Re: Blocking spammers who spoof From: addresses from my domain
On Mon, 13 Aug 2018 at 06:52, Matthias Fechner wrote:
> On 13.08.2018 at 01:29, Stuart Longland wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address. In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path. In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> setup SPF, there you can define which host is allowed to send emails
> from your domain.
> The check will be done on the mailserver receiving the "faked" emails.

SPF used on its own as a blocking mechanism works on the envelope sender, not the header.from. To block fake senders which use your domain as header.from you should use DMARC, specifying DKIM (and SPF) and using p=reject. Not only will this stop people sending emails purporting to be from you to *your* server, but it will largely prevent them from sending them to *anyone else*. This depends on your server and others testing incoming mail for DMARC compliance - but all the major email providers do this. It will also block emails that fake your domain as the envelope sender (Return-Address).

The only disadvantages are that it takes a little setting up, and that you can't then use such a domain for posts to mailing lists.

As for the text part of the header.from, once you have DMARC covering the other bases you can tackle it with header_checks, even though all emails go through it, even those from your legitimate domain senders.
The example below is an extract from a header_checks file which attempts to block not only attempts to fake your email address but also your name; it uses pcre syntax, not regexp. Note that the 'if' clauses are nested but unfortunately indenting for the purpose of clarity is not (I think) permitted in pcre files:

if /^From:/
# emails with the mail name part of header.from set to your domain(s) will pass here skipping the rest of the tests
# faked instances of such can be blocked by opendmarc if your domain has DMARC with p=reject, but not here
/(yourdomain1\.tld|yourdomain2\.tld)>?$/ DUNNO
# block emails which use your domain as the last part of the text in header.from e.g. "From: y...@yourdomain.tld "
/^(.*(yourdomain1\.tld|yourdomain2\.tld)"? <.*)$/ REJECT message content impersonation
# inspect emails that use your real name in the text - expand this to work with other names as required:
if /^From: ?(S(tuart)? Longland)/
# allow other legitimate email addresses that you use, also from apple and (ubuntu) launchpad
if !/(yourexternaladdress@anotherdomain\.tld|@bugs\.launchpad\.net|noreply@email\.apple\.com)>?$/
# and allow if 'via ' e.g. via Dropbox - otherwise block mails
!/via / REJECT message content impersonation
endif
endif
endif

If you are absolutely set against using DMARC then there is probably a way of blocking faked header.from addresses with a SpamAssassin multi-header test.
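An added illustration of the envelope-versus-header point made in this thread (example code, not from any of the posters): it parses a constructed message and performs the identifier-alignment comparison DMARC makes between the Return-Path domain, which is all SPF authenticates, and the header.from domain that recipients actually see. The two-label organizational-domain shortcut is an assumption of this example; real DMARC evaluators use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not taken from the thread): SPF could pass for the
# envelope sender's domain while the visible From: is spoofed to yourdomain.tld.
SAMPLE = """Return-Path: <bounce@spammer.example>
From: "Stuart Longland" <stuart@yourdomain.tld>
To: someone@yourdomain.tld
Subject: Scanned document

body
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, '' if absent."""
    _, spec = parseaddr(addr)
    return spec.rpartition("@")[2].lower() if "@" in spec else ""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption of this example; DMARC proper consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def dmarc_alignment(msg_text: str, mode: str = "relaxed") -> dict:
    """Compare RFC5321.MailFrom (Return-Path) with RFC5322.From the way
    DMARC's SPF identifier alignment does.  A plain SPF pass says nothing
    about the From: header, which is why SPF alone cannot stop header.from
    spoofing and why the two domains must be shown to align."""
    msg = message_from_string(msg_text)
    env = domain_of(msg.get("Return-Path", ""))
    hdr = domain_of(msg.get("From", ""))
    if mode == "strict":
        aligned = env != "" and env == hdr
    else:
        aligned = env != "" and org_domain(env) == org_domain(hdr)
    return {"envelope": env, "header_from": hdr, "aligned": aligned}


if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))  # aligned: False -> DMARC p=reject would apply
```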
Re: Blocking spammers who spoof From: addresses from my domain
On 12 Aug 2018, at 17:29, Stuart Longland wrote:
> We have a problem where some smart-arse spammers/phishers are spoofing
> the From address, specifying our domain as their from address. In one
> case, the person in question uses my personal address in the From, To
> and Return-Path. In others, they pretend to be a scanner sending a
> supposedly "scanned document".

Don't accept mail from local users coming from a foreign server? That's what I do.

-- 
99 percent of lawyers give the rest a bad name.
Re: Blocking spammers who spoof From: addresses from my domain
On Mon, Aug 13, 2018 at 05:19:18AM -0600, @lbutlr wrote:
> On 12 Aug 2018, at 17:29, Stuart Longland wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address. In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path. In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> Don't accept mail from local users coming from a foreign server?
> That's what I do.

Header vs. envelope. You should know that.

A mail with your e-mail in the From header comes from the mailing list.

Bastian

-- 
All your people must learn before you can reach for the stars.
-- Kirk, "The Gamesters of Triskelion", stardate 3259.2
Re: Blocking spammers who spoof From: addresses from my domain
On Mon, 13 Aug 2018 at 12:20, @lbutlr wrote:
> On 12 Aug 2018, at 17:29, Stuart Longland wrote:
> > We have a problem where some smart-arse spammers/phishers are spoofing
> > the From address, specifying our domain as their from address. In one
> > case, the person in question uses my personal address in the From, To
> > and Return-Path. In others, they pretend to be a scanner sending a
> > supposedly "scanned document".
>
> Don't accept mail from local users coming from a foreign server?
> That's what I do.

Can that work for the mail address in the header.from?

Is it possible to have different header_checks depending on whether or not the mail is authenticated/local (I know this is possible for smtpd_restrictions_lists), e.g. like this - assuming all 'outgoing' mail is either authenticated or local:

/etc/postfix/master.cf:
smtp      inet  n       -       y       -       -       smtpd
    -o header_checks=$header_checks_wild

/etc/postfix/main.cf:
# default for emails coming in on ports other than 25, or via pickup:
header_checks =
# but for emails arriving via port 25:
header_checks_wild = pcre:/etc/postfix/check_headers_wild.pcre
Re: Blocking spammers who spoof From: addresses from my domain
Bastian Blank wrote on 2018-08-13 14:28:
> Header vs. envelope. You should know that.

spf breaks mailing lists :=)

sender-id breaks, but is deprecated with dkim

> A mail with your e-mail in the From header comes from the mailing list.

i wish it was correct, mailing lists that take ownership make more harm than good

openarc is basically just there so that it is valid to break dkim :( sadly
Re: Timed out while sending end of data -- message may be sent more than once
On 12.08.18 20:50, Thomas Kristensen wrote:
> Subject: Timed out while sending end of data -- message may be sent more than once
>
> I got this strange problem with postfix 3.1.0. I got this one server that doesn't get all the mails queued for it. Some mails get the error in subject.
> And if I do a tcpdump on the tcp stream I see this every time:
> [...]
> As you can see the stream stops before the last mimepart is done.
> This is captured with tcpdump on the server with postfix 3.1.0
> This is only a problem with about 5-10% of the deliveries to this one host. We got about 40-5 messages in and out, to many servers, every day and only see this problem with one host we try to deliver to.

the host may have a problem, or just scans the mail for too long.

Is the smtp_data_done_timeout default 600s? what are the timestamps in the tcpdump? does the timeout happen after those 600 seconds?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: Timed out while sending end of data -- message may be sent more than once
On 12 Aug 2018, at 16:50, Thomas Kristensen wrote:
> Hey
>
> I got this strange problem with postfix 3.1.0. I got this one server that doesn't get all the mails queued for it. Some mails get the error in subject.
> And if I do a tcpdump on the tcp stream I see this every time: (the content has been wiped for some information)
> [...]
> boundary_274246_f400b577-4e93-4ffd-b5ec-355c7a0b5059
> Content-Type: application
> .
> As you can see the stream stops before the last mimepart is done.

Which *should not* make any difference, since the terminating <CRLF>.<CRLF> is present. Unfortunately, the bogus Content-Type and unterminated MIME part may be the cause.

> This is captured with tcpdump on the server with postfix 3.1.0
> We use SMTP protocol to transport small files, so the body of the mail is not important but the attachment is the actual message we want to transport.
> This is only a problem with about 5-10% of the deliveries to this one host. We got about 40-5 messages in and out, to many servers, every day and only see this problem with one host we try to deliver to.

So, the receiving host is broken. It is not answering the submitted data for over 10 minutes (unless you've shortened the smtp_data_done_timeout value? Don't do that...) so presumably it is doing some sort of content filtering or delivery procedure which is hanging. A badly-designed content filter or heavyweight delivery agent (e.g. Exchange) could make the mistake of demanding that MIME parts have parseable headers and/or non-null bodies and/or closing boundaries before they accept them as complete and process them, ignoring the fact that a misconstructed message like this one might be sent and terminated correctly at the SMTP level with the last part being a useless stub as shown.

> If I do a postqueue -I on the queueid it still fails, but if I make the sender resend it, so it is a whole new message in postfix, it goes fine without problems.
> So the question is, why do some of the mails fail on the server, with no option to requeue them?

You would probably need to provide postconf -n output and logging of all activity regarding a particular message to get a useful answer to that.
Postfix and getmail, how to tell postfix to receive only specific addresses of a virtual domain?
Postfix 3.3.0, on OpenSuse 15.0

Hi to all, my first post, as a list newbie :-)

I'm using postfix, along with dovecot, for about two years now, on my VPS. virtual_mailbox_domains for virtual domains of recipients, virtual_mailbox_maps for recipients' addresses. Both stored in MariaDB/MySQL. Works fine.

Starting a while ago, I've added getmail, for syncing my email accounts at commercial ISPs (like the sender address of this email, michae...@rocketmail.com, a yahoo account) to my own VPS. The getmail part itself also works fine and stable.

But I recognized an ugly self-made side effect today, for the first time: Let's say my VPS' domain is EXAMPLE.COM, as written above used as a postfix virtual domain. So one of my private email addresses would be mich...@example.com. To get my postfix server to accept both "direct" emails (for mich...@example.com) and "getmail-ed" emails (for michae...@rocketmail.com), I've currently added "rocketmail.com" as (postfix) "virtual domain". As said, works fine for receiving "getmail-ed" mails.

BUT, today I wanted via Thunderbird to send an email from sender mich...@example.com to someone_e...@rocketmail.com. And Thunderbird immediately shows me the postfix error msg "5.1.1 / Recipient address rejected. User unknown in virtual mailbox table". So it seems that currently my postfix server, listening secured (on port 587) for relaying my emails, "remembers" that he's also listening unsecured (on port 25) to receive emails for "virtual domain" rocketmail.com.

Any hints how to tell postfix that he shouldn't try to catch all emails for a virtual domain, but only the ones for existing (getmail) virtual users, defined in virtual_mailbox_maps?

(Of course) I've searched the net and esp. this mailing list's archives before subscribing and posting, found this old answer https://marc.info/?l=postfix-users&m=118760792501033. Which might lead into the right direction, also for my issue, but I'm not sure.

Regards, Michael
Re: Postfix and getmail, how to tell postfix to receive only specific addresses of a virtual domain?
There is no need to list your mail provider domain names in Postfix. That just results in unnecessary 'user unknown' errors.

Instead, use virtual_alias_maps (NOT: virtual_alias_domains) mapping of:

user1@emailprovider1.example    you@really-local-domain
user2@emailprovider2.example    you@really-local-domain
user3@emailprovider3.example    other@really-local-domain

Where only really-local-domain delivers to dovecot.

No mail provider domain names in virtual_alias_domains.
No mail provider domain names in virtual_mailbox_domains.
No mail provider domain names in mydestination.

You can even reverse the virtual_alias_mapping with smtp_generic_maps, depending on who you are sending email to. That is a longer story. I can provide that if you are interested.

Wietse
Could somebody check my Postscreen setup?
Hi all,

I'm trying out Postscreen after having used Postgrey for some time. The reason for the switch is that Postgrey can cause emails from Google etc. to take a long time to come through due to the large number of IP addresses they use (and I don't want to whitelist the GMail addresses).

Here are the changes I've made, they're all default from the manual, and I include the Postscreen logs. I was expecting more, but had been receiving emails from the same GMail address so it was possibly already whitelisted. Note: These are only the changes I've made.

master.cf

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

main.cf

postscreen_access_list = permit_mynetworks
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

Logs

Aug 13 21:24:10 kepler postfix/postscreen[12013]: CONNECT from [2a00:1450:4864:20::529]:38530 to [2001:41d0:2:25a6:2::1]:25
Aug 13 21:24:16 kepler postfix/postscreen[12013]: PASS NEW [2a00:1450:4864:20::529]:38530

Thanks for looking
Re: Postfix and getmail, how to tell postfix to receive only specific addresses of a virtual domain?
Wietse, let me first thank you for your answer. A great honour for me, getting my first post answered by the inventor of postfix itself. So let me take the chance and thank you for postfix, overall :-)

Your answer led me in the right direction: "No mail provider domain names in ..."

In fact my specific solution was pretty simple: Just deleting the virtual domains only added for my getmail-ed accounts. I even don't need virtual_alias_maps entries, as my recipient addresses (and their mailboxes) are (still) "user1@emailprovider1.example", e.g. michae...@rocketmail.com. It was my intention not to collect mails into you@really-local-domain, but within own mailboxes. Has IMHO the charm that I can use dedicated Thunderbird (or any MUA) accounts, incoming (IMAP) pointing to my VPS, outgoing (SMTP) pointing to the "real" mail provider.

So thank you very much again,
Michael

On 13.08.2018 at 19:50, Wietse Venema wrote:
> There is no need to list your mail provider domain names in Postfix.
> That just results in unnecessary 'user unknown' errors.
>
> Instead, use virtual_alias_maps (NOT: virtual_alias_domains)
> mapping of:
>
> user1@emailprovider1.example you@really-local-domain
> user2@emailprovider2.example you@really-local-domain
> user3@emailprovider3.example other@really-local-domain
>
> Where only really-local-domain delivers to dovecot.
>
> No mail provider domain names in virtual_alias_domains.
> No mail provider domain names in virtual_mailbox_domains.
> No mail provider domain names in mydestination.
>
> You can even reverse the virtual_alias_mapping with
> smtp_generic_maps, depending on who you are sending email to.
> That is a longer story. I can provide that if you are interested.
>
> Wietse
Re: Blocking spammers who spoof From: addresses from my domain
On 8/13/18 9:31 AM, Benny Pedersen wrote:
> Bastian Blank wrote on 2018-08-13 14:28:
>
>> Header vs. envelope. You should know that.
>
> spf breaks mailing lists :=)

Wrong, basic SPF checks the ENVELOPE From, which a good mailing list will point to itself. It is only DMARC-SPF that forces it to use the Header From:

-- 
Richard Damon
"Recipient address rejected: User unknown in virtual mailbox table" and mydomain conf line
Hi people!

I have a problem with sending emails and I of course try to dig. The problem in logs:

Aug 14 07:13:30 s1 postfix/smtpd[8804]: NOQUEUE: filter: RCPT from ip6-localhost[127.0.0.1]: : Sender address triggers FILTER amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=
Aug 14 07:13:30 s1 postfix/smtpd[8804]: NOQUEUE: reject: RCPT from ip6-localhost[127.0.0.1]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<mar...@amconsulting360.com> to= proto=ESMTP helo=<s1.poliman.net>

Remote address marc...@colonel.com.pl is enabled and works (this domain is bought on google.com). I can send emails from mar...@amconsulting360.com, which is configured on my server, to whatever domain (hosted on gmail/google etc, on other domains from my server etc) but when I try to send to marc...@colonel.com.pl I have the above error in logs. At the end maybe one more valuable piece of information: Domain colonel.com.pl is hosted on my server but MX for this domain is served by google MX.

Executing "postconf | grep mydomain" gives the output:

append_dot_mydomain = no
mydomain = poliman.net

but in main.cf are:

myhostname = s1.poliman.net
mydestination = s1.poliman.net, localhost, localhost.localdomain

1. I can't find either a main.cf or a master.cf line with the "mydomain" word. In main.cf is only "append_dot_mydomain".
2. Should I change mydomain to s1.poliman.net? If I should, how to do it? Hostname fqdn of the server is s1.poliman.net and in main.cf are also lines with this name as you can see above.

I use Postfix "mail_version = 3.1.0".

Could anybody help me?

-- 
Pozdrawiam / Best Regards
Piotr Bracha