email issue - spoofed email not caught

Discussion in 'General' started by dmgeurts, Dec 12, 2016.

  1. dmgeurts

    dmgeurts Member

    I have spent some time looking into this problem and am finding I'm a little out of my depth with regard to Postfix logic. I'm running a mirrored set of ISPConfig 3.1 servers on Ubuntu 16.04. I have policyd-spf working nicely, and the domain in question has SPF, DKIM and DMARC set up and working. However, I'm baffled why the server accepted a spoofed email and didn't just drop it.

    Any light anyone could shed on this would be most welcome. It makes me wonder whether, despite the domain being set up for DMARC, the servers are checking DMARC themselves. I guess not, as the Perfect Server and ISPConfig tutorials only cover SPF?

    Relevant log entries:
    Code:
    Dec 12 10:45:17 server postfix/postscreen[3491]: CONNECT from [197.155.198.94]:2845 to [79.170.*.*]:25
    Dec 12 10:45:23 server postfix/postscreen[3491]: PASS NEW [197.155.198.94]:2845
    Dec 12 10:45:23 server postfix/smtpd[29095]: connect from dhcpb894adsl.econet.co.ls[197.155.198.94]
    Dec 12 10:45:27 server postfix/smtpd[29095]: NOQUEUE: filter: RCPT from dhcpb894adsl.econet.co.ls[197.155.198.94]: <Lula94@geurts**.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<Lula94@geurts**.com> to=<d.m.geurts@geurts**.com> proto=ESMTP helo=<dhcpb894adsl.econet.co.ls>
    Dec 12 10:45:27 server postfix/smtpd[29095]: NOQUEUE: filter: RCPT from dhcpb894adsl.econet.co.ls[197.155.198.94]: <Lula94@geurts**.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<Lula94@geurts**.com> to=<d.m.geurts@geurts**.com> proto=ESMTP helo=<dhcpb894adsl.econet.co.ls>
    Dec 12 10:45:27 server policyd-spf[25791]: None; identity=helo; client-ip=197.155.198.94; helo=dhcpb894adsl.econet.co.ls; envelope-from=lula94@geurts**.com; receiver=d.m.geurts@geurts**.com
    Dec 12 10:45:32 server policyd-spf[25791]: None; identity=mailfrom; client-ip=197.155.198.94; helo=dhcpb894adsl.econet.co.ls; envelope-from=lula94@geurts**.com; receiver=d.m.geurts@geurts**.com
    Dec 12 10:45:32 server postfix/smtpd[29095]: 9A74BC0A23: client=dhcpb894adsl.econet.co.ls[197.155.198.94]
    Dec 12 10:45:51 server postfix/smtpd[29095]: disconnect from dhcpb894adsl.econet.co.ls[197.155.198.94] ehlo=1 mail=1 rcpt=1 data=1 commands=4
    Dec 12 10:45:53 server amavis[30330]: (30330-19) Passed CLEAN {RelayedInbound}, [197.155.198.94]:2845 [197.155.198.94] <Lula94@geurts**.com> -> <d.m.geurts@geurts**.com>, Queue-ID: 9A74BC0A23, Message-ID: <[email protected]>, mail_id: BkqIeFDH9KyB, Hits: 0.001, size: 46874, queued_as: 81B83C0A2D, 2277 ms
    My understanding so far is that the server receives the email.
    1) HELO check passes
    2) SPF check weirdly succeeds when the SPF record does not permit "197.155.198.94" to send for geurts**.com

    SPF record for geurts**.com: "v=spf1 mx a include:_spf.maizymoo.com -all"
    Recursive SPF: "v=spf1 ip4:79.170.93.67/32 ip4:37.97.222.17/32 ip6:2a02:348:39:5d43::1/128 ip6:2a01:7c8:aac4:f::1/128 -all"

    Same domain, but SPF failed as it should:
    Code:
    Dec  6 05:08:42 server postfix/postscreen[3491]: CONNECT from [58.177.137.131]:63524 to [79.170.*.*]:25
    Dec  6 05:08:48 server postfix/postscreen[3491]: PASS NEW [58.177.137.131]:63524
    Dec  6 05:08:48 server postfix/smtpd[10729]: connect from 058177137131.ctinets.com[58.177.137.131]
    Dec  6 05:08:49 server postfix/smtpd[10729]: NOQUEUE: filter: RCPT from 058177137131.ctinets.com[58.177.137.131]: <office@geurts**.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<office@geurts**.com> to=<d.m.geurts@geurts**.com> proto=ESMTP helo=<058177137131.ctinets.com>
    Dec  6 05:08:49 server postfix/smtpd[10729]: NOQUEUE: filter: RCPT from 058177137131.ctinets.com[58.177.137.131]: <office@geurts**.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<office@geurts**.com> to=<d.m.geurts@geurts**.com> proto=ESMTP helo=<058177137131.ctinets.com>
    Dec  6 05:08:49 server policyd-spf[3228]: None; identity=helo; client-ip=58.177.137.131; helo=058177137131.ctinets.com; envelope-from=office@geurts**.com; receiver=d.m.geurts@geurts**.com
    Dec  6 05:08:55 server policyd-spf[3228]: Fail; identity=mailfrom; client-ip=58.177.137.131; helo=058177137131.ctinets.com; envelope-from=office@geurts**.com; receiver=d.m.geurts@geurts**.com
    Dec  6 05:08:55 server postfix/smtpd[10729]: NOQUEUE: reject: RCPT from 058177137131.ctinets.com[58.177.137.131]: 550 5.7.1 <d.m.geurts@geurts**.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=office@geurts**.com;ip=58.177.137.131;r=d.m.geurts@geurts**.com; from=<office@geurts**.com> to=<d.m.geurts@geurts**.com> proto=ESMTP helo=<058177137131.ctinets.com>
    Dec  6 05:08:56 server postfix/smtpd[10729]: disconnect from 058177137131.ctinets.com[58.177.137.131] ehlo=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=3/5
    main.cf: smtpd_recipient_restrictions
    Code:
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/policy-spf
     
    Last edited: Dec 12, 2016
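As an added illustration (not code from this thread or from policyd-spf), the Python below replays the two identity=mailfrom lines from the logs above against the flattened SPF record quoted in the post and reports any check whose logged result disagrees with what the record says; it evaluates only ip4/ip6 terms and the all qualifier (no live DNS, so mx/a/include are not resolved), and the function and constant names are my own. A logged "None" means policyd-spf found no usable SPF record at lookup time, so with check_policy_service as the last restriction the message was simply accepted.

```python
import ipaddress
import re

# Flattened SPF record for the domain, as quoted in the post (only ip4/ip6 terms plus -all).
FLAT_SPF = ("v=spf1 ip4:79.170.93.67/32 ip4:37.97.222.17/32 "
            "ip6:2a02:348:39:5d43::1/128 ip6:2a01:7c8:aac4:f::1/128 -all")

# Constructed sample: the two identity=mailfrom lines copied from the post's logs.
SAMPLE_LOG = [
    "Dec 12 10:45:32 server policyd-spf[25791]: None; identity=mailfrom; client-ip=197.155.198.94; "
    "helo=dhcpb894adsl.econet.co.ls; envelope-from=lula94@geurts**.com; receiver=d.m.geurts@geurts**.com",
    "Dec  6 05:08:55 server policyd-spf[3228]: Fail; identity=mailfrom; client-ip=58.177.137.131; "
    "helo=058177137131.ctinets.com; envelope-from=office@geurts**.com; receiver=d.m.geurts@geurts**.com",
]

QUALIFIERS = {"-": "Fail", "~": "SoftFail", "?": "Neutral", "+": "Pass"}

def spf_networks(record):
    """Parse a flattened record into (allowed networks, result for the 'all' term)."""
    nets, default = [], "Neutral"          # a record without an 'all' term behaves like ?all
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.endswith("all"):
            default = QUALIFIERS.get(term[0], "Pass")   # bare 'all' means +all
    return nets, default

def expected_result(record, client_ip):
    """SPF result the flattened record yields for this client IP."""
    nets, default = spf_networks(record)
    ip = ipaddress.ip_address(client_ip)
    return "Pass" if any(ip in n for n in nets) else default

LINE = re.compile(r"policyd-spf\[\d+\]: (?P<result>\w+); identity=(?P<identity>\w+); "
                  r"client-ip=(?P<ip>[\w.:]+); helo=\S+; envelope-from=(?P<sender>\S+); receiver=")

def audit(log_lines, record, domain):
    """Return (client_ip, sender, logged, expected) for every mailfrom check of the
    domain whose logged result differs from the record. 'None' logged where 'Fail'
    was expected means the record was not found at lookup time, not that it passed."""
    findings = []
    for line in log_lines:
        m = LINE.search(line)
        if not m or m["identity"] != "mailfrom" or not m["sender"].lower().endswith("@" + domain):
            continue
        expected = expected_result(record, m["ip"])
        if m["result"] != expected:
            findings.append((m["ip"], m["sender"], m["result"], expected))
    return findings
```

Running audit(SAMPLE_LOG, FLAT_SPF, "geurts**.com") flags only the Dec 12 connection, which is the one that got through.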
  2. dmgeurts

    dmgeurts Member

    Has anyone got a decent article on adding opendmarc to ISPConfig 3.1 on Ubuntu 16.04? There are a few I found, but I'm cautious about breaking things that are working now.
     
