1

Topic: Spoofing with Outlook, Thunderbird, etc

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 16
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi!
I can send spoofed email:
1. Via Roundcube
1.1. Log in to Roundcube
1.2. Change FROM address (owner@mydomain.com to spoof@mydomain.com)
1.3. Write email
1.4. When sending the email, I get an error - spoof@mydomain not owned by owner@mydomain.com

2. I configured Outlook (or Thunderbird) - email owner@mydomain.com
2.1 Just change FROM in Outlook to spoof@mydomain.com
2.2 Send email with FROM HEADER = spoof@mydomain.com without errors.....


In the mail header I can see Authenticated Sender: real-email@mydomain. I tried to solve this with /etc/postfix/header_checks:
/^From:/        IGNORE
/.*\(Authenticated sender:(.*@mydomain.com)/   PREPEND From:$1

But sometimes this works wrongly and I have many bad addresses in the FROM header.

How do I solve this problem? This is very important.

----


2

Re: Spoofing with Outlook, Thunderbird, etc

iRedAPD is a Postfix policy server. It doesn't get mail headers or body, so it doesn't know the "From:" address in the mail message. It relies on the data passed by Postfix.
FYI: http://www.postfix.org/SMTPD_POLICY_README.html

You need some Postfix milter program to get mail header and check this for you.
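
The difference described in the reply above, as an added example that is not part of the original posts and is not iRedAPD's code: a policy request in the name=value format from SMTPD_POLICY_README carries the envelope sender and SASL login but no "From:" header, so only a check with header access can catch the mismatch. The request, the message and the function names are constructed for illustration, and the envelope sender staying at owner@mydomain.com is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy delegation request (attributes Postfix passes to a policy server).
POLICY_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
sender=owner@mydomain.com
recipient=someone@example.net
sasl_username=owner@mydomain.com

"""

# Constructed message as submitted by the mail client (From: header changed).
MESSAGE = """From: Spoof <spoof@mydomain.com>
To: someone@example.net
Subject: test

body
"""

def parse_policy_request(text):
    """Parse name=value lines up to the empty line that ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def policy_decision(attrs):
    """All a policy server can compare: envelope sender vs. SASL login."""
    sasl = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "").lower()
    if sasl and sender != sasl:
        return "REJECT sender not owned by " + sasl
    return "DUNNO"

def header_from_matches(message_text, sasl_username):
    """Needs the message headers (milter territory): From: vs. SASL login."""
    froms = message_from_string(message_text).get_all("From", [])
    if len(froms) != 1:  # missing or duplicated From: header is never a match
        return False
    return parseaddr(froms[0])[1].lower() == sasl_username.lower()

if __name__ == "__main__":
    attrs = parse_policy_request(POLICY_REQUEST)
    print("policy server:", policy_decision(attrs))
    print("header check :", header_from_matches(MESSAGE, attrs["sasl_username"]))
```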