Forged FROM: header despite reject_authenticated_sender_login_mismatch

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












structural description



  • Server A runs postfix and acts as smarthost for server B (also running postfix), reject_authenticated_sender_login_mismatch is set and works (almost) as expected, see below

  • Client C's MUA sends mails via Server A

  • B and C both connect via submission port and authentificate with STARTTLS

what happens when trying to forge sender



  • Setting an arbitrary FROM: header by changing the sender address in thunderbird or adding a new identity in roundcube leads to the expected result: the mail is declined

  • doing the same using mail -s "This is a Subject" -a "From: forged_address@example.net" on Server B using A as Smarthost results in successfully sending the mail

observed differences



The following was observed by increasing the verbosity of postfix' smtpd



  • thunderbird and roundcube login and then directly set the FROM:to an accepted value


  • Server B starts in the same way but somehow manages to change the FROM: header afterwards. This cannot be seen in postfix smtpd logfile but in the mail which is finally sent:



    Return-Path: <valid_address@example.com>
    Delivered-To: herrhannes@example.com
    Received: from mail.example.com 
    by mail.example.com (Dovecot) with LMTP id UuV2IVaP3lvdKAAAEby5rg
    for <herrhannes@example.com>; Sun, 04 Nov 2018 07:19:02 +0100
    To: herrhannes@example.com
    Subject: This is a Subject
    From: forged_address@example.com
    MIME-Version: 1.0
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
    Message-Id: <20181104061902.15A9F4A9@debian.example.com>
    Date: Sun, 4 Nov 2018 07:19:02 +0100 (CET)
    Authentication-Results: ORIGINATING;
     auth=pass smtp.auth=valid_address@example.com 
    smtp.mailfrom=valid_address@example.com


    body of your email


    • at least it is not (as opposed to valid mails) DKIM signed

    • This is not spam, I just do not want that "everybody" is able to forge sender addresses


questions



  • Why does this happen?

  • More important: What can I do to prevent it happening?





postfix smarthost







share|improve this question







New contributor




herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    2
    down vote

    favorite












    structural description



    • Server A runs postfix and acts as smarthost for server B (also running postfix), reject_authenticated_sender_login_mismatch is set and works (almost) as expected, see below

    • Client C's MUA sends mails via Server A

    • B and C both connect via submission port and authentificate with STARTTLS

    what happens when trying to forge sender



    • Setting an arbitrary FROM: header by changing the sender address in thunderbird or adding a new identity in roundcube leads to the expected result: the mail is declined

    • doing the same using mail -s "This is a Subject" -a "From: forged_address@example.net" on Server B using A as Smarthost results in successfully sending the mail

    observed differences



    The following was observed by increasing the verbosity of postfix' smtpd



    • thunderbird and roundcube login and then directly set the FROM:to an accepted value


    • Server B starts in the same way but somehow manages to change the FROM: header afterwards. This cannot be seen in postfix smtpd logfile but in the mail which is finally sent:



      Return-Path: <valid_address@example.com>
      Delivered-To: herrhannes@example.com
      Received: from mail.example.com 
      by mail.example.com (Dovecot) with LMTP id UuV2IVaP3lvdKAAAEby5rg
      for <herrhannes@example.com>; Sun, 04 Nov 2018 07:19:02 +0100
      To: herrhannes@example.com
      Subject: This is a Subject
      From: forged_address@example.com
      MIME-Version: 1.0
      Content-Type: text/plain; charset="UTF-8"
      Content-Transfer-Encoding: 8bit
      Message-Id: <20181104061902.15A9F4A9@debian.example.com>
      Date: Sun, 4 Nov 2018 07:19:02 +0100 (CET)
      Authentication-Results: ORIGINATING;
       auth=pass smtp.auth=valid_address@example.com 
      smtp.mailfrom=valid_address@example.com


      body of your email


      • at least it is not (as opposed to valid mails) DKIM signed

      • This is not spam, I just do not want that "everybody" is able to forge sender addresses


    questions



    • Why does this happen?

