
structural description

  • Server A runs postfix and acts as smarthost for server B (also running postfix), reject_authenticated_sender_login_mismatch is set and works (almost) as expected, see below
  • Client C's MUA sends mails via Server A
  • B and C both connect via submission port and authenticate with STARTTLS

what happens when trying to forge sender

  • Setting an arbitrary FROM: header by changing the sender address in thunderbird or adding a new identity in roundcube leads to the expected result: the mail is declined
  • Doing the same using `mail -s "This is a Subject" -a "From: [email protected]"` on Server B using A as smarthost results in successfully sending the mail

observed differences

The following was observed by increasing the verbosity of postfix' smtpd

  • thunderbird and roundcube log in and then directly set the FROM: to an accepted value
  • Server B starts in the same way but somehow manages to change the FROM: header afterwards. This cannot be seen in postfix smtpd logfile but in the mail which is finally sent:

    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from mail.example.com 
    by mail.example.com (Dovecot) with LMTP id UuV2IVaP3lvdKAAAEby5rg
    for <[email protected]>; Sun, 04 Nov 2018 07:19:02 +0100
    To: [email protected]
    Subject: This is a Subject
    From: [email protected]
    MIME-Version: 1.0
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    Date: Sun,  4 Nov 2018 07:19:02 +0100 (CET)
    Authentication-Results: ORIGINATING;
        auth=pass [email protected] 
    [email protected]
    
    
    body of your email
    
  • At least it is not (as opposed to valid mails) DKIM signed
  • This is not spam, I just do not want that "everybody" is able to forge sender addresses

questions

  • Why does this happen?
  • More important: What can I do to prevent it happening?
herrhannes

1 Answer

This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.

When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.

Esa Jokinen
  • Thunderbird does not *always* use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another. – anx Nov 04 '18 at 09:48
  • Aaah. That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related. – herrhannes Nov 04 '18 at 09:48
  • This is not really a problem as the envelope sender is recorded to `Return-Path` and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts. – Esa Jokinen Nov 04 '18 at 09:56
  • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue. – herrhannes Nov 04 '18 at 10:44
  • As a footnote: << As of Postfix 2.1, this is an alias for "reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch". >> So Postfix admins now can handle unauthed users differently. – Philippe Chaintreuil Aug 18 '23 at 10:41
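
A delivery-side check for the envelope/header split described in the answer, as an added example that is not part of the original question or answers: it compares the envelope sender recorded in Return-Path with the From: header and notes whether a DKIM-Signature header is present. The function name, the `allowed` policy table, and every address in the sample are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the delivered mail in the question.
# All addresses are placeholders, not values from the page.
SAMPLE = """\
Return-Path: <root@serverb.example>
Delivered-To: alice@example.com
To: alice@example.com
Subject: This is a Subject
From: ceo@other.example
Message-Id: <20181104061902.0001@serverb.example>

body of your email
"""


def audit_sender(raw, allowed=None):
    """Compare the envelope sender (Return-Path) with the From: header.

    `allowed` is a hypothetical policy table mapping a lower-case envelope
    sender to extra From: addresses it may legitimately use (mailing lists,
    aliases). The envelope sender itself is always permitted.
    """
    msg = message_from_string(raw)
    # Return-Path is written by the final MTA from the SMTP MAIL FROM value.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # From: is message content; the sending program can set it freely.
    from_addrs = [addr.lower()
                  for _, addr in getaddresses(msg.get_all("From", []))
                  if addr]
    permitted = {envelope} | {a.lower() for a in (allowed or {}).get(envelope, ())}
    not_permitted = [a for a in from_addrs if a not in permitted]
    return {
        "envelope_sender": envelope,
        "header_from": from_addrs,
        # Zero or several From: addresses are reported as a mismatch too.
        "mismatch": bool(not_permitted) or len(from_addrs) != 1,
        "dkim_signed": msg.get("DKIM-Signature") is not None,
    }


if __name__ == "__main__":
    print(audit_sender(SAMPLE))
```

Run over delivered messages (for example from a mail filter or a mailbox audit), this surfaces the accounts whose envelope sender and From: header disagree, which is the same information the `Return-Path` comment above points to.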