On 3/3/2010 11:12 AM, Ansgar Wiechers wrote:
On 2010-03-03 Joshua Kordani wrote:
Hello all! I have recently come across a few spams that I am trying
to block. The anatomy of the message probably isn't new to most of
you, but when I try to recreate the spoofed sections that I wish to
filter by hand over telnet, it's clear that I am not understanding how
the messages are being built. Example to follow below:
Note the From line is spoofed to be wo...@mydomain.com,
i...@spamdomain.com, senten...@spamdomain.com, which appears to my
users as coming from a user in my domain. I'd like to filter against
this, but when I go into telnet and try to make a mail with a from
field so deformed, my mail server spits back "I can break things too"
and quits my connection. How can I manually recreate this spoof so
that I can learn how to filter it out?
Please be more precise/verbose about what you were actually trying. For
instance: it's not clear to me if you're talking about the From: header
or the envelope-from above.
Also, did you follow the procedures described in the DEBUG_README?
http://www.postfix.org/DEBUG_README.html
Regards
Ansgar Wiechers
Thank you for your response Ansgar.
Since I am pretty sure that my problem doesn't stem from a critical
misconfiguration of the environment postfix runs in, and I have had this
system running trouble free for the past two years, I think that my
problem involves my limited understanding of how this mail is put
together, and that I do not have a complete grasp of postfix
configuration. For reference, I was responsible for tying postfix and
cyrus together, and tying imap/pop and smtp auth to ldap style auth
against a windows active directory, along with configuring ssl/tls and
starttls. I've never had much experience as a mail admin, outside of
my understanding about how our system is set up, and because
postfix/cyrus/linux all "just work" I don't have a constantly current
understanding of postfix internals due to the system needing barely any
attention.
Thank you for pointing me at that page. I will use it to make more
focused questions. My ultimate goal is to protect my users from mail
that appears to be from a legitimate person in my domain. Since I don't
know how this From field is being generated, I don't know if I need to
set up some sort of smtpd sender restrictions, or if I need to filter
out envelope-from strings to somehow check for spoofing. I don't really
know what to ask here, other than to show you what I've tried.
postconf -n:
alias_maps = hash:/etc/postfix/aliases
    ldap:/etc/postfix/ldap-aliases-employees.cf
    ldap:/etc/postfix/ldap-aliases-admins.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-avgd:[127.0.0.1]:55555
daemon_directory = /usr/libexec/postfix
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail/
mailbox_size_limit = 104857600
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 52428800
mydestination = $mydomain, $myhostname
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_recipient_access
    hash:/etc/postfix/roleaccount_exceptions, reject_non_fqdn_hostname,
    reject_invalid_hostname, check_client_access
    hash:/etc/postfix/whitelist check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx reject_rbl_client
    bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
    b.barracudacentral.org, reject_rbl_client dnsbl.sorbs.net
    warn_if_reject reject_rhsbl_sender dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_CAfile = /var/imap/server.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/imap/server.pem
smtpd_tls_key_file = /var/imap/server.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
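Added example, not part of this thread and not the poster's own configuration: a Postfix main.cf / master.cf fragment showing the two different places a forged "own domain" sender can be rejected, since the envelope sender (SMTP MAIL FROM) and the From: header are checked by different Postfix mechanisms, which is the distinction Ansgar's question is getting at. example.com stands in for the poster's own domain; the file names sender_access and header_checks and the service name subcleanup are assumptions chosen for the example.

```conf
# --- main.cf ---------------------------------------------------------------
# (1) Envelope sender ("MAIL FROM:" on the wire). check_sender_access matches
#     the envelope address only, never the From: header. Trusted sources are
#     permitted first, so only unauthenticated outside clients reach the
#     REJECT entry in the access table.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access

# (2) From: header. header_checks run in the cleanup daemon and see each
#     (folded) header as one logical line, so a From: listing several
#     mailboxes, one of them @example.com, still matches.
header_checks = pcre:/etc/postfix/header_checks

# --- /etc/postfix/sender_access (then run: postmap /etc/postfix/sender_access)
# The key "example.com" matches any envelope sender user@example.com.
example.com    REJECT Forged envelope sender: example.com mail must authenticate

# --- /etc/postfix/header_checks (pcre table, no postmap needed) -------------
# Postfix pcre tables match case-insensitively by default. The trailing \b
# keeps the pattern from also matching example.com.attacker.invalid.
/^From:.*@example\.com\b/    REJECT Forged From: header claiming example.com

# --- master.cf -------------------------------------------------------------
# header_checks apply to ALL mail passing through cleanup, including your
# own users' authenticated submissions. Give the submission port its own
# cleanup instance with header_checks switched off so legitimate mail from
# example.com users still flows.
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_security_level=encrypt
    -o cleanup_service_name=subcleanup
subcleanup unix n       -       n       -       0       cleanup
    -o header_checks=
```

Two points a practitioner would check before deploying this. First, Postfix evaluates smtpd_sender_restrictions before smtpd_recipient_restrictions, so a REJECT from check_sender_access fires even if permit_mynetworks or permit_sasl_authenticated appears later in the recipient list; that is why the permits are repeated at the top of the sender list here. Second, with a content_filter in place, the smtpd listener that takes mail back from the filter normally carries `-o receive_override_options=no_header_body_checks` in master.cf so the header check does not run a second time on the re-injected copy. Run `postfix reload` after editing either file.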