    • More important: What can I do to prevent it happening?





    postfix smarthost







    share|improve this question







    New contributor




    herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      structural description



      • Server A runs postfix and acts as smarthost for server B (also running postfix), reject_authenticated_sender_login_mismatch is set and works (almost) as expected, see below

      • Client C's MUA sends mails via Server A

      • B and C both connect via submission port and authentificate with STARTTLS

      what happens when trying to forge sender



      • Setting an arbitrary FROM: header by changing the sender address in thunderbird or adding a new identity in roundcube leads to the expected result: the mail is declined

      • doing the same using mail -s "This is a Subject" -a "From: forged_address@example.net" on Server B using A as Smarthost results in successfully sending the mail

      observed differences



      The following was observed by increasing the verbosity of postfix' smtpd



      • thunderbird and roundcube login and then directly set the FROM:to an accepted value


      • Server B starts in the same way but somehow manages to change the FROM: header afterwards. This cannot be seen in postfix smtpd logfile but in the mail which is finally sent:



        Return-Path: <valid_address@example.com>
        Delivered-To: herrhannes@example.com
        Received: from mail.example.com 
        by mail.example.com (Dovecot) with LMTP id UuV2IVaP3lvdKAAAEby5rg
        for <herrhannes@example.com>; Sun, 04 Nov 2018 07:19:02 +0100
        To: herrhannes@example.com
        Subject: This is a Subject
        From: forged_address@example.com
        MIME-Version: 1.0
        Content-Type: text/plain; charset="UTF-8"
        Content-Transfer-Encoding: 8bit
        Message-Id: <20181104061902.15A9F4A9@debian.example.com>
        Date: Sun, 4 Nov 2018 07:19:02 +0100 (CET)
        Authentication-Results: ORIGINATING;
         auth=pass smtp.auth=valid_address@example.com 
        smtp.mailfrom=valid_address@example.com


        body of your email


        • at least it is not (as opposed to valid mails) DKIM signed

        • This is not spam, I just do not want that "everybody" is able to forge sender addresses


      questions



      • Why does this happen?

      • More important: What can I do to prevent it happening?





      postfix smarthost







      share|improve this question







      New contributor




      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      structural description



      • Server A runs postfix and acts as smarthost for server B (also running postfix), reject_authenticated_sender_login_mismatch is set and works (almost) as expected, see below

      • Client C's MUA sends mails via Server A

      • B and C both connect via submission port and authentificate with STARTTLS

      what happens when trying to forge sender



      • Setting an arbitrary FROM: header by changing the sender address in thunderbird or adding a new identity in roundcube leads to the expected result: the mail is declined

      • doing the same using mail -s "This is a Subject" -a "From: forged_address@example.net" on Server B using A as Smarthost results in successfully sending the mail

      observed differences



      The following was observed by increasing the verbosity of postfix' smtpd



      • thunderbird and roundcube login and then directly set the FROM:to an accepted value


      • Server B starts in the same way but somehow manages to change the FROM: header afterwards. This cannot be seen in postfix smtpd logfile but in the mail which is finally sent:



        Return-Path: <valid_address@example.com>
        Delivered-To: herrhannes@example.com
        Received: from mail.example.com 
        by mail.example.com (Dovecot) with LMTP id UuV2IVaP3lvdKAAAEby5rg
        for <herrhannes@example.com>; Sun, 04 Nov 2018 07:19:02 +0100
        To: herrhannes@example.com
        Subject: This is a Subject
        From: forged_address@example.com
        MIME-Version: 1.0
        Content-Type: text/plain; charset="UTF-8"
        Content-Transfer-Encoding: 8bit
        Message-Id: <20181104061902.15A9F4A9@debian.example.com>
        Date: Sun, 4 Nov 2018 07:19:02 +0100 (CET)
        Authentication-Results: ORIGINATING;
         auth=pass smtp.auth=valid_address@example.com 
        smtp.mailfrom=valid_address@example.com


        body of your email


        • at least it is not (as opposed to valid mails) DKIM signed

        • This is not spam, I just do not want that "everybody" is able to forge sender addresses


      questions



      • Why does this happen?

      • More important: What can I do to prevent it happening?





      postfix smarthost




      postfix smarthost






      share|improve this question







      New contributor




      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 5 hours ago









      herrhannes

      132




      132




      New contributor




      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      herrhannes is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.



          When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.






          share|improve this answer




















          • Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
            – anx
            3 hours ago










          • Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
            – herrhannes
            3 hours ago











          • This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
            – Esa Jokinen
            3 hours ago










          • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
            – herrhannes
            2 hours ago










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          herrhannes is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938548%2fforged-from-header-despite-reject-authenticated-sender-login-mismatch%23new-answer', 'question_page');

          );

          Post as a guest

















          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.



          When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.






          share|improve this answer




















          • Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
            – anx
            3 hours ago










          • Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
            – herrhannes
            3 hours ago











          • This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
            – Esa Jokinen
            3 hours ago










          • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
            – herrhannes
            2 hours ago














          up vote
          2
          down vote



          accepted










          This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.



          When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.






          share|improve this answer




















          • Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
            – anx
            3 hours ago










          • Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
            – herrhannes
            3 hours ago











          • This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
            – Esa Jokinen
            3 hours ago










          • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
            – herrhannes
            2 hours ago












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.



