How-to Prevent external sender spoofing to EFA

shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

How-to Prevent external sender spoofing to EFA

Post by shawniverson »

Original topic is here:

viewtopic.php?f=14&t=1237

Many thanks to zohman for his expertise. This is a slightly modified how-to.

(9/3/16 -- Using SPF/DKIM/DMARC in combination may be more suitable for more complex environments!)

This is a rather important thing to do in postfix to prevent...
from: mydomain.tld
to: mydomain.tld
from getting past postfix into your domain because your domain is in the transport and relay maps.

(plan to integrate this into EFA...see issue https://github.com/E-F-A/v3/issues/215)

Note that you may need to take into consideration other external relaying that you want to allow (e.g. legitimate mobile users).

Step 1

Add the following to /etc/postfix/main.cf:

smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit

Step 2

Replace the following in /etc/postfix/main.cf. We are basically tossing out /etc/postfix/sender_access in favor of the internal and external variants above to make it more granular.

Change from:

smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain

Change to:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

Step 3

Create /etc/postfix/network_sender_access. This selects the appropriate sender access list based on originating ip address.

Example:

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/16      internal_sender_access
10.0.0.0/8          internal_sender_access
172.16.0.0/12       internal_sender_access

# Everything else (cidr: tables match in file order, so keep this line last)
0.0.0.0/0           external_sender_access

Step 4

Create /etc/postfix/internal_sender_access

Example:

mydomain1.tld OK
mydomain2.tld OK
mydomain3.tld OK
<> OK

(The last line is for RFC 821 empty reverse path support.)

Step 5

Create /etc/postfix/external_sender_access

Example:

mydomain1.tld REJECT
mydomain2.tld REJECT
mydomain3.tld REJECT

Step 6

Postmap everything to build database files

# The cidr: table is read directly by Postfix and needs no postmap;
# only the hash: tables have to be compiled into .db files.
sudo postmap /etc/postfix/internal_sender_access
sudo postmap /etc/postfix/external_sender_access

Step 7

Restart postfix


sudo service postfix restart
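The following is an added editor's example, not code from the how-to, from eFa or from Postfix: a small Python model of the decision the seven steps above configure. It holds the three tables from Steps 1 to 5 as data, evaluates a (client IP, MAIL FROM) pair the way check_client_access plus the two restriction classes do, and also shows what a check_sender_access lookup against the cidr: table (instead of check_client_access) evaluates to. The client IPs and sender addresses in it are constructed for the demonstration; the DNS-based reject_non_fqdn_sender and reject_unknown_sender_domain checks are left out.

```python
"""Editor's model of the Step 1-5 sender-access decision (not eFa/Postfix code)."""
import ipaddress

# Step 3: cidr: table. Postfix takes the FIRST matching line, so the
# 0.0.0.0/0 catch-all has to stay at the bottom.
NETWORK_SENDER_ACCESS = [
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/16", "internal_sender_access"),
    ("10.0.0.0/8", "internal_sender_access"),
    ("172.16.0.0/12", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]

# Steps 4 and 5: the hash: tables that postmap compiles into .db files.
INTERNAL_SENDER_ACCESS = {
    "mydomain1.tld": "OK", "mydomain2.tld": "OK", "mydomain3.tld": "OK",
    "<>": "OK",  # null sender, so bounces from inside still pass
}
EXTERNAL_SENDER_ACCESS = {
    "mydomain1.tld": "REJECT", "mydomain2.tld": "REJECT", "mydomain3.tld": "REJECT",
}

# Step 1: each class is "check_sender_access <table>, <fallback>".
RESTRICTION_CLASSES = {
    "internal_sender_access": (INTERNAL_SENDER_ACCESS, "reject"),
    "external_sender_access": (EXTERNAL_SENDER_ACCESS, "permit"),
}


def cidr_lookup(client_ip, table=NETWORK_SENDER_ACCESS):
    """check_client_access cidr:... -> restriction class name, or None."""
    ip = ipaddress.ip_address(client_ip)
    for network, value in table:
        if ip in ipaddress.ip_network(network, strict=False):
            return value
    return None


def sender_lookup_keys(sender):
    """Keys check_sender_access tries for one MAIL FROM, in order: full
    address, domain, each parent domain (smtpd_access_maps is in
    parent_domain_matches_subdomains by default), then localpart@.
    The null sender is looked up as '<>' (smtpd_null_access_lookup_key)."""
    if sender in ("", "<>"):
        return ["<>"]
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [sender.lower(), domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    return keys


def check_sender_access(table, fallback, sender):
    """One restriction class: the first matching key decides, else the fallback."""
    for key in sender_lookup_keys(sender):
        if key in table:
            return "permit" if table[key].upper() == "OK" else "reject"
    return fallback


def decide(client_ip, sender, sasl_authenticated=False):
    """Outcome of the Step 2 smtpd_sender_restrictions for one MAIL FROM.
    'dunno' means this list made no decision (no class matched)."""
    if sasl_authenticated:
        return "permit"  # permit_sasl_authenticated comes first in the list
    class_name = cidr_lookup(client_ip)
    if class_name is None:
        return "dunno"
    table, fallback = RESTRICTION_CLASSES[class_name]
    return check_sender_access(table, fallback, sender)


def sender_access_against_cidr_table(sender, table=NETWORK_SENDER_ACCESS):
    """Effect of writing check_sender_access in front of the cidr: table:
    the lookup keys are address strings, an IP table never matches any of
    them, and the restriction becomes a no-op."""
    for key in sender_lookup_keys(sender):
        try:
            ip = ipaddress.ip_address(key)
        except ValueError:
            continue  # 'ceo@mydomain1.tld', 'mydomain1.tld', 'ceo@' are not IPs
        if cidr_lookup(str(ip), table):
            return "matched"
    return "dunno"


if __name__ == "__main__":
    for ip, mail_from in [
        ("203.0.113.7", "ceo@mydomain1.tld"),        # outside host using our domain
        ("203.0.113.7", "friend@example.net"),       # ordinary inbound mail
        ("192.168.1.20", "app@mydomain2.tld"),       # inside host, our domain
        ("192.168.1.20", "user@customer.example"),   # inside host, foreign domain
    ]:
        print(f"{ip:>14} {mail_from:<26} {decide(ip, mail_from)}")
```

On a live eFa box the same questions can be put to the real tables with postmap -q, e.g. `postmap -q 10.1.2.3 cidr:/etc/postfix/network_sender_access` (prints the class name) and `postmap -q mydomain1.tld hash:/etc/postfix/external_sender_access` (prints REJECT). The inside-host, foreign-domain case is the one that falls through to the trailing reject of internal_sender_access; it shows up in the log as "Client host rejected: Access denied", which is the situation a hosting provider hits when a whole customer range is put in the internal class.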
anti-spam
Posts: 40
Joined: 06 Oct 2015 14:32

Re: How-to Prevent external sender spoofing to EFA

Post by anti-spam »

Many thanks for this how-to. We applied it and had errors like:

Oct 22 12:43:50 mx2 postfix/smtpd[3429]: NOQUEUE: reject: RCPT from cpanel3.xyz.com[ip.ip.ip.ip]: 554 5.7.1 <cpanel3.xyz.com[ip.ip.ip.ip]>: Client host rejected: Access denied; from=<tester@xyz.com> to=<our@email-address.com> proto=ESMTP helo=<cpanel3.xyz.com>

What we did wrong was that we used our whole IP range in /etc/postfix/network_sender_access like:

# localhost
127.0.0.0/24 internal_sender_access

# Inside Networks
IP.IP.IP.0/24 internal_sender_access

But we are a hosting provider, and have some customers with dedicated cPanel shared hosting servers.
All these servers are refused.
Thanks to shawniverson, we found that it's wrong in our case to simply add an IP range.
We deleted the IP range and added ONLY our own cPanel servers, which are under the protection of our EFAs.
Now this how-to seems to work like it should. I did the change 1 hour ago, but we receive over 1000 ham emails per hour.
If this is not working like we hope, I will comment on this post.
Keep up the good work, shawniverson.
Always fighting spam...
cowboy6
Posts: 5
Joined: 17 Aug 2016 10:54

Re: How-to Prevent external sender spoofing to EFA

Post by cowboy6 »

With correct TXT entry inside DNS for your domain (https://www.spfwizard.net/) and enabled SPF checking should be enough to prevent spoofing emails (https://www.howtoforge.com/postfix_spf).
ziain
Posts: 7
Joined: 30 Sep 2017 12:44

Re: How-to Prevent external sender spoofing to EFA

Post by ziain »

I may be a bit late with this, but when I followed Shawn's instruction above I was unable to receive any emails. I changed the code from:


smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access
to:


smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access cidr:/etc/postfix/network_sender_access
And mail flowed in ok after that. I don't know if the rules are effective as of yet though.
jogomes
Posts: 21
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes »

Hello all,

Suffering from BAD email spoofing on EFAv4.0.2.

Is this still valid for EFAv4 ?

Thanks in advance.
JG
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson »

Yes it is, you can do this.
jogomes
Posts: 21
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes »

shawniverson wrote: 31 Aug 2020 12:41 Yes it is, you can do this.
Thank you.

But can you help me identify a way or method to stop this type of email? See the headers:


Received: from au02.oncord.com (au02.oncord.com [119.148.70.243])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(no client certificate requested)
by gcfmx01.domain.tld (MailScanner Milter) with SMTP id 4Bd2Vl1qQfz53JJn
for <manuel.pereira@domain.tld>; Fri, 28 Aug 2020 02:45:54 +0100 (WEST)
DMARC-Filter: OpenDMARC Filter v1.3.2 gcfmx01.domain.tld 4Bd2Vl1qQfz53JJn
Authentication-Results: gcfmx01.domain.tld; dmarc=none (p=none dis=none) header.from=eaveswatersystem.com
Authentication-Results: gcfmx01.domain.tld; spf=pass smtp.mailfrom=bill@eaveswatersystem.com
DKIM-Filter: OpenDKIM Filter v2.11.0 gcfmx01.domain.tld 4Bd2Vl1qQfz53JJn
Authentication-Results: gcfmx01.domain.tld;
     dkim=pass (2048-bit key) header.d=eaveswatersystem.com header.i=@eaveswatersystem.com header.b="X88az7Us"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
     d=eaveswatersystem.com; s=default; h=Content-Type:MIME-Version:Subject:To:
     From:Date:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:
     Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
     :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
     List-Subscribe:List-Post:List-Owner:List-Archive;
     bh=GjxyaJntNJbyypUWWYRvX8CL057VoFoZQiS5C8O8z7Y=; b=X88az7UsMDlAhC1RQ+p8/Pnu3p
     QshRyiJnPplqDL5cqRUxquo3ZDnP3oeFT9l4izAVeEuxx8AQkd6XEUtFoXt+ilEYyJd0vP8xBiCZ+
     uU87dUahsRtpc7ynEHeR/XbHb61LhfRSXXj4nufcCl90A436JHcfKdreoW9vZV1MOJSRRKXQBkf7B
     g6UiLypKoolHqmK1o1cb+/zdRbYaMJdOe8a0iLolON5WdmQyDMTadvI/7YJKcyg8lAsDSto1iLhsK
     TFsDNsAgMixzLbew9C7sGwLzyUvNyA2Sxb2iR7a8eaG3hq5lcEXJFUK/LUbijOLSU6GRX8gBnnsdA
     LtmH1GUQ==;
Received: from static-96-30-98-66.violin.co.th ([96.30.98.66]:59832)
     by au02.oncord.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     (Exim 4.93)
     (envelope-from <bill@eaveswatersystem.com>)
     id 1kBTSU-000A8e-0s
     for manuel.pereira@domain.tld; Fri, 28 Aug 2020 11:45:43 +1000
Date: Fri, 28 Aug 2020 08:43:00 +0700
From: "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
To: "Manuel Moniz Pereira" <manuel.pereira@domain.tld>
Subject: Manuel Moniz Pereira
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--13483385052479636022660443466485103"
X-OutGoing-Spam-Status: No, score=5.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - au02.oncord.com
X-AntiAbuse: Original Domain - domain.tld
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eaveswatersystem.com
X-Get-Message-Sender-Via: au02.oncord.com: authenticated_id: bill@eaveswatersystem.com
X-Authenticated-Sender: au02.oncord.com: bill@eaveswatersystem.com
This email passed eFa scans using only the "bill@eaveswatersystem.com" email address and not the "antonio.figueira@domain.tld".

But when the user saw it, the displayed email address was the internal one and not the external one:


> From: "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
> Date: 28 August 2020, 02:46:04 WEST
> To: Manuel Moniz Pereira <manuel.pereira@domain.tld>
> Subject: Manuel Moniz Pereira
>
>  Please see the attached file.
>
>
> Antonio Figueira
> antonio.figueira@domain.tld
The attached file was a DOC identified by ClamAV on Zimbra as a virus but it passed the eFa scan...

Well, this seems a pretty elaborate way of spoofing emails, and I wish to figure out a way of stopping it.

Help will be much appreciated.

SPF, DMARC, DKIM, and others are in place but all seem to be failing in stopping this.

Thank you in advance for your support.
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson »

Clever, clever indeed
From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>
SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: How-to Prevent external sender spoofing to EFA

Post by smyers119 »

shawniverson wrote: 03 Sep 2020 22:11 Clever, clever indeed
From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>
SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.
I just tested this and it catches probably 90% ham. You would need to modify it to only check against your own domain with whitelisting ability, for this to really help.
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How-to Prevent external sender spoofing to EFA

Post by shawniverson »

Good to know, I'll keep looking into it with the possibility of limiting it as you say.
jogomes
Posts: 21
Joined: 12 Oct 2016 15:59

Re: How-to Prevent external sender spoofing to EFA

Post by jogomes »

smyers119 wrote: 10 Sep 2020 14:50
shawniverson wrote: 03 Sep 2020 22:11 Clever, clever indeed
From: "Antonio Figueira <antonio.figueira@example.org>" <bill@example.com>
SpamAssassin has a plugin just for this...

https://spamassassin.apache.org/full/3. ... eSpoof.txt

Looks like we better mainline this one into eFa.
I just tested this and it catches probably 90% ham. You would need to modify it to only check against your own domain with whitelisting ability, for this to really help.
Thank you for your help.
Can you elaborate on the part of:
You would need to modify it to only check against your own domain with whitelisting ability, for this to really help
??
Not quite understanding what you mean by it.
Regards.
JG
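One reading of the scoping smyers119 describes (check the display name only against your own domains, with a whitelist for senders that legitimately show one of your addresses), as an added editor's example in Python rather than the SpamAssassin plugin itself and not eFa code. OUR_DOMAINS and the whitelist entries are assumptions; the sample From: line is the one quoted earlier in this thread. The check deliberately ignores messages whose real From: address is already in one of our domains, since the envelope-level controls earlier in the thread and SPF/DKIM/DMARC cover that case.

```python
"""Editor's example: From: display-name spoof check scoped to our own domains."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"domain.tld"}  # domains this gateway protects (assumed)

# Senders allowed to show one of our addresses in their display name,
# e.g. a ticketing service relaying staff replies. Constructed values.
WHITELIST_ADDRESSES = {"noreply@helpdesk.example.net"}
WHITELIST_DOMAINS = {"lists.example.net"}

# Anything that looks like user@host.tld inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def _is_ours(domain):
    domain = domain.lower()
    return domain in OUR_DOMAINS or any(domain.endswith("." + d) for d in OUR_DOMAINS)


def from_name_spoof(from_header):
    """Return the impersonated local address, or None if the header is clean.

    A header like
      "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
    parses to display name 'Antonio Figueira <antonio.figueira@domain.tld>'
    and real address bill@eaveswatersystem.com; the client shows the name.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    addr_domain = addr.rpartition("@")[2]
    if not addr or _is_ours(addr_domain):
        return None  # really one of ours (or unparsable): out of scope here
    if addr in WHITELIST_ADDRESSES or addr_domain in WHITELIST_DOMAINS:
        return None  # trusted relay that may show our addresses
    for match in ADDR_RE.finditer(name):
        if _is_ours(match.group(1)):
            return match.group(0).lower()
    return None  # foreign address in the name is someone else's problem


def scan_message(raw):
    """Check From: and Reply-To: of a raw RFC 5322 message.
    Returns {header: impersonated address} for every header that trips."""
    msg = message_from_string(raw)
    findings = {}
    for header in ("From", "Reply-To"):
        for value in msg.get_all(header, []):
            hit = from_name_spoof(value)
            if hit:
                findings[header] = hit
    return findings


# Constructed sample built from the headers quoted earlier in the thread.
SAMPLE = """\
From: "Antonio Figueira <antonio.figueira@domain.tld>" <bill@eaveswatersystem.com>
To: "Manuel Moniz Pereira" <manuel.pereira@domain.tld>
Subject: Manuel Moniz Pereira

Please see the attached file.
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Whitelisting is by real sending address or domain, not by display name, so a spoofer cannot opt out of the check by choosing a friendlier name. Subdomains of a protected domain count as ours on both sides: a real sender at mail.domain.tld is left alone, and a display name carrying hr@mail.domain.tld from an outside address is flagged.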
sharktech
Posts: 89
Joined: 14 Jan 2014 14:23

Re: How-to Prevent external sender spoofing to EFA

Post by sharktech »

Do we still need to implement this in V4 for now?

TIA
Thazwick
Posts: 3
Joined: 23 Mar 2018 14:58

Re: How-to Prevent external sender spoofing to EFA

Post by Thazwick »

Hi, Newbie here.

For me I simply added mydomain.com to the blacklist and that seems to do the job... I guess what is being shared here is the solution for more complex environments.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: How-to Prevent external sender spoofing to EFA

Post by bostjanc »

Hi!

We have a similar issue.

OUR ENVIRONMENT:
- We are still on EFA 3.x but we are halfway through migrating to EFA 4.x (still dealing with DMARC and DKIM implementation/migration, but that's a different topic)
- EFA 3.x is used as the PUBLIC SMTP in our environment and the INTERNAL SMTP is Microsoft Exchange Server 2016
- Any devices and webservers in the environment use EFA for outbound messages
- We had to whitelist our domain in EFA, because we had noticed that some webservers were unable to deliver messages to customers, because EFA had blocked them

The bad side of whitelisting our domain was that we got a lot of "spoofing reports" (lately they started to increase), example below:

Postfix SMTP server: errors from unknown[131.221.131.9]
Mail Delivery System <MAILER-DAEMON@our-domain.com>
11:34 AM (10 minutes ago)
to Postmaster

Transcript of session follows.

Out: 220 efa.our-domain.com ESMTP Postfix
In: EHLO 131.221.131.9.megalink.com.br
Out: 250-efa.our-domain.com
Out: 250-PIPELINING
Out: 250-SIZE 37748736
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH DIGEST-MD5 LOGIN CRAM-MD5 PLAIN
Out: 250-AUTH=DIGEST-MD5 LOGIN CRAM-MD5 PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL From:<javierreillytenebrous@our-domain.com>
Out: 250 2.1.0 Ok
In: RCPT To:<javierreillytenebrous@our-domain.com>
Out: 550 5.1.1 <javierreillytenebrous@our-domain.com>: Recipient address
rejected: User unknown in relay recipient table
In: DATA
Out: 554 5.5.1 Error: no valid recipients

Session aborted, reason: lost connection

For other details, see the local mail logfile


QUESTIONS:
1. So as far as I understood, the configuration mentioned in this post can solve the exact same scenario that we have (blocking the spoof on any device that is not in the 192.168.x.x network, meaning any external IP)?

2. How come that spoof even happens? I thought that EFA would automatically block spoofed messages when it does a SPF check or am I wrong? (warning: noob question :) )

3. Do we need to implement the same configuration from this post on latest EFA 4.x version or is this something that is already implemented in EFA 4.x latest build?


Thanks for the help and replies.
With best regards
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: How-to Prevent external sender spoofing to EFA

Post by bostjanc »

Please respond. With best regards
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: How-to Prevent external sender spoofing to EFA

Post by bostjanc »

any luck ?
cordeos
Posts: 13
Joined: 11 Nov 2017 08:49

Re: How-to Prevent external sender spoofing to EFA

Post by cordeos »

The easiest best solution to prevent spoofing in a standard, simple environment is ADD BLACKLIST from @yourdomain to @yourdomain. If you handle multiple domains, add a BLACKLIST entry for each combination which should NEVER pass through your external SMTP gateway.

Internally, all network equipment should send outbound messages through your EXCHANGE system. Setup a send connector with proper config to allow unauthenticated relay - for the single device/host/server IP addresses.

Externally, any systems, webapps, outsourced providers, etc should never be setup to 'fake' send as internal address. This is a recipe for disaster. Instead, set up another similar domain, use a subdomain, or possibly tunnel them into your internal system for SMTP send only.

It's normally not a very good idea to use your SMTP security gateway as an SMTP sending server. It should be designed and enforced for this very specific role, and there are always better options available for sending SMTP.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How-to Prevent external sender spoofing to EFA

Post by jamerson »

cordeos wrote: 26 Apr 2021 06:43 The easiest best solution to prevent spoofing in a standard, simple environment is ADD BLACKLIST from @yourdomain to @yourdomain. If you handle multiple domains, add a BLACKLIST entry for each combination which should NEVER pass through your external SMTP gateway.

Internally, all network equipment should send outbound messages through your EXCHANGE system. Setup a send connector with proper config to allow unauthenticated relay - for the single device/host/server IP addresses.

Externally, any systems, webapps, outsourced providers, etc should never be setup to 'fake' send as internal address. This is a recipe for disaster. Instead, set up another similar domain, use a subdomain, or possibly tunnel them into your internal system for SMTP send only.

It's normally not a very good idea to use your SMTP security gateway as an SMTP sending server. It should be designed and enforced for this very specific role, and there are always better options available for sending SMTP.
I like this idea,
can we document this?