Topic: From Spoofing
I decided to test From spoofing, and, simply put, nothing is preventing it.
Postfix should stop it but doesn't.
iRedAPD should stop it but doesn't.
Relevant logs:
Mar 10 07:45:36 phoenix postfix/smtpd[5160]: connect from server1.empirevolved.com[142.4.218.56]
Mar 10 07:45:37 phoenix postfix/smtpd[5160]: 6325861A281C: client=server1.empirevolved.com[142.4.218.56]
Mar 10 07:45:38 phoenix postfix/cleanup[5174]: 6325861A281C: message-id=<af0051f646cc87386d0ca477245f1f97@webdevguru.co.uk>
Mar 10 07:45:38 phoenix postfix/qmgr[2083]: 6325861A281C: from=<test@webdevguru.co.uk>, size=1271, nrcpt=1 (queue active)
Mar 10 07:45:38 phoenix postfix/smtpd[5160]: disconnect from server1.empirevolved.com[142.4.218.56]
Mar 10 07:45:39 phoenix postfix/smtpd[5204]: connect from phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:45:39 phoenix postfix/smtpd[5204]: 3426D61A2829: client=phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:45:39 phoenix postfix/cleanup[5174]: 3426D61A2829: message-id=<af0051f646cc87386d0ca477245f1f97@webdevguru.co.uk>
Mar 10 07:45:39 phoenix postfix/smtpd[5204]: disconnect from phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:45:39 phoenix postfix/qmgr[2083]: 3426D61A2829: from=<test@webdevguru.co.uk>, size=2461, nrcpt=1 (queue active)
Mar 10 07:45:39 phoenix amavis[27412]: (27412-02) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [142.4.218.56]:57371 [142.4.218.56] <test@webdevguru.co.uk> -> <postmaster@webdevguru.co.uk>, Queue-ID: 6325861A281C, Message-ID: <af0051f646cc87386d0ca477245f1f97@webdevguru.co.uk>, mail_id: jdmIcFuAF5Wu, Hits: 0.972, size: 1271, queued_as: 3426D61A2829, dkim_new=dkim:webdevguru.co.uk, 702 ms
Mar 10 07:45:39 phoenix postfix/smtp[5186]: 6325861A281C: to=<postmaster@webdevguru.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.1/0.01/0/0.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3426D61A2829)
Mar 10 07:45:39 phoenix postfix/qmgr[2083]: 6325861A281C: removed
Mar 10 07:45:39 phoenix postfix/pipe[5205]: 3426D61A2829: to=<postmaster@webdevguru.co.uk>, relay=dovecot, delay=0.03, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 10 07:45:39 phoenix postfix/qmgr[2083]: 3426D61A2829: removed
Mar 10 07:47:44 phoenix postfix/smtpd[5932]: connect from server1.empirevolved.com[142.4.218.56]
Mar 10 07:47:44 phoenix postfix/smtpd[5932]: F2F2461A286D: client=server1.empirevolved.com[142.4.218.56]
Mar 10 07:47:46 phoenix postfix/cleanup[5940]: F2F2461A286D: message-id=<8358bc5bf5db97c61b8c65f27282e5fe@webdevguru.co.uk>
Mar 10 07:47:46 phoenix postfix/qmgr[2083]: F2F2461A286D: from=<test@webdevguru.co.uk>, size=1268, nrcpt=1 (queue active)
Mar 10 07:47:46 phoenix postfix/smtpd[5932]: disconnect from server1.empirevolved.com[142.4.218.56]
Mar 10 07:47:46 phoenix postfix/smtpd[5960]: connect from phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:47:46 phoenix postfix/smtpd[5960]: C4D3D61A2870: client=phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:47:46 phoenix postfix/cleanup[5940]: C4D3D61A2870: message-id=<8358bc5bf5db97c61b8c65f27282e5fe@webdevguru.co.uk>
Mar 10 07:47:46 phoenix postfix/smtpd[5960]: disconnect from phoenix.webdevguru.co.uk[127.0.0.1]
Mar 10 07:47:46 phoenix postfix/qmgr[2083]: C4D3D61A2870: from=<test@webdevguru.co.uk>, size=2458, nrcpt=1 (queue active)
Mar 10 07:47:46 phoenix amavis[27414]: (27414-02) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [142.4.218.56]:57417 [142.4.218.56] <test@webdevguru.co.uk> -> <postmaster@webdevguru.co.uk>, Queue-ID: F2F2461A286D, Message-ID: <8358bc5bf5db97c61b8c65f27282e5fe@webdevguru.co.uk>, mail_id: s1sDzIt6TKsL, Hits: 0.972, size: 1268, queued_as: C4D3D61A2870, dkim_new=dkim:webdevguru.co.uk, 705 ms
Mar 10 07:47:46 phoenix postfix/smtp[5957]: F2F2461A286D: to=<postmaster@webdevguru.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0.01/0/0.71, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C4D3D61A2870)
Mar 10 07:47:46 phoenix postfix/qmgr[2083]: F2F2461A286D: removed
Mar 10 07:47:46 phoenix postfix/pipe[5961]: C4D3D61A2870: to=<postmaster@webdevguru.co.uk>, relay=dovecot, delay=0.03, delays=0.01/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 10 07:47:46 phoenix postfix/qmgr[2083]: C4D3D61A2870: removed
and
2015-03-10 07:47:44 DEBUG Connect from 127.0.0.1, port 48986.
2015-03-10 07:47:44 DEBUG smtp session: request=smtpd_access_policy
2015-03-10 07:47:44 DEBUG smtp session: protocol_state=RCPT
2015-03-10 07:47:44 DEBUG smtp session: protocol_name=ESMTP
2015-03-10 07:47:44 DEBUG smtp session: client_address=142.4.218.56
2015-03-10 07:47:44 DEBUG smtp session: client_name=server1.empirevolved.com
2015-03-10 07:47:44 DEBUG smtp session: reverse_client_name=server1.empirevolved.com
2015-03-10 07:47:44 DEBUG smtp session: helo_name=server1.empireevolved.com
2015-03-10 07:47:44 DEBUG smtp session: sender=test@webdevguru.co.uk
2015-03-10 07:47:44 DEBUG smtp session: recipient=kkk@nerdypole.co.uk
2015-03-10 07:47:44 DEBUG smtp session: recipient_count=0
2015-03-10 07:47:44 DEBUG smtp session: queue_id=
2015-03-10 07:47:44 DEBUG smtp session: instance=172c.54fea1a0.e6ccc.0
2015-03-10 07:47:44 DEBUG smtp session: size=1049
2015-03-10 07:47:44 DEBUG smtp session: etrn_domain=
2015-03-10 07:47:44 DEBUG smtp session: stress=
2015-03-10 07:47:44 DEBUG smtp session: sasl_method=
2015-03-10 07:47:44 DEBUG smtp session: sasl_username=
2015-03-10 07:47:44 DEBUG smtp session: sasl_sender=
2015-03-10 07:47:44 DEBUG smtp session: ccert_subject=
2015-03-10 07:47:44 DEBUG smtp session: ccert_issuer=
2015-03-10 07:47:44 DEBUG smtp session: ccert_fingerprint=
2015-03-10 07:47:44 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-03-10 07:47:44 DEBUG smtp session: encryption_protocol=TLSv1.2
2015-03-10 07:47:44 DEBUG smtp session: encryption_cipher=AECDH-AES256-SHA
2015-03-10 07:47:44 DEBUG smtp session: encryption_keysize=256
2015-03-10 07:47:44 DEBUG --> Apply plugin: reject_null_sender
2015-03-10 07:47:44 DEBUG <-- Result: DUNNO
2015-03-10 07:47:44 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-03-10 07:47:44 DEBUG SKIP: No SASL username.
2015-03-10 07:47:44 DEBUG <-- Result: DUNNO
2015-03-10 07:47:44 DEBUG Skip plugin: amavisd_message_size_limit (protocol_state != RCPT)
2015-03-10 07:47:44 DEBUG Creating Amavisd database connection.
2015-03-10 07:47:44 DEBUG Got db cursor.
2015-03-10 07:47:44 DEBUG --> Apply plugin: amavisd_wblist
2015-03-10 07:47:44 DEBUG Possible policy senders: ['@.', 'test@webdevguru.co.uk', '@webdevguru.co.uk', '@.webdevguru.co.uk', '@co.uk', '@.co.uk', '@uk', '@.uk', '142.4.218.56', '142.*.*.56', '142.*.*.*', '142.4.*.56', '142.4.218.*', '*.*.*.56', '*.*.218.56', '*.4.218.56', '142.*.218.56', '142.4.*.*', '*.*.*.*']
2015-03-10 07:47:44 DEBUG Possible policy recipients: ['@.', 'kkk@nerdypole.co.uk', '@nerdypole.co.uk', '@.nerdypole.co.uk', '@co.uk', '@.co.uk', '@uk', '@.uk']
2015-03-10 07:47:44 DEBUG SQL: Get policy senders: SELECT id,priority,email FROM mailaddr WHERE email IN ('@.', 'test@webdevguru.co.uk', '@webdevguru.co.uk', '@.webdevguru.co.uk', '@co.uk', '@.co.uk', '@uk', '@.uk', '142.4.218.56', '142.*.*.56', '142.*.*.*', '142.4.*.56', '142.4.218.*', '*.*.*.56', '*.*.218.56', '*.4.218.56', '142.*.218.56', '142.4.*.*', '*.*.*.*') ORDER BY priority DESC
2015-03-10 07:47:44 DEBUG No senders found in SQL database.
2015-03-10 07:47:44 DEBUG <-- Result: DUNNO
2015-03-10 07:47:44 DEBUG --> Apply plugin: sql_alias_access_policy
2015-03-10 07:47:44 DEBUG SQL: query access policy: SELECT accesspolicy, goto, moderators
FROM alias
WHERE
address='kkk@nerdypole.co.uk'
AND address <> goto
AND active=1
LIMIT 1
2015-03-10 07:47:44 DEBUG SQL: record: None
2015-03-10 07:47:44 DEBUG <-- Result: DUNNO (Not mail alias)
2015-03-10 07:47:44 DEBUG Closed Amavisd database connection.
2015-03-10 07:47:44 INFO [142.4.218.56] test@webdevguru.co.uk -> kkk@nerdypole.co.uk, DUNNO
2015-03-10 07:47:44 DEBUG Session ended
2015-03-10 07:47:44 DEBUG Closed SQL connection.
2015-03-10 07:47:45 DEBUG smtp session: request=smtpd_access_policy
2015-03-10 07:47:45 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2015-03-10 07:47:45 DEBUG smtp session: protocol_name=ESMTP
2015-03-10 07:47:45 DEBUG smtp session: client_address=142.4.218.56
2015-03-10 07:47:45 DEBUG smtp session: client_name=server1.empirevolved.com
2015-03-10 07:47:45 DEBUG smtp session: reverse_client_name=server1.empirevolved.com
2015-03-10 07:47:45 DEBUG smtp session: helo_name=server1.empireevolved.com
2015-03-10 07:47:45 DEBUG smtp session: sender=test@webdevguru.co.uk
2015-03-10 07:47:45 DEBUG smtp session: recipient=kkk@nerdypole.co.uk
2015-03-10 07:47:45 DEBUG smtp session: recipient_count=1
2015-03-10 07:47:45 DEBUG smtp session: queue_id=F2F2461A286D
2015-03-10 07:47:45 DEBUG smtp session: instance=172c.54fea1a0.e6ccc.0
2015-03-10 07:47:45 DEBUG smtp session: size=1049
2015-03-10 07:47:45 DEBUG smtp session: etrn_domain=
2015-03-10 07:47:45 DEBUG smtp session: stress=
2015-03-10 07:47:45 DEBUG smtp session: sasl_method=
2015-03-10 07:47:45 DEBUG smtp session: sasl_username=
2015-03-10 07:47:45 DEBUG smtp session: sasl_sender=
2015-03-10 07:47:45 DEBUG smtp session: ccert_subject=
2015-03-10 07:47:45 DEBUG smtp session: ccert_issuer=
2015-03-10 07:47:45 DEBUG smtp session: ccert_fingerprint=
2015-03-10 07:47:45 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-03-10 07:47:45 DEBUG smtp session: encryption_protocol=TLSv1.2
2015-03-10 07:47:45 DEBUG smtp session: encryption_cipher=AECDH-AES256-SHA
2015-03-10 07:47:45 DEBUG smtp session: encryption_keysize=256
2015-03-10 07:47:45 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2015-03-10 07:47:45 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
2015-03-10 07:47:45 DEBUG Creating Amavisd database connection.
2015-03-10 07:47:45 DEBUG Got db cursor.
2015-03-10 07:47:45 DEBUG --> Apply plugin: amavisd_message_size_limit
2015-03-10 07:47:45 DEBUG Message size: 1049
2015-03-10 07:47:45 DEBUG Getting applicable policies
2015-03-10 07:47:45 DEBUG Valid policy accounts for recipient kkk@nerdypole.co.uk: 'kkk@nerdypole.co.uk', '@nerdypole.co.uk', '@.nerdypole.co.uk', '@.'
2015-03-10 07:47:45 DEBUG SELECT policy_name,message_size_limit
FROM users, policy
WHERE
(users.policy_id=policy.id)
AND (users.email IN ('kkk@nerdypole.co.uk', '@nerdypole.co.uk', '@.nerdypole.co.uk', '@.'))
ORDER BY users.priority DESC
2015-03-10 07:47:45 DEBUG No policy found.
2015-03-10 07:47:45 DEBUG <-- Result: DUNNO
2015-03-10 07:47:45 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2015-03-10 07:47:45 DEBUG Skip plugin: sql_alias_access_policy (protocol_state != END-OF-MESSAGE)
2015-03-10 07:47:45 DEBUG Closed Amavisd database connection.
2015-03-10 07:47:45 INFO [142.4.218.56] test@webdevguru.co.uk -> kkk@nerdypole.co.uk, DUNNO
2015-03-10 07:47:45 DEBUG Session ended
2015-03-10 07:47:45 DEBUG Closed SQL connection.
All incoming mail which claims to be from one of the virtual domains on the server should be marked as SPAM or even rejected.
If Postfix didn't prevent it, then SpamAssassin/ClamD/Amavis's SPF/DKIM checks should fail it anyway, but they don't.
Headers of received e-mail:
Return-Path: <test@webdevguru.co.uk>
Delivered-To: postmaster@webdevguru.co.uk
Received: from phoenix.webdevguru.co.uk (phoenix.webdevguru.co.uk [127.0.0.1])
by phoenix.webdevguru.co.uk (Postfix) with ESMTP id 0522D61A2A45
for <postmaster@webdevguru.co.uk>; Tue, 10 Mar 2015 08:50:40 +0000 (GMT)
Authentication-Results: phoenix.webdevguru.co.uk (amavisd-new);
dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
header.d=webdevguru.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=webdevguru.co.uk;
h=user-agent:message-id:subject:subject:to:from:from:date:date
:content-transfer-encoding:content-type:content-type
:mime-version; s=dkim; t=1425977439; x=1426841440; bh=ibR1jo+3XQ
XcqE+RsRqziC3VDJb1zV4gV4ldJqQrbUw=; b=ojFqyNAAXhHwGCwL2SUlr6oXPv
sV3uqXpqeMbZS9IGRqQ6ZzewsnHCHgkD/0KqeHe+zGrcjlsUmF21RAFshpJ51IBL
FzSHdY3kG4McyP+ZEC4OvzAoVZ517YEiVJSXumtpf4xVz4ysAmZTgWTzSGzs0N+r
VHGGg9RYu7ahEhgaQ=
X-Virus-Scanned: Debian amavisd-new at phoenix.webdevguru.co.uk
Received: from phoenix.webdevguru.co.uk ([127.0.0.1])
by phoenix.webdevguru.co.uk (phoenix.webdevguru.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LhnPxmGURtoZ for <postmaster@webdevguru.co.uk>;
Tue, 10 Mar 2015 08:50:39 +0000 (GMT)
Received: from server1.empireevolved.com (server1.empirevolved.com [142.4.218.56])
by phoenix.webdevguru.co.uk (Postfix) with ESMTPS id 72EC961A2A42
for <postmaster@nerdypole.co.uk>; Tue, 10 Mar 2015 08:50:38 +0000 (GMT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by server1.empireevolved.com (Postfix) with ESMTP id 953A7E0A27
for <postmaster@nerdypole.co.uk>; Tue, 10 Mar 2015 04:52:46 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at server1
Received: from server1.empireevolved.com ([127.0.0.1])
by localhost (server1.empireevolved.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hhxEipgQfK7L for <postmaster@nerdypole.co.uk>;
Tue, 10 Mar 2015 04:52:46 -0400 (EDT)
Received: from private.empireevolved.com (localhost.localdomain [127.0.0.1])
by server1.empireevolved.com (Postfix) with ESMTPSA id 3FE4DE07AB
for <postmaster@nerdypole.co.uk>; Tue, 10 Mar 2015 04:52:42 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 10 Mar 2015 08:52:42 +0000
From: test@webdevguru.co.uk
To: postmaster@nerdypole.co.uk
Subject: MeowH
Message-ID: <b36dec205a2f126458d51e1189aed45e@webdevguru.co.uk>
X-Sender: test@webdevguru.co.uk
User-Agent: Roundcube Webmail
The incoming e-mail also seems to be getting DKIM-signed by my server, or I'm misunderstanding the headers. The same doesn't happen for incoming e-mails from non-spoofed domains. The remote server is iRedMail and is not set up to DKIM-sign the spoofed domain.
Return-Path: <7t3chguy@gmail.com>
Delivered-To: postmaster@webdevguru.co.uk
Received: from phoenix.webdevguru.co.uk (phoenix.webdevguru.co.uk [127.0.0.1])
by phoenix.webdevguru.co.uk (Postfix) with ESMTP id 09ADF61A1017
for <postmaster@webdevguru.co.uk>; Tue, 10 Mar 2015 09:09:11 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at phoenix.webdevguru.co.uk
Authentication-Results: phoenix.webdevguru.co.uk (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from phoenix.webdevguru.co.uk ([127.0.0.1])
by phoenix.webdevguru.co.uk (phoenix.webdevguru.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id OYh89UJtJN_1 for <postmaster@webdevguru.co.uk>;
Tue, 10 Mar 2015 09:09:10 +0000 (GMT)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com [74.125.82.182])
by phoenix.webdevguru.co.uk (Postfix) with ESMTPS id 2218161A0289
for <ploy@nerdypole.co.uk>; Tue, 10 Mar 2015 09:09:09 +0000 (GMT)
Received: by wesx3 with SMTP id x3so252899wes.4
for <ploy@nerdypole.co.uk>; Tue, 10 Mar 2015 02:09:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=+7JyDYRQuVxMtb8BYlDCuWhTnZmJpZbv1OfdnLFsXQQ=;
b=hgdz95ke5JYXik9t6aNV6C+MYWbGnh4+4PcV3P1o76XFd615/CTFjdCeJvZNSgs3cG
GBlHsaaGUxpcB2GsLV88AckHRou5vwvQFLePsgj+MOrgexIZqj7DVBo9Uqxtp4ZnsWxX
hkO2RPi02amw8aRxCl9xyRBgBcpn/CaogdJJ8jun6xGq3Ksu1YnbOJ2/a7ECEIShIqV5
AZYbEN7C5TEhptHFt+pLfor7VrEwECQXUR0eC7MFSk01oiiZRI4zMqFcGfXU1jDDrZrp
RZAAd4HhuUssqG1fVOgxPanjqqMFDwxKX8ao2iiUG9fPnTRR/VVJVwdWbBMfvJjhKkN9
IcbQ==
MIME-Version: 1.0
X-Received: by 10.194.19.10 with SMTP id a10mr67421483wje.153.1425978548811;
Tue, 10 Mar 2015 02:09:08 -0700 (PDT)
Received: by 10.27.48.206 with HTTP; Tue, 10 Mar 2015 02:09:08 -0700 (PDT)
Date: Tue, 10 Mar 2015 09:09:08 +0000
Message-ID: <CADSzNCY8PXWG6WGQsmN=8WiR7-bftfq4VWjnLoxRb_cavjzEDQ@mail.gmail.com>
Subject: Ehlo
From: Michael Telatynski <7t3chguy@gmail.com>
To: ploy@nerdypole.co.uk
Content-Type: multipart/alternative; boundary=047d7b5d4808dbfb7e0510eb80c7
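The check the post expects, written as an added example in the form of a Postfix smtpd_access_policy handler: reject an envelope sender in a locally hosted domain when the client is neither SASL-authenticated nor the server itself. This is not iRedAPD's or Postfix's code; LOCAL_DOMAINS, TRUSTED_CLIENTS and the sample request are assumptions constructed from the iRedAPD debug log above.

```python
# Added example, not iRedAPD's or Postfix's own code: a minimal Postfix
# smtpd_access_policy check that rejects an envelope sender in a locally
# hosted domain unless the client authenticated via SASL or is the server
# itself (amavisd re-injection on 127.0.0.1). Both sets below are assumptions.
LOCAL_DOMAINS = {"webdevguru.co.uk", "nerdypole.co.uk"}
TRUSTED_CLIENTS = {"127.0.0.1", "::1"}

def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs

def sender_domain(sender):
    """Domain part of an envelope sender, lowercased; '' for the null sender."""
    return sender.rpartition("@")[2].lower() if "@" in sender else ""

def check_spoofed_local_sender(attrs):
    """Return the policy action ('DUNNO' or 'REJECT ...') for one parsed request."""
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"  # evaluate once, at the RCPT stage
    domain = sender_domain(attrs.get("sender", ""))
    if domain not in LOCAL_DOMAINS:
        return "DUNNO"  # foreign sender domain: not this check's concern
    if attrs.get("sasl_username"):
        return "DUNNO"  # authenticated submission (login/sender mismatch is a separate check)
    if attrs.get("client_address") in TRUSTED_CLIENTS:
        return "DUNNO"  # content-filter re-injection from the server itself
    return "REJECT Sender %s claims local domain %s but client %s is not authenticated" % (
        attrs.get("sender"), domain, attrs.get("client_address"))

def policy_response(action):
    """Wire format Postfix expects back from a policy server."""
    return "action=%s\n\n" % action

# Constructed from the iRedAPD debug log in the post (RCPT stage, external client, no SASL).
SPOOFED_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "client_address=142.4.218.56\nclient_name=server1.empirevolved.com\n"
    "helo_name=server1.empireevolved.com\nsender=test@webdevguru.co.uk\n"
    "recipient=kkk@nerdypole.co.uk\nsasl_username=\n\n"
)

if __name__ == "__main__":
    print(policy_response(check_spoofed_local_sender(parse_policy_request(SPOOFED_REQUEST))))
```

Hooked in with check_policy_service in smtpd_recipient_restrictions, a handler like this would have answered the RCPT-stage request shown in the log with REJECT instead of DUNNO; the dkim=pass in the received headers comes from amavisd signing the message on re-injection ("just generated, assumed good"), not from the remote server.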