Re: Does postfix reject spoofed senders?

2018-03-30 Thread Benny Pedersen

Lorenzo Petracchi wrote on 2018-03-30 07:51:
> Is there a reliable way to reject incoming mails with a spoofed e-mail
> address?


yes

i do check_sender_access from recipient maps, and aliases forwards, poor 
man's spf :=)


if your domains have spf, reject on fails

do not try to reject from: header without dkim

if dkim fails it could still be wanted emails, since so many mailing lists 
break dkim :(


lastly could you define spoofed more in detail ?


Re: Does postfix reject spoofed senders?

2018-03-30 Thread Dominic Raferd
On 30 March 2018 at 08:09, Bastian Blank wrote:
> On Fri, Mar 30, 2018 at 12:03:37AM -0700, Sean Greenslade wrote:
>> On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
>> > In the last few weeks our e-mail users are receiving many messages with
>> > their own address as From header.
>> >
>> > I understand that there are many legitimate reasons why the From header is
>> > free but I would like to understand if it is possible and if it makes sense
>> > to reject incoming mail that contains addresses in the form
>> > al...@mydomain.it in the header field when the sender is not one of our SASL
>> > authenticated SMTP senders or when they are but do not own that address.
>> >
>> >Lorenzo
>>
>> This is basically what SPF is good for.
>
> No, it is not.  SPF does not care about the From header, only the
> envelope sender.
>
> DMARC on the other hand works on the From header, with a lot of
> collateral damage.

I agree SPF blocks based on the envelope sender not the From: header.
So although it might stop problems it is not guaranteed to do so. You
can use SPF/DKIM/DMARC for a more comprehensive solution which will
also enable others to block fake emails from domains under your
control:
1. ensure that all emails by genuine senders using your domain are
passing either SPF or DKIM checks (preferably DKIM, because SPF is
broken by relaying)
2. set up DMARC on your domain and implement opendmarc milter, then -
after testing with p=none - set p=reject, so that your mailservers and
others can block emails that have From: header email address with your
domain but do not pass SPF or DKIM with alignment.

You should also implement a header check to block From: headers where
the text (not the address) is spoofed to look like your domain. (BTW,
before I implemented protection against this we had a real case where
accounting staff were fooled into setting up a payment by this type of
trick):

/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/check_header.pcre

/etc/postfix/check_header.pcre:
if /^From:/
#   emails with From: @our_domains are not blocked here
#   - fake ones should be blocked by opendmarc milter
/(mydomain\.it|mydomain2\.tld)>?$/ DUNNO
# try to block emails that pretend to be from us by
# e.g. From: lore...@mydomain.it 
/mydomain\.it 
/Lorenzo Petracchi/i REJECT
endif
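
The header check described above can be tried offline before it is loaded into Postfix. The following is an added example, not part of the original message: it mirrors the same decision order in Python against constructed From: lines. The function name, the sample addresses and the `bulk.example` / `partner.example` domains are assumptions made for illustration.

```python
import re

# Domains and staff name as used in the thread; everything else is constructed.
OUR_DOMAINS = ("mydomain.it", "mydomain2.tld")
STAFF_NAMES = ("Lorenzo Petracchi",)

_dom = "|".join(re.escape(d) for d in OUR_DOMAINS)
# Header ends in an address at (or below) one of our domains.
OWN_ADDRESS = re.compile(r"[@.](?:%s)>?\s*$" % _dom, re.I)
# Our domain or a staff name appearing anywhere else in the header text.
OUR_DOMAIN_ANYWHERE = re.compile(_dom, re.I)
STAFF_NAME = re.compile("|".join(re.escape(n) for n in STAFF_NAMES), re.I)

def check_from(line):
    """Return 'DUNNO' or 'REJECT' for one logical header line."""
    if not line.lower().startswith("from:"):
        return "DUNNO"            # only From: headers are inspected
    if OWN_ADDRESS.search(line):
        return "DUNNO"            # claims our address: left to the DMARC milter
    if OUR_DOMAIN_ANYWHERE.search(line) or STAFF_NAME.search(line):
        return "REJECT"           # our identity only in the display text
    return "DUNNO"

# Constructed sample headers.
SAMPLES = [
    'From: Accounts <accounts@mydomain.it>',
    'From: "accounts@mydomain.it" <offers@bulk.example>',
    'From: Lorenzo Petracchi <ceo@bulk.example>',
    'From: Alice <alice@partner.example>',
    'From: billing@mydomain2.tld',
    'Subject: invoice from mydomain.it',
]

def verdicts():
    return [check_from(s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, verdicts()):
        print("%-7s %s" % (verdict, sample))
```

A rule keyed on staff names also rejects outside senders who happen to share the name, so the name list needs review against real traffic.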


Re: Does postfix reject spoofed senders?

2018-03-30 Thread Bastian Blank
On Fri, Mar 30, 2018 at 12:03:37AM -0700, Sean Greenslade wrote:
> On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
> > In the last few weeks our e-mail users are receiving many messages with
> > their own address as From header.
> > 
> > I understand that there are many legitimate reasons why the From header is
> > free but I would like to understand if it is possible and if it makes sense
> > to reject incoming mail that contains addresses in the form
> > al...@mydomain.it in the header field when the sender is not one of our SASL
> > authenticated SMTP senders or when they are but do not own that address.
> > 
> >Lorenzo
> 
> This is basically what SPF is good for.

No, it is not.  SPF does not care about the From header, only the
envelope sender.

DMARC on the other hand works on the From header, with a lot of
collateral damage.

Bastian

-- 
I object to intellect without discipline;  I object to power without
constructive purpose.
-- Spock, "The Squire of Gothos", stardate 2124.5
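
The difference between an SPF pass on the envelope sender and a DMARC pass on the From header, as an added example that is not part of the original thread. The messages, the `bulk.example` and `lists.example` domains and the function names are constructed, and the organizational-domain rule is a simplification (real DMARC implementations consult the Public Suffix List).

```python
def org_domain(domain):
    """Naive organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share an organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(msg):
    """DMARC passes if SPF or DKIM passes AND is aligned with the From header."""
    from_dom = msg["header_from"].rpartition("@")[2]
    env_dom = msg["envelope_from"].rpartition("@")[2]
    spf_aligned = msg["spf"] == "pass" and aligned(env_dom, from_dom)
    dkim_aligned = msg["dkim"] == "pass" and aligned(msg["dkim_d"], from_dom)
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

# Constructed messages: authentication results as a receiving server would see them.
SAMPLES = {
    # Forged From header; the sender's own envelope domain passes SPF.
    "forged": {"envelope_from": "bounce@bulk.example", "spf": "pass",
               "header_from": "accounts@mydomain.it",
               "dkim": "none", "dkim_d": ""},
    # Genuine mail sent through the domain's own servers.
    "genuine": {"envelope_from": "accounts@mydomain.it", "spf": "pass",
                "header_from": "accounts@mydomain.it",
                "dkim": "pass", "dkim_d": "mydomain.it"},
    # Genuine mail relayed by a mailing list that rewrote the body:
    # SPF passes for the list's domain, the author's DKIM signature breaks.
    "via_list": {"envelope_from": "list-bounces@lists.example", "spf": "pass",
                 "header_from": "accounts@mydomain.it",
                 "dkim": "fail", "dkim_d": "mydomain.it"},
}

def summary():
    return {name: (m["spf"], dmarc_verdict(m)) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (spf, dmarc) in summary().items():
        print("%-9s spf=%s dmarc=%s" % (name, spf, dmarc))
```

The `via_list` case is the collateral damage mentioned above: legitimate mail fails DMARC once a list breaks the signature.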


Re: Does postfix reject spoofed senders?

2018-03-30 Thread Sean Greenslade
On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
> In the last few weeks our e-mail users are receiving many messages with
> their own address as From header.
> 
> I understand that there are many legitimate reasons why the From header is
> free but I would like to understand if it is possible and if it makes sense
> to reject incoming mail that contains addresses in the form
> al...@mydomain.it in the header field when the sender is not one of our SASL
> authenticated SMTP senders or when they are but do not own that address.
> 
>Lorenzo

This is basically what SPF is good for. I set up my mail server to
reject SPF failures on domains that I control, since I know that my
servers are the only ones authorized to send mail from those domains. I
used to get quite a bit of From: fakename@my.domain spam, and SPF
enforcement put a quick end to that.

--Sean



Re: Does postfix reject spoofed senders?

2018-03-30 Thread Lorenzo Petracchi

On Friday 30/03/2018 08:05 Dominic Raferd wrote:
> On 30 March 2018 at 06:51, Lorenzo Petracchi wrote:
>> Is there a reliable way to reject incoming mails with a spoofed e-mail
>> address?
>
> Please clarify what you mean.


In the last few weeks our e-mail users are receiving many messages with 
their own address as From header.


I understand that there are many legitimate reasons why the From header 
is free but I would like to understand if it is possible and if it makes 
sense to reject incoming mail that contains addresses in the form 
al...@mydomain.it in the header field when the sender is not one of our SASL 
authenticated SMTP senders or when they are but do not own that address.


   Lorenzo


Re: Does postfix reject spoofed senders?

2018-03-30 Thread Dominic Raferd
On 30 March 2018 at 06:51, Lorenzo Petracchi wrote:
> Is there a reliable way to reject incoming mails with a spoofed e-mail
> address?

Please clarify what you mean.


Does postfix reject spoofed senders?

2018-03-29 Thread Lorenzo Petracchi
Is there a reliable way to reject incoming mails with a spoofed e-mail 
address?


Lorenzo