Thank you for quick responses!
Dominic Raferd's reply was the most helpful and a good how-to :)
Just to summarize, how many From sender spoofing methods are there?
1) envelope-sender (What Viktor said)
2) Header From sender (What Dominic said)
3) Privileged domain in text sender (What Dominic said)
I used
root@othermail:~# mail -s test1 -a "From: us...@mydomain.tld" us...@mydomain.tld < /dev/null
Which, judging by man mail, spoofs the Header From, and which was blocked by
"reject_sender_login_mismatch". As Viktor said, my spam attacker used the
Header sender (is that the same as spoofing the Header From, or is it
something else?).
How do I test against all 3 (4?) of these spoofing methods? Which of them
does my method test against?
Thanks.
On 08.04.19 18:56, Dominic Raferd wrote:
On Mon, 8 Apr 2019 at 16:22, Ralph Seichter <ab...@monksofcool.net> wrote:
* Janis:
> Should I install amavis? It seems so trivial to block spam which
> pretend to be sent as a spoofed message from oneself but yet I can't
> block it.
Postfix's check_sender_access suffices to block forged envelope (!)
sender addresses:
# pcre:/etc/postfix/sender_access
/\bi(yourdomain|yourotherdomain)\.tld$/ REJECT
That should be combined with only allowing authenticated email via
port 587 (submission).
While this does not prevent somebody forging the "From" header, an
adversary won't be able to forge a DKIM signature for said header.
Regarding forging of 'From' header: using DKIM with an enforced
(p=reject) DMARC policy is a way of tackling this effectively. It has
the advantage that it will also stop most third parties from receiving
fake emails that purport to be sent from your domain(s). But it is a
big hammer.
Alternatively block unauthenticated emails that purport to come from
your domain by using a header_checks test that runs for
unauthenticated emails - by allowing authenticated emails only on
different port(s) (587 and/or 465) and having a different
cleanup_service_name for unauthenticated emails (i.e. emails sent to
port 25). For instance:
/etc/postfix/master.cf (extract):
smtp inet n - y - - smtpd
  -o cleanup_service_name=cleanup_wild
cleanup_wild unix n - y - 0 cleanup
  -o header_checks=pcre:/etc/postfix/check_headers_wild.pcre
/etc/postfix/check_headers_wild.pcre (extract):
if /^From:/
# Fake domain in the actual address e.g. From: Fake Sender <domi...@mydomain1.tld>
/(mydomain1\.tld|mydomain2\.tld)>?\s*$/ REJECT From header impersonation (privileged domain in address)
# Fake domain in text preceding the address e.g. From: domi...@mydomain1.tld <s...@fakesender.tld>
/(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$/ REJECT From header impersonation (privileged domain in text)
endif
This will block your own mails to mailing lists (such as this one) when
they are repeated back to you (or to another user of your domain), but this
is unlikely to cause problems in practice.
The second regex blocks a type of fake that you did not mention, but
is seen in the wild.
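To answer the "how do I test against all three methods" question without touching a live Postfix, the script below is an added example (not code from any of the posters) that mirrors the three checks discussed in this thread in plain Python: an envelope-sender rule in the spirit of Ralph's check_sender_access map (my assumed form, rejecting any envelope sender in a privileged domain), and Dominic's two From-header regexes copied verbatim. Postfix pcre tables match case-insensitively by default, so the patterns are compiled with re.IGNORECASE. The sample messages are constructed, and the last one is the mailing-list echo case Dominic mentions, so you can see which vector each check actually covers and where the false positive comes from.

```python
import re

# Postfix pcre tables are case-insensitive by default; mirror that here.
FLAGS = re.IGNORECASE

# Assumed envelope-sender rule (not the exact map from the thread): reject any
# MAIL FROM in one of our domains. In Postfix this map would only be consulted
# for unauthenticated port-25 clients, never for authenticated submission.
ENVELOPE_RULE = re.compile(r"@(mydomain1\.tld|mydomain2\.tld)$", FLAGS)

# Dominic's two header_checks patterns, applied only to the From: header line.
HEADER_RULES = [
    (re.compile(r"(mydomain1\.tld|mydomain2\.tld)>?\s*$", FLAGS),
     "From header impersonation (privileged domain in address)"),
    (re.compile(r'(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$', FLAGS),
     "From header impersonation (privileged domain in text)"),
]


def check_envelope(mail_from):
    """Return a reject reason for the envelope sender, or None if accepted."""
    if ENVELOPE_RULE.search(mail_from):
        return "envelope sender in privileged domain"
    return None


def check_from_header(header_line):
    """Apply the From: rules to one logical header line; first match wins,
    as header_checks does. Non-From headers are never examined."""
    if not header_line.lower().startswith("from:"):
        return None
    for rule, reason in HEADER_RULES:
        if rule.search(header_line):
            return reason
    return None


def classify(mail_from, from_header):
    """Run both checks on one message as seen on an unauthenticated port-25
    session, and report which check (if any) would reject it."""
    return {
        "envelope": check_envelope(mail_from),
        "header": check_from_header(from_header),
    }


# Constructed samples covering the three spoofing vectors from the thread.
SAMPLES = {
    # 1) envelope-sender spoof: MAIL FROM in our domain, From: header elsewhere
    "envelope_spoof": ("attacker@mydomain1.tld",
                       "From: Attacker <attacker@fakesender.tld>"),
    # 2) Header From spoof: our domain in the actual address
    "header_address_spoof": ("spammer@fakesender.tld",
                             "From: Fake Sender <domi...@mydomain1.tld>"),
    # 3) privileged domain only in the display-name text
    "header_text_spoof": ("spammer@fakesender.tld",
                          "From: domi...@mydomain1.tld <s...@fakesender.tld>"),
    # legitimate external mail: neither check fires
    "legit_external": ("alice@example.org",
                       "From: Alice <alice@example.org>"),
    # own post echoed back by a mailing list: header check fires (the
    # false positive Dominic notes), envelope is the list's own address
    "list_echo": ("postfix-users-bounces@list.example",
                  "From: Janis <janis@mydomain1.tld>"),
}


def run_samples():
    """Classify every constructed sample; returns {name: result}."""
    return {name: classify(mf, fh) for name, (mf, fh) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} envelope={result['envelope']!r:40s} header={result['header']!r}")
```

On a real system the same header patterns can be exercised against the installed map with `postmap -q "From: Fake Sender <x@mydomain1.tld>" pcre:/etc/postfix/check_headers_wild.pcre`, which prints the REJECT action if the line matches. The `mail -a "From: ..."` command from the top of the thread only changes the From: header, so it exercises vector 2 (and 3, if you put the domain in the display name), not the envelope sender; an envelope spoof needs a client that sets MAIL FROM itself.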