spoofed domain emails coming through

Questions and answers about how to do stuff
Post Reply
sharktech
Posts: 70
Joined: 14 Jan 2014 14:23

spoofed domain emails coming through

Post by sharktech » 01 Oct 2015 15:19

Afternoon

had a few emails recently that have come through with the senders email as one of ours, is there a way to make it not accept the email if the sender is our domain? as they should only come from our exchange server

Thanks

zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: spoofed domain emails coming through

Post by zohman » 01 Oct 2015 18:14

Yes!
if only you serving your domain no one should allowed to come and claim that he is you.
to do that use smtpd_restriction_classes with Postfix.

add things like this,
in /etc/postfix/main.cf:

smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit

add "check_client_access cidr:/etc/postfix/network_sender_access" to smtpd_sender_restrictions with all other rules you have there.
example:
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

creating the files:
/etc/postfix/network_sender_access:
(change 192.168.0.0 to your network segment using cidr (/24 /16 etc..))

Code: Select all

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/24       internal_sender_access

# Everything else
0.0.0.0/0           external_sender_access
/etc/postfix/internal_sender_access
with the domains you are serving..

Code: Select all

example.com OK
/etc/postfix/external_sender_access:

Code: Select all

example.com REJECT Bad MAIL FROM: You're not from here!
build the db files, run:

postmap /etc/postfix/network_sender_access
postmap /etc/postfix/internal_sender_access
postmap /etc/postfix/external_sender_access

restart postfix:
service postfix restart

Done.

try it from outside, connect..
telnet mail.example.com 25

220 mail.example.com ESMTP Mail Service Ready
helo mail.somehelo.com
250 efa.example.com
mail from: fake@example.com
250 2.1.0 Ok
rcpt to: user@example.com
554 5.7.1 <fake@example.com>: Sender address rejected: Bad MAIL FROM: You're not from here!


Goodluck,
Zohman.

User avatar
pdwalker
Posts: 1320
Joined: 18 Mar 2015 09:16

Re: spoofed domain emails coming through

Post by pdwalker » 02 Oct 2015 03:03

Useful!

Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.

sharktech
Posts: 70
Joined: 14 Jan 2014 14:23

Re: spoofed domain emails coming through

Post by sharktech » 02 Oct 2015 09:41

Perfect Thanks

sharktech
Posts: 70
Joined: 14 Jan 2014 14:23

Re: spoofed domain emails coming through

Post by sharktech » 05 Oct 2015 08:17

Could this be added to the system permanently, the amount of mail im stopping now is huge - over 1000 emails in 1 day

Thanks

zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: spoofed domain emails coming through

Post by zohman » 05 Oct 2015 14:08

pdwalker wrote:Useful!

Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.
Hi pdwalker,
you should use it all the time in any case!

if you have external smtp server that send behalf of your sender-domain
to the same recipient-domain on EFA, add the IP to the internal_sender_access inside /etc/postfix/network_sender_access list.

Code: Select all

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/24          internal_sender_access
82.92.223.14             internal_sender_access  	# External SMTP Example
212.111.154.9/27          internal_sender_access             # Pool of External SMTPs Examples

# Everything else
0.0.0.0/0           external_sender_access
sharktech wrote:Could this be added to the system permanently, the amount of mail im stopping now is huge - over 1000 emails in 1 day

Thanks
Great. :D
shawniverson should take a note,
anyway if it wont implemented with the upgrade,
just backup postfix config files for the new system.

Regards,
Zohman.

User avatar
pdwalker
Posts: 1320
Joined: 18 Mar 2015 09:16

Re: spoofed domain emails coming through

Post by pdwalker » 05 Oct 2015 17:53

I would, if I knew in advance every possible smtp server they might use in advance, but for a lot of my mobile users, they have to customize their smtp settings for each country they are in. It's annoying. Also, VPNs are frequently blocked to prevent "backdoor" access to the Internet.

Still a useful tip though.

I wonder how much junk is coming is coming in with spoofed domains on my system anyway? I think I'll check.

zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: spoofed domain emails coming through

Post by zohman » 05 Oct 2015 20:02

sharktech wrote:Could this be added to the system permanently, the amount of mail im stopping now is huge - over 1000 emails in 1 day

Thanks
RFC Alert,
OK, there is another thing we need to add.. :)

I notice that EFA wont let bounce messages to get out from Exchange..
after little investigation I saw that Exchange sending those bounces with MAIL FROM: <>
and this is why bounces not taking-off because we close the allowed domains in internal_sender_access
only to example.com so mail from: <> internally is forbidden.

I tried to figure how to change Exchange behavior so it will bounce
the MAIL FROM: envelope as the From: postmaster@example.com header,
on my way to figure it out I found that mail servers are required to support it (RFC 1123 section 5.2.9):

"The syntax shown in RFC-821 for the MAIL FROM: command omits the case
of an empty path: "MAIL FROM: <>" (see RFC-821 Page 15). An empty reverse path MUST be supported
."

It’s used primarily for bounce messages, to prevent an endless loop.
When MAIL FROM is used with an empty address (represented as <>),
the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.

solution to comply the RFC,
just add "<> ok" in the /etc/postfix/internal_sender_access

Code: Select all

example.com		OK
<>		                OK
Regards,
Zohman.

User avatar
shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: spoofed domain emails coming through

Post by shawniverson » 05 Oct 2015 21:57

Version eFa 4.0.2 now available!

User avatar
shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: spoofed domain emails coming through

Post by shawniverson » 05 Oct 2015 21:59

Version eFa 4.0.2 now available!

Post Reply