Block E-Mails with Spoofed MAIL FROM:

Discussion in 'General' started by Chris Tripp, May 31, 2018.

  1. Chris Tripp

    I have a user ([email protected]) that received an "Invoice" through my mail server.

    How do I block unauthenticated users from sending/relaying email through my mail server with my internal domain? I would expect emails from internal domains to always require authentication.

    Here are the headers from the message: (SPF passed, Envelope-From/Return-Path do NOT match Mail From)

    Received: from ( by ( with Microsoft SMTP Server (TLS)
     id 14.3.382.0; Thu, 31 May 2018 16:02:55 -0400
    Received: from localhost (localhost [])    by
     (Postfix) with ESMTP id 68F3642280B    for <[email protected]>; Thu, 31
     May 2018 16:02:54 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at
    Received: from ([])    by localhost
     ( []) (amavisd-new, port 10024)    with ESMTP id
     8wtowZqBgyEL for <[email protected]>;    Thu, 31 May 2018 16:02:52 -0400
    Received-SPF: pass ( is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ptr' matched)); identity=mailfrom; envelope-from="[email protected]";; client-ip=
    Received: from (
     [])    by (Postfix) with ESMTPS id 73AA54222F0
        for <[email protected]>; Thu, 31 May 2018 16:02:44 -0400 (EDT)
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Type:MIME-Version:Subject:
         bh=xlWjWGFOLaEJNf431rnvB5rqSzZdapu7EEWCWB0xN2s=; b=dXvR1Ym9qQahQRokAfaOvYY3f
    Received: from
     ([]:63965 helo=    by with
     esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim 4.89_1)
        (envelope-from <[email protected]>)    id 1fOTmW-0001vg-HD
        for [email protected]; Thu, 31 May 2018 20:02:44 +0000
    Date: Thu, 31 May 2018 15:01:22 -0500
    From: <[email protected]>, Todd
        <[email protected]>
    To: <[email protected]>
    Message-ID: <[email protected]>
    Subject: Emailing: F543407LI 30623, P881638MJ 92790, F27113FP 377590, K424599MV   28466, N806850KN 927395
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname -
    X-AntiAbuse: Original Domain -
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain -
    X-Get-Message-Sender-Via: authenticated_id: [email protected]
    X-Authenticated-Sender: [email protected]
    Return-Path: [email protected]
  2. ISPConfig Developer

  3. Chris Tripp

    Installed per README...
    We'll see how it works.
  4. Jesse Norell

    Spamassassin might be able to score those higher, but what you're talking about can be outright rejected before you ever send it to spamassassin. Make sure you have a current ISPConfig version, then enable System > Server Config > Mail (tab) > Reject sender and login mismatch, and make sure smtpd_reject_unlisted_sender is set to yes in /etc/postfix/ .. that might be the default with ispconfig now, I don't remember.
  5. ISPConfig Developer

    But this is only true for local/client-sent mails, not for receiving, @Jesse Norell.
  6. Jesse Norell

    Both settings should apply to incoming as well as originating and client-sent mail. reject_sender_login_mismatch is in smtpd_sender_login_maps before permit_mynetworks and permit_sasl_authenticated.
    smtpd_reject_unlisted_sender is a setting itself (not part of client/sender/recipient restrictions), and would apply to all incoming mail, at least how I understand it:

    Disclaimer: I've tested some of that in the past, but it's been a while and I don't remember specifics - it's possible my memory is off.
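
    The two Postfix settings discussed in the posts above, shown as an added configuration example; this is not the thread's or ISPConfig's own generated config. The domain, the map path and the login names are assumptions, and the restriction list is reduced to what is needed to show the ordering point.

    ```ini
    # /etc/postfix/main.cf (added example; paths, domain and logins are assumptions)

    # Reject MAIL FROM addresses in domains this server is final destination for
    # (mydestination, virtual_mailbox_domains, virtual_alias_domains) that are not
    # known local users or aliases. This is a standalone setting and applies to
    # every SMTP session, authenticated or not.
    smtpd_reject_unlisted_sender = yes

    # Lookup table: MAIL FROM address -> SASL login(s) that own it.
    # reject_sender_login_mismatch rejects (a) an authenticated client whose login
    # does not own the sender address, and (b) an unauthenticated client that uses
    # a sender address that has an owner in this table.
    # Caveat: an address that is NOT in the table has no owner, so case (b) does
    # not fire for it; list every hosted mailbox and alias you want protected.
    smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

    # WEAK ordering: permit_mynetworks and permit_sasl_authenticated return PERMIT
    # and end the evaluation, so a client in mynetworks never reaches the mismatch
    # check and can use any hosted sender address unauthenticated.
    #smtpd_sender_restrictions =
    #    permit_mynetworks,
    #    permit_sasl_authenticated,
    #    reject_sender_login_mismatch

    # CORRECTED ordering: the mismatch check runs first, so an unauthenticated
    # session (including one from mynetworks) using a listed internal sender is
    # rejected before any permit_* rule is consulted.
    smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_sender_domain

    # /etc/postfix/sender_login_maps (run "postmap /etc/postfix/sender_login_maps"
    # after editing). Key: sender address; value: login(s) allowed to use it.
    # user@example.com      user@example.com
    # sales@example.com     user@example.com,alice@example.com
    ```

    After changing the map, run postmap and reload Postfix; a quick check is to connect unauthenticated (for example with openssl s_client on the submission or SMTP port) and issue MAIL FROM with a listed internal address, which should now be rejected at that command rather than reaching amavisd/SpamAssassin.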
  7. ISPConfig Developer

    Actually, I totally did not read that.

    Hmm, so was that sender authed or not? If not, you might have an issue with your mail config.

    Hehe, nice trick used here: some example/dist configs include the network in some way as an allowed/local network. Dunno what happens with helo=$allowed_local_ip, but it looks interesting.
