Hello

Today while checking security I stumbled upon a weird spoof problem.
I have enabled SPF checking and reject_sender_login_mismatch and
everything works.
But if I try to send email from an external SMTP server and try to spoof as
shown below, all my SPF and stuff checks will fail.

Information:
My mail server hostname: mail.domain.tld
My email addresses: us...@domain.tld and us...@domain.tld

Using https://www.wormly.com/test_smtp_server for easy testing

Setting SMTP Server to my mail server or IP
If I try to send from us...@domain.tld to us...@domain.tld, the email will
be blocked by SPF check as it should.

Now comes the fun part:
If I try to send email from us...@mail.domain.tld or
notarealu...@mail.domain.tld to us...@domain.tld the mail will pass through.

Postfix logs when spoofing us...@mail.domain.tld:
Nov  9 06:06:15 ns4 postfix/smtpd[790]: 7A96E41865:
client=node-mec2.wormly.com[1xx.xx.2xx.xx]
Nov  9 06:06:16 ns4 postfix/cleanup[796]: 7A96E41865: info: header Subject:
SMTP Test Message from node-mec2.wormly.com[1xx.xx.2xx.xx];
from=<us...@mail.domain.tld> to=<us...@domain.tld> proto=ESMTP
helo=<www.wormly.com>
Nov  9 06:06:16 ns4 postfix/cleanup[796]: 7A96E41865: message-id=<>
Nov  9 06:06:16 ns4 postfix/qmgr[31577]: 7A96E41865:
from=<us...@mail.domain.tld>, size=736, nrcpt=1 (queue active)
Nov  9 06:06:16 ns4 clamsmtpd: 100044: accepted connection from: 127.0.0.1
Nov  9 06:06:16 ns4 postfix/smtpd[799]: connect from localhost[127.0.0.1]
Nov  9 06:06:16 ns4 postfix/smtpd[799]: 1BDF54259A:
client=localhost[127.0.0.1], orig_queue_id=7A96E41865,
orig_client=node-mec2.wormly.com[1xx.xx.2xx.xx]
Nov  9 06:06:16 ns4 postfix/cleanup[796]: 1BDF54259A: message-id=<>
Nov  9 06:06:16 ns4 postfix/qmgr[31577]: 1BDF54259A:
from=<us...@mail.domain.tld>, size=936, nrcpt=1 (queue active)
Nov  9 06:06:16 ns4 clamsmtpd: 100044: from=us...@mail.domain.tld,
to=us...@domain.tld, status=CLEAN
Nov  9 06:06:16 ns4 postfix/smtp[797]: 7A96E41865: to=<us...@domain.tld>,
relay=127.0.0.1[127.0.0.1]:10025, delay=0.85, delays=0.76/0/0.04/0.05,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1BDF54259A)
Nov  9 06:06:16 ns4 postfix/qmgr[31577]: 7A96E41865: removed
Nov  9 06:06:16 ns4 postfix/smtpd[799]: disconnect from localhost[127.0.0.1]
Nov  9 06:06:16 ns4 postfix/smtpd[790]: disconnect from
node-mec2.wormly.com[1xx.xx.2xx.xx]
Nov  9 06:06:16 ns4 spamd[2694]: spamd: connection from localhost
[127.0.0.1] at port 54746
Nov  9 06:06:16 ns4 spamd[2694]: spamd: setuid to user2.domain.tld succeeded
Nov  9 06:06:16 ns4 spamd[2694]: spamd: processing message (unknown) for
user2.domain.tld:1061
Nov  9 06:06:18 ns4 spamd[2694]: spamd: clean message (0.1/5.0) for
us...@domain.tld:1061 in 2.0 seconds, 1041 bytes.
Nov  9 06:06:18 ns4 spamd[2694]: spamd: result: . 0 - MISSING_MID
scantime=2.0,size=1041,user=us...@domain.tld,uid=1061,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=54746,mid=(unknown),autolearn=no
Nov  9 06:06:18 ns4 postfix/local[801]: 1BDF54259A:
to=<user2.domain....@mail.domain.tld>, orig_to=<us...@domain.tld>,
relay=local, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent
(delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

I am out of ideas on how to prevent this.
Any help much appreciated.

--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Strange-spoof-problem-tp62897.html
Sent from the Postfix Users mailing list archive at Nabble.com.
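An added example, not part of the original post or of Postfix itself: a small Python model of the two outcomes described above, using constructed DNS data (domain.tld publishes an SPF record, mail.domain.tld does not) and a constructed local-domain rule. It shows why a sender in a domain with no SPF record evaluates to "none" rather than "fail", and how a rule that rejects unauthenticated senders in every locally handled domain, the server hostname included, closes that gap.

```python
from typing import Dict, List, Optional

# Constructed DNS data for the example. Only the organisational domain
# publishes SPF; the mail host's own name has no TXT record at all.
DNS_TXT: Dict[str, List[str]] = {"domain.tld": ["v=spf1 ip4:203.0.113.10 -all"]}
DNS_A: Dict[str, List[str]] = {
    "domain.tld": ["203.0.113.10"],
    "mail.domain.tld": ["203.0.113.10"],
}
# Constructed list of domains this server delivers for (hypothetical).
LOCAL_DOMAINS = {"domain.tld", "mail.domain.tld"}


def spf_result(sender: str, client_ip: str, txt=DNS_TXT, a=DNS_A) -> str:
    """Simplified SPF evaluation: ip4: and a mechanisms plus all, with the
    four RFC 7208 qualifiers. A domain without a record yields 'none',
    which is not a failure and is therefore not rejected."""
    domain = sender.rsplit("@", 1)[1].lower()
    records = [r for r in txt.get(domain, []) if r.split()[0] == "v=spf1"]
    if not records:
        return "none"
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            return outcome[q]
        if mech.startswith("ip4:") and mech[4:] == client_ip:
            return outcome[q]
        if mech == "a" and client_ip in a.get(domain, []):
            return outcome[q]
    return "neutral"  # no mechanism matched and no 'all' term


def should_reject(sender: str, client_ip: str, sasl_user: Optional[str] = None) -> str:
    """Policy decision for one envelope sender. SPF alone only catches the
    domain with a record; the local-domain rule covers the hostname too."""
    if spf_result(sender, client_ip) == "fail":
        return "reject: SPF fail"
    domain = sender.rsplit("@", 1)[1].lower()
    if domain in LOCAL_DOMAINS and sasl_user is None:
        return "reject: local sender domain without authentication"
    return "accept"


if __name__ == "__main__":
    for s in ("user@domain.tld", "user@mail.domain.tld"):
        print(s, spf_result(s, "198.51.100.7"), should_reject(s, "198.51.100.7"))
```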