Block E-Mails with Spoofed MAIL FROM:

Discussion in 'General' started by Chris Tripp, May 31, 2018.

  1. Chris Tripp

    Chris Tripp New Member

    I have a user ([email protected]) that recieved an "Invoice" through my mail server.

    How do I block unauthenticated users from sending/relaying email through my mail server with my internal domain? I would expect emails from internal domains to always require authentication.

    Here are the headers from the message: (SPF passed, Envelope-From/Return-Path do NOT match Mail From)

    Code:
    Received: from email.cttechcorp.com (70.62.123.171) by
     MAIL.metrotestbalance.com (192.168.234.15) with Microsoft SMTP Server (TLS)
     id 14.3.382.0; Thu, 31 May 2018 16:02:55 -0400
    Received: from localhost (localhost [127.0.0.1])    by email.cttechcorp.com
     (Postfix) with ESMTP id 68F3642280B    for <[email protected]>; Thu, 31
     May 2018 16:02:54 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at email.cttechcorp.com
    Received: from email.cttechcorp.com ([127.0.0.1])    by localhost
     (email.cttechcorp.com [127.0.0.1]) (amavisd-new, port 10024)    with ESMTP id
     8wtowZqBgyEL for <[email protected]>;    Thu, 31 May 2018 16:02:52 -0400
     (EDT)
    Received-SPF: pass (evirtualservices.com: 162.144.59.77 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ptr' matched)) receiver=email.cttechcorp.com; identity=mailfrom; envelope-from="[email protected]"; helo=server.evirtualservices.com; client-ip=162.144.59.77
    Received: from server.evirtualservices.com (server.evirtualservices.com
     [162.144.59.77])    by email.cttechcorp.com (Postfix) with ESMTPS id 73AA54222F0
        for <[email protected]>; Thu, 31 May 2018 16:02:44 -0400 (EDT)
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=evirtualservices.com; s=default; h=Content-Type:MIME-Version:Subject:
        Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
        Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
        Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=xlWjWGFOLaEJNf431rnvB5rqSzZdapu7EEWCWB0xN2s=; b=dXvR1Ym9qQahQRokAfaOvYY3f
        DjWlRoHknFO0D60JM+3EJ9cYuse2qPooqGUYY53R09i1vvTuRSWcy7QmzQRHSXXn9sEojf2P3mC7l
        9XbNMMX6yGI6nxdWvpGDrWSyt7;
    Received: from dynamic-186-154-204-220.dynamic.etb.net.co
     ([186.154.204.220]:63965 helo=10.0.0.25)    by server.evirtualservices.com with
     esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim 4.89_1)
        (envelope-from <[email protected]>)    id 1fOTmW-0001vg-HD
        for [email protected]; Thu, 31 May 2018 20:02:44 +0000
    Date: Thu, 31 May 2018 15:01:22 -0500
    From: <[email protected]>, Todd
        <[email protected]>
    To: <[email protected]>
    Message-ID: <[email protected]>
    Subject: Emailing: F543407LI 30623, P881638MJ 92790, F27113FP 377590, K424599MV   28466, N806850KN 927395
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_00B5_B6416AE5.A0869422"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.evirtualservices.com
    X-AntiAbuse: Original Domain - metrotestbalance.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - evirtualservices.com
    X-Get-Message-Sender-Via: server.evirtualservices.com: authenticated_id: [email protected]
    X-Authenticated-Sender: server.evirtualservices.com: [email protected]
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: [email protected]
     
  2. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

  3. Chris Tripp

    Chris Tripp New Member

    Installed per README...
    We'll see how it works.
    Thanks!
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Spamassassin might be able to score those higher, but what you're talking about can be outright rejected before you ever send it to spamassassin. Make sure you have a current ISPConfig version, then enable System > Server Config > Mail (tab) > Reject sender and login mismatch, and make sure smtpd_reject_unlisted_sender is set to yes in /etc/postfix/main.cf .. that might be the default with ispconfig now, I don't remember.
     
  5. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    but this is just true for local/client sent mails, not for receiving @Jesse Norell
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Both settings should apply to incoming as well as originating and client sent mail. reject_sender_login_mismatch is in smtpd_sender_login_maps before permit_mynetworks and permit_sasl_authenticated.
    smtpd_reject_unlisted_sender is a setting itself (not part of client/sender/recipient restrictions), and would apply to all incoming mail, at least how I understand it: http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

    Disclaimer: I've tested some of that in the past, but it's been a while and I don't remember specifics - it's possible my memory is off.
     
  7. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    actually totally did not read that.

    hmm soo was that sender authed or not? if not, u might have an issue with your mailconfig.



    hehe nice trick used here, some example / dist-configs include 10.0.0.0/8 networkt in some way as allowed / local network. dunno what happens with hel=$allowed_local_ip but looks interesting.
     

Share This Page