1 (edited by mharvester 2024-03-15 21:23:57)

Topic: Check "envelope from" for local domain on transmission

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2 via installer
- Linux/BSD distribution name and version: Debian 11.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? iRedAdmin-Pro 5.4.1 (LDAP)
====

How to reject messages with local domain in envelope`s "From" (mailfrom) which is received with external "From" (MFrom) in header?

Here is a message header:

Return-Path: <noreply2@enlioxn.com>
Delivered-To: novo@localdomain.com
Received: from mx.localdomain.com (localhost [127.0.0.1])
    by mx.localdomain.com (Postfix) with ESMTP id 4TvnJ81w1fz8tDS
    for <novo@localdomain.com>; Wed, 13 Mar 2024 11:45:48 +0200
X-Virus-Scanned: Debian amavisd-new at mx.localdomain.com
X-Spam-Flag: NO
X-Spam-Score: 3.343
X-Spam-Level: ***
X-Spam-Status: No, score=3.343 tagged_above=-100 required=7
    tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.1, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
    PDS_FRNOM_TODOM_NAKED_TO=0.001, PDS_FROM_NAME_TO_DOMAIN=0.996,
    TO_NO_BRKTS_HTML_ONLY=1.997, T_KAM_HTML_FONT_INVALID=0.01,
    T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
From: localdomain.com Admin HelpDesk <helpdesk@localdomain.com>
To: novo@localdomain.com
Subject: You Password Has Expired For localdomain.com
Date: 13 Mar 2024 09:45:28 +0000
Message-ID: <20240313064526.0C8C6A3E8515BA3F@localdomain.com>
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Here is a mail log:

Mar 13 09:45:28 mx postfix/smtpd[680445]: 4Tvgxh0bSPz8t0W: client=unknown[45.81.252.105]
Mar 13 09:45:28 mx postfix/cleanup[676181]: 4Tvgxh0bSPz8t0W: message-id=<20240313064526.0C8C6A3E8515BA3F@localdomain.com>
Mar 13 09:45:28 mx postfix/qmgr[2547]: 4Tvgxh0bSPz8t0W: from=<noreply2@enlioxn.com>, size=4888, nrcpt=2 (queue active)
Mar 13 09:45:28 mx postfix/smtpd[680445]: disconnect from unknown[45.81.252.105] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 13 09:45:28 mx postfix/10025/smtpd[676178]: connect from localhost[127.0.0.1]
Mar 13 09:45:28 mx postfix/10025/smtpd[676178]: 4Tvgxh2gqFz8t1t: client=localhost[127.0.0.1]
Mar 13 09:45:28 mx postfix/cleanup[675947]: 4Tvgxh2gqFz8t1t: message-id=<20240313064526.0C8C6A3E8515BA3F@localdomain.com>
Mar 13 09:45:28 mx postfix/10025/smtpd[676178]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 13 09:45:28 mx postfix/qmgr[2547]: 4Tvgxh2gqFz8t1t: from=<noreply2@enlioxn.com>, size=5398, nrcpt=1 (queue active)
Mar 13 09:45:28 mx amavis[680284]: (680284-16) Passed CLEAN {RelayedInbound}, [45.81.252.105]:43351 [45.81.252.105] ESMTP/ESMTP <noreply2@enlioxn.com> -> <novo@localdomain.com>, (ESMTP://[45.81.252.105]:43351), Queue-ID: 4Tvgxh0bSPz8t0W, Message-ID: <20240313064526.0C8C6A3E8515BA3F@localdomain.com>, mail_id: FPxiIhPik7Dp, b: g7FS0tF17, Hits: 3.343, size: 4697, queued_as: 4Tvgxh2gqFz8t1t, Subject: "You Password Has Expired For @localdomain.com", From: <helpdesk@localdomain.com>, helo=mail0.enlioxn.com, Tests: [HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,NO_RECEIVED=-0.001,NO_RELAYS=-0.001,PDS_FRNOM_TODOM_NAKED_TO=0.001,PDS_FROM_NAME_TO_DOMAIN=0.996,TO_NO_BRKTS_HTML_ONLY=1.997,T_KAM_HTML_FONT_INVALID=0.01,T_SCC_BODY_TEXT_LINE=-0.01,URIBL_BLOCKED=0.001], autolearn=no autolearn_force=no, autolearnscore=3.344, 268 ms
Mar 13 09:45:28 mx postfix/amavis/smtp[682599]: 4Tvgxh0bSPz8t0W: to=<novo@localdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.48, delays=0.21/0/0/0.27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Tvgxh2gqFz8t1t)
Mar 13 09:45:28 mx postfix/pipe[678781]: 4Tvgxh2gqFz8t1t: to=<novo@localdomain.com>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 09:45:28 mx postfix/qmgr[2547]: 4Tvgxh2gqFz8t1t: removed

Local domain`s SPF:

v=spf1 mx -all

Looks like spf checking done not for "envelope`s from" (mailfrom) email, but for Return-Path (mfrom)?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Check "envelope from" for local domain on transmission

We need a milter program to get email headers and check the address.