received: from dynamic-186-154-204-220.dynamic.etb.net.co
     ([186.154.204.220]:63965 helo=10.0.0.25)    by server.evirtualservices.com with
     esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim 4.89_1)
        (envelope-from <[email protected]>)    id 1fOTmW-0001vg-HD
        for [email protected]; Thu, 31 May 2018 20:02:44 +0000
    Date: Thu, 31 May 2018 15:01:22 -0500
    From: <[email protected]>, Todd
        <[email protected]>
    To: <[email protected]>
    Message-ID: <[email protected]>
    Subject: Emailing: F543407LI 30623, P881638MJ 92790, F27113FP 377590, K424599MV   28466, N806850KN 927395
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_00B5_B6416AE5.A0869422"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.evirtualservices.com
    X-AntiAbuse: Original Domain - metrotestbalance.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - evirtualservices.com
    X-Get-Message-Sender-Via: server.evirtualservices.com: authenticated_id: [email protected]
    X-Authenticated-Sender: server.evirtualservices.com: [email protected]
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: [email protected]
     
  2. ztk.me

    ztk.me ISPConfig Developer

  3. Chris Tripp

    Chris Tripp New Member

    Installed per README...
    We'll see how it works.
    Thanks!
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Spamassassin might be able to score those higher, but what you're talking about can be outright rejected before you ever send it to spamassassin. Make sure you have a current ISPConfig version, then enable System > Server Config > Mail (tab) > Reject sender and login mismatch, and make sure smtpd_reject_unlisted_sender is set to yes in /etc/postfix/main.cf; that might be the default with ISPConfig now, I don't remember.
     
  5. ztk.me

    ztk.me ISPConfig Developer

    But this is just true for local/client-sent mail, not for receiving, @Jesse Norell.
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Both settings should apply to incoming as well as originating and client sent mail. reject_sender_login_mismatch is in smtpd_sender_login_maps before permit_mynetworks and permit_sasl_authenticated.
    smtpd_reject_unlisted_sender is a setting itself (not part of client/sender/recipient restrictions), and would apply to all incoming mail, at least how I understand it: http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

    Disclaimer: I've tested some of that in the past, but it's been a while and I don't remember specifics - it's possible my memory is off.
     
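    As an added illustration (not from this thread and not ISPConfig's own templates), here is a Postfix main.cf fragment that puts the settings from posts 4 and 6 together in the restriction order Jesse describes; the hash: map path and the alice@ address are assumptions (ISPConfig generates its own lookup maps from the panel).

```ini
# BEFORE (weak): nothing ties the envelope sender to a login, so any client that
# reaches a permit_* entry can say MAIL FROM:<[email protected]>.
# (alice@ is a constructed example address.)
#smtpd_sender_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated

# AFTER (hardened): the mismatch check comes first, so it is evaluated for
# every client, not only the ones permit_mynetworks / permit_sasl_authenticated
# would otherwise wave through. reject_sender_login_mismatch means:
#  - unauthenticated client + MAIL FROM listed in the map      -> rejected
#  - authenticated client   + MAIL FROM not owned by its login -> rejected
#  - authenticated client   + MAIL FROM owned by its login     -> continues
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated

# Caveat: a trusted internal relay (e.g. a groupware server inside mynetworks)
# that submits unauthenticated with a listed sender address is rejected as well.
# Either let it authenticate, or permit that one client explicitly before the
# mismatch check with check_client_access (a hash: map of client IPs -> OK).

# Separate parameter (not a restriction-list entry): reject a MAIL FROM in one
# of our own domains when that address is not a known mailbox or alias.
smtpd_reject_unlisted_sender = yes

# /etc/postfix/sender_login_maps (assumed path; run "postmap" on it after editing)
# envelope sender                SASL login(s) allowed to use it
#[email protected]      [email protected]
```

    With this in place, a connection like the one in the headers above (an external host relaying unauthenticated with an internal-domain MAIL FROM) is refused at the MAIL FROM stage, before amavis or spamassassin ever see the message.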
  7. ztk.me

    ztk.me ISPConfig Developer

    Actually, totally did not read that.

    Hmm, so was that sender authed or not? If not, you might have an issue with your mail config.



    Hehe, nice trick used here: some example / dist configs include the 10.0.0.0/8 network in some way as an allowed / local network. Dunno what happens with helo=$allowed_local_ip but looks interesting.
     