          When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.






          share|improve this answer












          This is expected behavior, as the SMTP envelope sender and From: header are separate things. The reject_sender_login_mismatch (and the version limited to authenticated users only) prevents using an address in SMTP MAIL FROM command unless it matches an SASL authenticated owner. It doesn't care what's inside the message – that's including its headers. That's how email was designed, and there are also many legitimate reasons for this mismatch.



          When using mail -a you modify the headers, alone. It's not changed afterwards, as you suggest. The only reason you can't do this with Thunderbird is that it uses the same address in both envelope and header. It's not limited by your server.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          Esa Jokinen

          21.6k23157




          21.6k23157











          • Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
            – anx
            3 hours ago










          • Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
            – herrhannes
            3 hours ago











          • This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
            – Esa Jokinen
            3 hours ago










          • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
            – herrhannes
            2 hours ago
















          • Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
            – anx
            3 hours ago










          • Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
            – herrhannes
            3 hours ago











          • This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
            – Esa Jokinen
            3 hours ago










          • Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
            – herrhannes
            2 hours ago















          Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
          – anx
          3 hours ago




          Thunderbird does not always use the same address in both envelope and header. Afaik mismatches are always caused by bugs, but since those have not been resolved for years, one should not depend on Thunderbird behaving one way or another.
          – anx
          3 hours ago












          Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
          – herrhannes
          3 hours ago





          Aaah.That explains it a lot. Although it is not what I would have wanted to hear. Thank you very much! I would have thought this was somehow related.
          – herrhannes
          3 hours ago













          This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
          – Esa Jokinen
          3 hours ago




          This is not really a problem as the envelope sender is recorded to Return-Path and to the logs. If you suspect someone using this feature illegitimately (e.g. you receive abuse reports), you can always suspend their accounts.
          – Esa Jokinen
          3 hours ago












          Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
          – herrhannes
          2 hours ago




          Yes that is correct. And abuse is really improbable, as it is my private mail server. It's just sort of a cosmetic issue.
          – herrhannes
          2 hours ago










          herrhannes is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          herrhannes is a new contributor. Be nice, and check out our Code of Conduct.












          herrhannes is a new contributor. Be nice, and check out our Code of Conduct.











          herrhannes is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938548%2fforged-from-header-despite-reject-authenticated-sender-login-mismatch%23new-answer', 'question_page');

          );

          Post as a guest
































































          Comments

          Post a Comment

          Popular posts from this blog

          What does second last employer means? [closed]

          Image
          Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote -3 down vote favorite Say, for example I have worked in the following companies, Company A => 2010 - 2011 Company B => 2011 - 2012 Company C => 2012 - Till Date Company D => Have offer Now assume Company D is asking to submit documents from my second last employer. So from the list of companies given, which company would be qualified as second last employer? software-industry employer share | improve this question asked Aug 10 '14 at 5:16 Rajaprabhu Aravindasamy 559 1 6 13 closed as off-topic by Jim G., jmort253 ♦ Aug 11 '14 at 1:58 This question appears to be off-topic. The users who voted to close gave this specific reason: "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address...
          Read more

          List of Gilmore Girls characters

          Image
          The season three cast—(Back row): Lane, Michel, Paris, Emily, Richard, Sookie, Miss Patty, Kirk; Front row: Jess, Luke, Lorelai, Rory, Dean This is a list of characters for the comedy-drama television series Gilmore Girls . Contents 1 Main characters 1.1 Lorelai Gilmore 1.2 Rory Gilmore 1.3 Sookie St. James 1.4 Lane Kim 1.5 Michel Gerard 1.6 Luke Danes 1.7 Emily Gilmore 1.8 Richard Gilmore 1.9 Paris Geller 1.10 Dean Forester 1.11 Jess Mariano 1.12 Kirk Gleason 1.13 Jason Stiles 1.14 Logan Huntzberger 2 Major recurring characters 2.1 Christopher Hayden 2.2 Jackson Belleville 2.3 Mrs. Kim 2.4 Tristin DuGray 2.5 Max Medina 2.6 Taylor Doose 2.7 Dave Rygalski 2.8 Marty 3 Recurring characters 3.1 Stars Hollow 3.2 Chilton 3.3 Yale 3.4 Other 4 Notable guest stars 5 Unseen characters 6 Notes 7 References Main characters Actor Character Appearances Season 1 Season 2 Season 3 Season 4 Season 5 Season 6 Season 7 A Year in the Life Lauren Graham Lorelai Gilmore...
          Read more

          Confectionery

          Image
          Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of ...
          Read more