How-to Prevent external sender spoofing to EFA

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

How-to Prevent external sender spoofing to EFA

Post by shawniverson » 21 Oct 2015 21:11

Original topic is here:

viewtopic.php?f=14&t=1237

Many thanks to zohman for his expertise. This is a slightly modified how-to.

(9/3/16 -- Using SPF/DKIM/DMARC in combination may be more suitable for more complex environments!)

This is a rather important thing to do in postfix to prevent...
from: mydomain.tld
to: mydomain.tld
from getting past postfix into your domain because your domain is in the transport and relay maps.

(plan to integrate this into EFA...see issue https://github.com/E-F-A/v3/issues/215)

Note that you may need to take into consideration other external relaying that you want to allow (i.e. legit mobile users)

Step 1

Add the following to /etc/postfix/main.cf:

Code:

smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit

Step 2

Replace the following in /etc/postfix/main.cf. We are basically tossing out /etc/postfix/sender_access in favor of the internal and external variants above to make it more granular.

Change from:

Code:

smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain

Change to:

Code:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

Step 3

Create /etc/postfix/network_sender_access. This selects the appropriate sender access list based on originating ip address.

Example:

Code:

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/16      internal_sender_access
10.0.0.0/8          internal_sender_access
172.16.0.0/12       internal_sender_access

# Everything else
0.0.0.0/0           external_sender_access

Step 4

Create /etc/postfix/internal_sender_access

Example:

Code:

mydomain1.tld OK
mydomain2.tld OK
mydomain3.tld OK
<> OK

(The last line provides RFC 821 empty reverse-path support.)

Step 5

Create /etc/postfix/external_sender_access

Example:

Code:

mydomain1.tld REJECT
mydomain2.tld REJECT
mydomain3.tld REJECT

Step 6

Postmap everything to build database files

Code:

sudo postmap /etc/postfix/network_sender_access
sudo postmap /etc/postfix/internal_sender_access
sudo postmap /etc/postfix/external_sender_access

Step 7

Restart postfix

Code:

sudo service postfix restart

Version eFa 4.0.2 now available!
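The selection logic of Steps 1 to 5, as an added Python simulation for readers (not Postfix code and not part of the original post): the cidr table picks a restriction class from the client IP, the class's hash table is consulted with the sender, and the class's trailing permit/reject decides anything the table does not list. The tables are constructed copies of the how-to's examples; the lookup-key order approximates Postfix check_sender_access (full address, domain and parent domains, localpart@, with <> for the null sender).

```python
import ipaddress

# Constructed copies of the how-to's tables. cidr: tables match first entry wins.
NETWORK_SENDER_ACCESS = [
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/16", "internal_sender_access"),
    ("10.0.0.0/8", "internal_sender_access"),
    ("172.16.0.0/12", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]
INTERNAL_SENDER_ACCESS = {"mydomain1.tld": "OK", "mydomain2.tld": "OK", "<>": "OK"}
EXTERNAL_SENDER_ACCESS = {"mydomain1.tld": "REJECT", "mydomain2.tld": "REJECT"}

# Step 1: each class is "check_sender_access <table>, <default action>".
CLASSES = {
    "internal_sender_access": (INTERNAL_SENDER_ACCESS, "reject"),
    "external_sender_access": (EXTERNAL_SENDER_ACCESS, "permit"),
}


def sender_lookup_keys(sender):
    """Keys Postfix tries for a sender, in order (approximation of check_sender_access)."""
    if sender == "":
        return ["<>"]                       # null sender, the '<> OK' line in Step 4
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    keys += [".".join(labels[i:]) for i in range(len(labels))]   # domain, then parents
    keys.append(local + "@")
    return keys


def evaluate(client_ip, sender):
    """check_client_access cidr: -> restriction class -> check_sender_access -> class default."""
    ip = ipaddress.ip_address(client_ip)
    chosen = next((cls for net, cls in NETWORK_SENDER_ACCESS
                   if ip in ipaddress.ip_network(net)), None)
    if chosen is None:
        return "DUNNO"                      # no cidr match: later restrictions decide
    table, default = CLASSES[chosen]
    for key in sender_lookup_keys(sender):
        if key in table:
            return table[key]
    return default.upper()


if __name__ == "__main__":
    print(evaluate("203.0.113.5", "ceo@mydomain1.tld"))   # external host using our domain
    print(evaluate("10.1.2.3", "user@partner.example"))   # inside host, foreign domain
```

The second call shows the trap anti-spam ran into below: an inside host that sends as a domain not listed in internal_sender_access hits the class's trailing reject.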

anti-spam
Posts: 40
Joined: 06 Oct 2015 14:32

Re: How-to Prevent external sender spoofing to EFA

Post by anti-spam » 22 Oct 2015 11:41

Many thanks for this how-to. We applied it and got errors like:

Oct 22 12:43:50 mx2 postfix/smtpd[3429]: NOQUEUE: reject: RCPT from cpanel3.xyz.com[ip.ip.ip.ip]: 554 5.7.1 <cpanel3.xyz.com[ip.ip.ip.ip]>: Client host rejected: Access denied; from=<tester@xyz.com> to=<our@email-address.com> proto=ESMTP helo=<cpanel3.xyz.com>

What we did wrong was that we used our whole IP range in /etc/postfix/network_sender_access, like:

# localhost
127.0.0.0/24 internal_sender_access

# Inside Networks
IP.IP.IP.0/24 internal_sender_access

But we are a hosting provider, and have some customers with dedicated cPanel shared hosting servers.
All these servers were refused.
Thanks to shawniverson, we found that it's wrong in our case to simply add an IP range.
We deleted the IP range and added ONLY our own cPanel servers, which are under the protection of our EFAs.
Now this how-to seems to work like it should. I made the change 1 hour ago, but we receive over 1000 ham emails per hour.
If this is not working like we hope, I will comment on this post.
Keep up the good job shawniverson :clap: :dance:
:arrow: always fighting spam ... :hand:

cowboy6
Posts: 5
Joined: 17 Aug 2016 10:54

Re: How-to Prevent external sender spoofing to EFA

Post by cowboy6 » 22 Feb 2018 13:28

With a correct TXT entry inside DNS for your domain (https://www.spfwizard.net/) and SPF checking enabled, that should be enough to prevent spoofed emails (https://www.howtoforge.com/postfix_spf).

ziain
Posts: 7
Joined: 30 Sep 2017 12:44

Re: How-to Prevent external sender spoofing to EFA

Post by ziain » 27 Sep 2018 09:02

I may be a bit late with this, but when I followed Shawn's instructions above I was unable to receive any emails. I changed the code from:

Code:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

to:

Code:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access cidr:/etc/postfix/network_sender_access

And mail flowed in OK after that. I don't know if the rules are effective as of yet though.

jogomes
Posts: 20
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes » 31 Aug 2020 11:25

Hello all,

Suffering from BAD email spoofing on EFAv4.0.2.

Is this still valid for EFAv4?

Thanks in advance.
JG

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson » 31 Aug 2020 12:41

Yes it is, you can do this.

jogomes
Posts: 20
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes » 31 Aug 2020 15:35

shawniverson wrote:
31 Aug 2020 12:41
Yes it is, you can do this.
Thank you.

But can you help me identify a way or method to stop this type of email? See code:

Code:

Received: from au02.oncord.com (au02.oncord.com [119.148.70.243])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(no client certificate requested)
by gcfmx01.domain.tld (MailScanner Milter) with SMTP id 4Bd2Vl1qQfz53JJn
for <manuel.pereira@domain.tld>; Fri, 28 Aug 2020 02:45:54 +0100 (WEST)
DMARC-Filter: OpenDMARC Filter v1.3.2 gcfmx01.domain.tld 4Bd2Vl1qQfz53JJn
Authentication-Results: gcfmx01.domain.tld; dmarc=none (p=none dis=none) header.from=eaveswatersystem.com
Authentication-Results: gcfmx01.domain.tld; spf=pass smtp.mailfrom=bill@eaveswatersystem.com
DKIM-Filter: OpenDKIM Filter v2.11.0 gcfmx01.domain.tld 4Bd2Vl1qQfz53JJn
Authentication-Results: gcfmx01.domain.tld;
     dkim=pass (2048-bit key) header.d=eaveswatersystem.com header.i=@eaveswatersystem.com header.b="X88az7Us"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
     d=eaveswatersystem.com; s=default; h=Content-Type:MIME-Version:Subject:To:
     From:Date:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:
     Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
     :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
     List-Subscribe:List-Post:List-Owner:List-Archive;
     bh=GjxyaJntNJbyypUWWYRvX8CL057VoFoZQiS5C8O8z7Y=; b=X88az7UsMDlAhC1RQ+p8/Pnu3p
     QshRyiJnPplqDL5cqRUxquo3ZDnP3oeFT9l4izAVeEuxx8AQkd6XEUtFoXt+ilEYyJd0vP8xBiCZ+
     uU87dUahsRtpc7ynEHeR/XbHb61LhfRSXXj4nufcCl90A436JHcfKdreoW9vZV1MOJSRRKXQBkf7B
     g6UiLypKoolHqmK1o1cb+/zdRbYaMJdOe8a0iLolON5WdmQyDMTadvI/7YJKcyg8lAsDSto1iLhsK
     TFsDNsAgMixzLbew9C7sGwLzyUvNyA2Sxb2iR7a8eaG3hq5lcEXJFUK/LUbijOLSU6GRX8gBnnsdA
     LtmH1GUQ==;
Received: from static-96-30-98-66.violin.co.th ([96.30.98.66]:59832)
     by au02.oncord.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     (Exim 4.93)
     (envelope-from <bill@eaveswatersystem.com>)
     id 1kBTSU-000A8e-0s
     for manuel.pereira@domain.tld; Fri, 28 Aug 2020 11:45:43 +1000
Date: Fri, 28 Aug 2020 08:43:00 +0700
From: "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
To: "Manuel Moniz Pereira" <manuel.pereira@domain.tld>
Subject: Manuel Moniz Pereira
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--13483385052479636022660443466485103"
X-OutGoing-Spam-Status: No, score=5.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - au02.oncord.com
X-AntiAbuse: Original Domain - domain.tld
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eaveswatersystem.com
X-Get-Message-Sender-Via: au02.oncord.com: authenticated_id: bill@eaveswatersystem.com
X-Authenticated-Sender: au02.oncord.com: bill@eaveswatersystem.com

This email passed eFa scans using only the "bill@eaveswatersystem.com" email address and not the "antonio.figueira@domain.tld".

But when the user saw it, the displayed email was the internal one and not the external one:

Code:

> De: "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
> Data: 28 de agosto de 2020, 02:46:04 WEST
> Para: Manuel Moniz Pereira <manuel.pereira@domain.tld>
> Assunto: Manuel Moniz Pereira
>
>  Please see the attached file.
>
>
> Antonio Figueira
> antonio.figueira@domain.tld

The attached file was a DOC identified by ClamAV on Zimbra as a virus but passed the eFa scan...

Well, this seems a pretty elaborate way of spoofing emails, and I wish to figure out a way of stopping it.

Help will be much appreciated.

SPF, DMARC, DKIM, and others are in place but all seem to be failing in stopping this.

Thank you in advance for your support.

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson » 03 Sep 2020 22:11

Clever, clever indeed:

From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>

SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson » 03 Sep 2020 22:14


smyers119
Posts: 92
Joined: 29 Nov 2019 11:36

Re: How-to Prevent external sender spoofing to EFA

Post by smyers119 » 10 Sep 2020 14:50

shawniverson wrote:
03 Sep 2020 22:11
Clever, clever indeed
From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>
SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.
I just tested this and it catches probably 90% of ham. You would need to modify it to only check against your own domain, with whitelisting ability, for this to really help.
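An added Python illustration of the narrowing smyers119 describes (not the SpamAssassin FromNameSpoof plugin, not eFa code, and not from the thread): flag a From header only when its display name embeds an address in one of our own domains while the real address is elsewhere, and let a whitelist of senders skip the check. OWN_DOMAINS and WHITELIST are assumed values; the sample headers are constructed, the first modelled on jogomes' message.

```python
import re
from email.utils import parseaddr

OWN_DOMAINS = {"domain.tld"}                     # assumption: the domains eFa protects
WHITELIST = {"alerts@partner.example"}           # assumption: senders allowed to do this

# Finds email-like tokens embedded in a display name (deliberately loose matcher).
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def from_name_spoof(from_header, own_domains=OWN_DOMAINS, whitelist=WHITELIST):
    """Return (is_spoof, reason) for a raw From: header value.

    Only an own-domain address inside the display name of a message whose real
    From address is outside own_domains counts, which is the restriction that
    keeps ordinary external mail (the '90% ham') from being flagged.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in whitelist:
        return False, "whitelisted sender"
    real_domain = addr.rpartition("@")[2]
    if real_domain in own_domains:
        return False, "real address is in an own domain"
    for embedded in EMBEDDED_ADDR.findall(name.lower()):
        if embedded.rpartition("@")[2] in own_domains:
            return True, f"display name carries {embedded} but address is {addr}"
    return False, "no own-domain address in display name"


# Constructed sample headers (the first modelled on the thread's example).
SAMPLES = [
    '"Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>',
    '"Antonio Figueira <antonio.figueira@domain.tld>" <antonio.figueira@domain.tld>',
    '"Bob <bob@other.example>" <bob@other.example>',
    '"IT Helpdesk <it@domain.tld>" <alerts@partner.example>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(from_name_spoof(h))
```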

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson » 12 Sep 2020 13:01

Good to know, I'll keep looking into it with the possibility of limiting it as you say.

jogomes
Posts: 20
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes » 14 Sep 2020 07:20

smyers119 wrote:
10 Sep 2020 14:50
shawniverson wrote:
03 Sep 2020 22:11
Clever, clever indeed
From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>
SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.
I just tested this and it catches probably 90% ham. You would need to modify it to only check against your own domain with whitelisting ability, for this to really help.
Thank you for your help.
Can you elaborate on the part:
"You would need to modify it to only check against your own domain with whitelisting ability, for this to really help"
??
Not quite understanding what you mean by it.
Regards.
JG
