OK, I admit to being dumb. I got another scam email yesterday of the same formulation as the earlier ones (mail From: me@mydomain, To: me@mydomain) attempting to extort bitcoin from me.
How? What had I missed this time?
Well, this was slightly different. Checking the mail headers (and my logs) showed that the email had a valid envelope sender (MAIL FROM) address (some bozo calling themselves “email@example.com”), so my earlier “check_sender_access” test would obviously have allowed the email to pass. But what I hadn’t considered was that the sender might then spoof the From: address in the data portion of the email (which is trivially easy to do).
Dumb, so dumb. So what to do to stop this?
Postfix offers quite a lot of further restrictions for managing senders through smtpd_sender_restrictions, and mine were still not tight enough to stop this form of abuse. One additional check is the reject_sender_login_mismatch restriction, which will:
“Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn’t own the MAIL FROM address according to $smtpd_sender_login_maps.”
Now since I store all my user details in the mysql table that Postfix already uses as “virtual_mailbox_maps”, it is simple enough to tell Postfix to use that same table as “smtpd_sender_login_maps” and check the sender (MAIL FROM) address against it. That way only locally authenticated valid users can use a local address as the sender. Why I missed that check is just beyond me.
My postfix configuration now includes the following:
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unauthenticated_sender_login_mismatch, check_sender_access hash:/etc/postfix/localdomains
(Note that I chose to use the “reject_unauthenticated_sender_login_mismatch” rather than the wider “reject_sender_login_mismatch” because I only care about outside unauthenticated senders abusing my system. I can deal with authenticated users differently…)
Now let’s see what happens.
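To make the order of evaluation concrete, here is a small model of the smtpd_sender_restrictions list above, written for this post as an added illustration; it is not Postfix code and not the post author’s own. Each restriction is a function returning PERMIT, REJECT or DUNNO (no opinion, try the next one), and Postfix’s rule of stopping at the first non-DUNNO result is applied in the configured order. The lookup tables, the domain mydomain.example, the $mynetworks ranges and the sample sessions are all constructed for the example. One consequence visible in the model: smtpd_sender_restrictions are evaluated at MAIL FROM time, before DATA, so the message’s From: header is never an input to any of these checks, only the envelope sender is.

```python
"""Model of the post's smtpd_sender_restrictions chain (illustrative, not Postfix code)."""
import ipaddress

# Constructed sample tables standing in for the post's lookup maps.
# $smtpd_sender_login_maps = $virtual_mailbox_maps: sender address -> owner login.
SENDER_LOGIN_MAPS = {
    "me@mydomain.example": "me@mydomain.example",
    "alice@mydomain.example": "alice@mydomain.example",
}
# hash:/etc/postfix/localdomains: our own domain seen in MAIL FROM from an
# unauthenticated, non-local client is rejected.
LOCALDOMAINS = {"mydomain.example": "REJECT"}
# $mynetworks (assumed values): loopback plus one documentation-range subnet.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]


def _domain(address):
    return address.rpartition("@")[2].lower()


def permit_sasl_authenticated(session):
    return "PERMIT" if session.get("sasl_username") else "DUNNO"


def permit_mynetworks(session):
    client = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(client in net for net in MYNETWORKS) else "DUNNO"


def reject_non_fqdn_sender(session):
    # The null sender <> used by bounces has no domain and is left alone.
    mail_from = session["mail_from"]
    if not mail_from:
        return "DUNNO"
    return "DUNNO" if "." in _domain(mail_from) else "REJECT"


def reject_unauthenticated_sender_login_mismatch(session):
    # Enforced for unauthenticated clients only: if the login map names an
    # owner for the MAIL FROM address and the client is not logged in, reject.
    if session.get("sasl_username"):
        return "DUNNO"
    owner = SENDER_LOGIN_MAPS.get(session["mail_from"].lower())
    return "REJECT" if owner else "DUNNO"


def check_sender_access(session):
    # access(5)-style lookup: full address first, then the domain and its
    # parent domains (parent-domain matching as Postfix applies to access maps).
    mail_from = session["mail_from"].lower()
    parts = _domain(mail_from).split(".")
    keys = [mail_from] + [".".join(parts[i:]) for i in range(len(parts))]
    for key in keys:
        if key in LOCALDOMAINS:
            return LOCALDOMAINS[key]
    return "DUNNO"


# Same order as the post's smtpd_sender_restrictions line.
RESTRICTIONS = [
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unauthenticated_sender_login_mismatch,
    check_sender_access,
]


def evaluate(session):
    """Return (verdict, name of the deciding restriction) for one SMTP session.

    session carries client_ip, mail_from and optionally sasl_username. There is
    deliberately no header From: field: these restrictions run before DATA.
    """
    for restriction in RESTRICTIONS:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "DUNNO", "end-of-list"


if __name__ == "__main__":
    samples = {
        "external MAIL FROM, unauthenticated": {"client_ip": "203.0.113.5", "mail_from": "bozo@example.com"},
        "forged local MAIL FROM, unauthenticated": {"client_ip": "203.0.113.5", "mail_from": "me@mydomain.example"},
        "local MAIL FROM, SASL login as owner": {"client_ip": "203.0.113.5", "mail_from": "me@mydomain.example",
                                                 "sasl_username": "me@mydomain.example"},
        "local domain but unknown mailbox": {"client_ip": "203.0.113.5", "mail_from": "nobody@mydomain.example"},
        "non-FQDN sender": {"client_ip": "203.0.113.5", "mail_from": "bozo@localhost"},
    }
    for label, session in samples.items():
        print(f"{label:42s} -> {evaluate(session)}")
```

The two rejecting checks complement each other: reject_unauthenticated_sender_login_mismatch only fires for addresses that actually have an owner in the login map, while the check_sender_access table catches any other address in the local domain. A MAIL FROM at an outside domain falls through the whole list, which is why the scam described in the post arrived in the first place.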
How would this affect mailing lists?
I.e., if you were to send newsletters from Mail Chimp or Constant Contact, and the “from” address on that newsletter is your domain. If I’m understanding this parameter correctly, then if ‘reject_sender_login_mismatch’ is enabled, those newsletter emails would be blocked.
I considered this point before I made the change because I am a member of several mailing lists (tor-relays, tor-talk, alug, etc.) and I didn’t want mail to be rejected. Fortunately, well-run mail lists using decent software (such as mailman) always send mail to list members from the list itself rather than just relaying the mail out unchanged. So for example, I get email from the Anglia Linux User Group with the sender set as “firstname.lastname@example.org”. Thus postfix sees the connection from the external server with a valid external sender address. See for example this recent exchange:
(I have edited the IP address and my email address to protect the innocent.)