1

Topic: Catch all enabled, have illegitimate people trying to use my domain

- iRedMail version: 1.0-beta2 MARIADB edition
- Deployed with downloadable installer
- Linux/BSD distribution name and version: debian10
- Store mail accounts in MySQL backend
- Web server: Nginx

Hi,

For a few days now, I have been receiving some 'mailer daemon' mails saying that a RANDOM illegitimate user from my domain has had a failed attempt to send an email to another host.

How can I prevent anyone from using my domain, please?

Illegitimate email sample; my domain is mydomain.tld:

Reporting-MTA: dns; smtp-3-9001.mail.infomaniak.ch
X-Postfix-Queue-ID: 8190610032076
X-Postfix-Sender: rfc822; champ.Zhor@mydomain.tld
Arrival-Date: Thu,  6 Feb 2020 09:47:08 +0100 (CET)

Final-Recipient: rfc822; tvixv189@ameliemelo.be
Original-Recipient: rfc822;tvixv189@ameliemelo.be
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "tvixv189@ameliemelo.be"
Return-Path: <champ.Zhor@mydomain.tld>
Received: from mydomain.tld (unknown [113.193.61.182])
    by smtp-3-9001.mail.infomaniak.ch (Postfix) with ESMTP id 8190610032076
    for <tvixv189@ameliemelo.be>; Thu,  6 Feb 2020 09:47:08 +0100 (CET)
Authentication-Results: mx.infomaniak.com; dmarc=none (p=none dis=none) header.from=mydomain.tld
Authentication-Results: mx.infomaniak.com; spf=fail smtp.mailfrom=champ.Zhor@mydomain.tld
From: Sasha DISQUES <frustrationsTanithDataGueule@mydomain.tld>
To: "Tvixv" <tvixv189@ameliemelo.be>
Subject: Livraison
MIME-Version: 1.0
List-Unsubscribe: <http://www.tagged.com/no_more.html?unsem=tvixv189%40ameliemelo.be&fid=183D7CFFA2989967&al=1fk-92uf0PpK.1sYjVw.cCiy0>
Sender: Champ Zhor <champ.Zhor@mydomain.tld>
Content-Type: multipart/mixed; boundary="--564f383fffcd73d863d7421070a5bcb08ffaae"
Date: Thu, 06 Feb 2020 10:24:42 +0200
X-Log-Id: 02254845184A323300912688
Message-ID: <10429=ea8e50cf-b7a1-4eb1-a059-7bdc74a11e79=2=611438@links.promoenexclu.eu>
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
X-Spam-Score: 0
X-Spam-Detail: 

2

Re: Catch all enabled, have illegitimate people trying to use my domain

You can't. This is not a mail from your domain; this is a forged mail which impersonates your domain. You can't prevent this entirely.

It seems you have neither SPF nor DMARC for your domain. This could stop it, but not every email provider checks for those.

3

Re: Catch all enabled, have illegitimate people trying to use my domain

@Cthulhu Thanks, that's what I thought.

I have SPF in my DNS, but DMARC seems a bit complicated at first glance.

4

Re: Catch all enabled, have illegitimate people trying to use my domain

I can't check it since you altered the domain part, but

Authentication-Results: mx.infomaniak.com; dmarc=none (p=none dis=none) header.from=mydomain.tld
Authentication-Results: mx.infomaniak.com; spf=fail smtp.mailfrom=champ.Zhor@mydomain.tld

it seems that both the SPF and DMARC lookups for your domain failed.

5 (edited by CrashXRU 2020-02-07 11:18:21)

Re: Catch all enabled, have illegitimate people trying to use my domain

If your DNS is internal, i.e. for local / corporate network users,

then you must specify the necessary entries with the hosting provider or domain registrar.

Do not forget to specify these records:

- a - hosting provider or domain registrar
- mx - hosting provider or domain registrar
- spf - hosting provider or domain registrar
- dmarc - hosting provider or domain registrar
- dkim - hosting provider or domain registrar

- ptr - internet provider

If you need to specify the same entries inside and out,
then this is split DNS.

In this case, these records are indicated on the internal DNS:
- a
- mx (only if it is a cluster)

Then check their availability, for example on mxtoolbox.com.

6

Re: Catch all enabled, have illegitimate people trying to use my domain

gilles.quenot wrote:

I have SPF in my DNS, but DMARC seems a bit complicated at first glance.

DMARC has 2 parts:

- on the sender server side, only a DNS record (_dmarc.<mail-domain-name>) is required. It explicitly tells the recipient server which email is sent by the server. SPF and/or DKIM DNS records are also required.
- on the recipient server side, a program used to verify the sender domain's DMARC record is required. This could be a standalone program like OpenDMARC, or a feature of some milter program like Amavisd.

In your case:

- Make sure you have correct SPF DNS record: FYI: https://docs.iredmail.org/setup.dns.html
- Make sure you have published a DKIM DNS record (same link above).
- Publish DMARC DNS record. A SAMPLE record:

v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; rua=mailto:user@domain.com; ruf=mailto:user@domain.com

Note: I use p=reject, adkim=s, aspf=s. Please read the RFC document and make sure you clearly understand what "reject" and "s" mean, and choose the best policy for your domain.
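As an added illustration (not from the original posts or the iRedMail project) of what the sample record above means on the recipient side, the following Python parses a DMARC TXT record and applies its alignment and policy tags to the authentication results shown in the bounce earlier in the thread. It uses a simplified two-label organizational domain rather than a public suffix list; mydomain.tld is the thread's placeholder domain.

```python
# Constructed inputs: the sample record from the post above.
DMARC_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; "
                "rua=mailto:user@domain.com; ruf=mailto:user@domain.com")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise on a malformed record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"bad tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    # RFC 7489 defaults: relaxed alignment, subdomain policy inherits p=
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels (no public suffix list)
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, policy_to_apply) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # sp= applies when From: is a subdomain of the organizational domain
    policy = tags["sp"] if header_from.lower() != org_domain(header_from) else tags["p"]
    return False, policy


# The bounce in this thread: header.from=mydomain.tld, spf=fail, no DKIM signature
print(evaluate(DMARC_RECORD, "mydomain.tld", "fail", "mydomain.tld", "none", ""))
```

With this record the forged message evaluates to (False, 'reject'); a genuine message passing SPF from the exact domain evaluates to (True, 'none'), while one passing SPF only from mail.mydomain.tld fails under aspf=s but would pass under the relaxed default.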

7 (edited by hifall 2020-02-10 11:59:06)

Re: Catch all enabled, have illegitimate people trying to use my domain

Implementing DMARC, DKIM, and SPF isn't as hard as some might think. Having a p=reject DMARC implementation will have spoofed emails rejected with most mailbox service providers.

You can have an initial implementation in 3 steps:
https://dmarcly.com/blog/how-to-set-up- … easy-steps

If you need a comprehensive guide, or a deep dive into DMARC, DKIM, and SPF:
https://dmarcly.com/blog/how-to-impleme … tive-guide