Prevent internal spoofing in mailserver

AndrewL64 Member
edited September 2021 in Help

I have a test mailserver (postfix+dovecot+roundcube) being used by 8 domains. How would I prevent spoofing among the domains since the mailserver is using a single shared ipv4 address?

Comments

  • jar Patron Provider, Top Host, Veteran

    I mean you don't usually. Traditionally the client writes the From header. While it's become more popular among ESPs to rewrite the From header to match the authenticated account, that has never become a popular standard on open source mail servers.

  • AndrewL64 Member
    edited September 2021

    @jar said: While it's become more popular among ESPs to rewrite the From header to match the authenticated account, that has never become a popular standard on open source mail servers.

    Any particular reason for this? And what would be a good alternative approach to prevent, say, example1.com from sending mail as, say, example2.com when both of them have the same IP in their SPF?

  • AndrewL64 Member
    edited September 2021

    *Any particular reason for this not ending up becoming a popular approach?

  • jar Patron Provider, Top Host, Veteran
    edited September 2021

    @AndrewL64 said: Any particular reason for this?

    Because most people deploying open source mail servers for their organization don't give out access to untrusted users. Enterprise customers generally aren't using Postfix+Dovecot but instead much more elaborate and expensive setups.

    Personally I police it through fear, intimidation, monitoring, and including an X-Auth-User header. Even just testing to see what you can get away with for potential malicious purpose is likely to result in data loss on my systems, and plenty of bad reviews tell the story.

    And besides, spoofing a From header doesn't ensure the person doing the spoofing will get a reply (can't spoof inbound), and users everywhere should be trained not to click links without inspecting them and knowing whether or not they're trustworthy, because most systems out there accept spoofed email under certain conditions (meaning it could come from another server just as easily as yours, and might get accepted).

    If a recipient can't be trusted to know what's safe and what isn't (and they usually can't), enforcing a From header isn't likely to save them. They'll fall for a misspelled user/domain just the same. And they do, all the time. Spoofing from a trusted mail server, as a trusted user, is the least reasonable way to try to get away with trying to trick a recipient. Sounds like a good way to get fired, really.

    Generally speaking, email is one of the least secure methods of communication as a whole. The ways to abuse it are quite plentiful. Just think about all of those people using MailChannels, for example. All sharing an SPF with each other. And recipients don't care if a message isn't DKIM signed, there's usually no penalty for it. Strong DMARC requirements only protect you at certain recipient hosts and then usually break email forwarding, causing recipients to complain that they didn't get your emails.

    There's no substitute for good old fashioned human monitoring. Script-assisted monitoring is helpful to scale it up.

    Thanked by 2: Tony40, nezam05
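As an added example (not code from this thread or from any of the posters): a small Python check of the script-assisted kind of monitoring the answer above describes. It recovers the SASL login that submitted a message from the X-Auth-User header mentioned above, or from the "(Authenticated sender: ...)" note that Postfix writes into the Received header when smtpd_sasl_authenticated_header is enabled, and compares the domain of that login with the domains in the Return-Path (envelope sender) and the header From. The sample messages are constructed; the host name mail.example.net, the client address, and the account names are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the thread). They imitate what a Postfix
# submission service records: "(Authenticated sender: ...)" in the Received
# header and, as the post above suggests, an X-Auth-User header stamped at
# submission time. Domains example1.com/example2.com come from the question.
SAMPLE_MESSAGES = [
    # 1. Legitimate: login and From domain agree.
    "Received: from client (client [192.0.2.10])\n"
    "    (Authenticated sender: alice@example1.com)\n"
    "    by mail.example.net (Postfix) with ESMTPSA id AAAA0001\n"
    "X-Auth-User: alice@example1.com\n"
    "From: Alice <alice@example1.com>\n"
    "Subject: weekly report\n\nbody\n",
    # 2. Internal spoof: an example1.com account writes a From header for
    #    example2.com while keeping its own envelope sender, so an
    #    envelope-only check would not notice.
    "Return-Path: <alice@example1.com>\n"
    "X-Auth-User: alice@example1.com\n"
    "From: \"Accounts\" <billing@example2.com>\n"
    "Subject: invoice attached\n\nbody\n",
    # 3. Legitimate, only the Received header carries the login.
    "Received: from client (client [192.0.2.10])\n"
    "    (Authenticated sender: carol@example1.com)\n"
    "    by mail.example.net (Postfix) with ESMTPSA id AAAA0003\n"
    "Return-Path: <carol@example1.com>\n"
    "From: carol@example1.com\n\nbody\n",
    # 4. Lookalike display name: the address is genuine, so this check
    #    passes it; this is the "misspelled user/domain" case the post warns
    #    a From-header rule cannot catch.
    "X-Auth-User: alice@example1.com\n"
    "From: \"example2.com Billing\" <alice@example1.com>\n\nbody\n",
    # 5. No authentication record at all (e.g. inbound mail): not judged.
    "Received: from mx.example9.org by mail.example.net (Postfix)\n"
    "From: bob@example9.org\n\nbody\n",
]


def authenticated_login(msg):
    """Return the SASL login recorded for the message, or None if absent."""
    xauth = msg.get("X-Auth-User")
    if xauth:
        return str(xauth).strip().lower()
    for received in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(received))   # unfold continuation lines
        m = re.search(r"\(Authenticated sender: ([^\s)]+)\)", flat)
        if m:
            return m.group(1).lower()
    return None


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Compare the Return-Path and From domains of one message with the
    domain of the account that authenticated to submit it."""
    msg = email.message_from_string(raw, policy=policy.default)
    login = authenticated_login(msg)
    result = {"login": login, "from": str(msg.get("From", "")), "verdict": "ok"}
    if login is None:
        result["verdict"] = "unauthenticated"   # nothing to compare against
        return result
    login_domain = login.rpartition("@")[2]
    envelope_domain = domain_of(msg.get("Return-Path"))
    if envelope_domain and envelope_domain != login_domain:
        result["verdict"] = "spoofed-envelope"
    elif domain_of(msg.get("From")) != login_domain:
        result["verdict"] = "spoofed-from"
    return result


def find_spoofed(messages):
    """Return the check results for every message that fails the comparison."""
    return [r for r in map(check_message, messages)
            if r["verdict"].startswith("spoofed")]


if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_MESSAGES):
        print(f"{hit['login']} submitted a message with From: {hit['from']}")
```

Postfix can enforce the envelope side of this on its own with smtpd_sender_login_maps and reject_sender_login_mismatch, which is why message 2 above keeps a legitimate Return-Path: that control says nothing about the header From, so a monitoring script (or a milter) still has to look at the header. Message 4 passes deliberately; per domain, nothing in the headers is wrong, which is the point the answer makes about recipients who trust display names.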