ispCP - Board - Support
Forward = Spoofing? - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: Usage (/forum-34.html)
+--- Thread: Forward = Spoofing? (/thread-4334.html)

Pages: 1 2

Forward = Spoofing? - HSorgYves - 09-23-2008 08:15 PM

When I receive a mail from abc@pt.lu for test@mydomain.com which forwards it to xyz@pt.lu; they reject it as spoofing!

Any idea how to bypass their protection?

Best Regards,
Yves

RE: Forward = Spoofing? - aseques - 09-23-2008 08:40 PM

They are using SPF with their domains, so they don't expect to receive mail for pt.lu from outside of their networks.
v=spf1 +ip4:194.154.192.0/25 ~all

Your mail probably gets lost cause it's send outside of their networks (specially if it's sent from a home DSL), also some spam points could be added for the route of the mail.

If it's blocked due to your IP+SPF the only solution you'd have would be to enable SRS, wich is difficult in postfix.

RE: Forward = Spoofing? - HSorgYves - 09-24-2008 04:28 PM

No, the error does not seem to come due to IP+SPF, but because they reject mail from: *@pt.lu which is not delivered through their mailserver.

BTW for mailinglists it is working fine. Maybe I could just add some header (which one?) to get it working!

Thanks for your help.
Yves

RE: Forward = Spoofing? - aseques - 09-24-2008 06:40 PM

HSorgYves Wrote:No, the error does not seem to come due to IP+SPF, but because they reject mail from: *@pt.lu which is not delivered through their mailserver.
Oh, I saw it now, "500 5.1.7 Spoofing denied", the server is not allowing mail from their domain originated externally, they are breaking forwarding functionallity.
One solution as I commented would be to use SRS (Sender Rewriting Schema), but altough it's almost the only solution, it doesn't have the approval of Wietse Venema from postfix.

HSorgYves Wrote:BTW for mailinglists it is working fine. Maybe I could just add some header (which one?) to get it working!
Could you post some extract of the headers of one of this mails? If the mailing list admin is sending it something like users@example.com there's no reason the sender should be blocked.

Cheers

RE: Forward = Spoofing? - HSorgYves - 09-24-2008 07:54 PM

Here is the RAW mail when sent through a mailinglist:
Code:
Return-Path: <mailing-bounces@glcr.lu>
Received: from mail.hosting-skills.org (castor.hosting-skills.org [195.24.76.190])
    by inmx1.pt.lu  with ESMTP id m8NANQDR010302;
    Tue, 23 Sep 2008 12:23:26 +0200
Received: from main.hosting-skills.org (localhost [127.0.0.1])
    by mail.hosting-skills.org (Postfix) with ESMTP id 31CAB2912C;
    Tue, 23 Sep 2008 12:23:26 +0200 (CEST)
X-Original-To: mailing@glcr.lu
Delivered-To: glcr.lu=mailing@localhost
X-policyd-weight: using cached result; rate: -1.5
Received: from smtpout1.pt.lu (mailsvr.pt.lu [194.154.192.108])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.hosting-skills.org (Postfix) with ESMTP id F2CD76A027
    for <mailing@glcr.lu>; Tue, 23 Sep 2008 12:23:17 +0200 (CEST)
Received: from EMACS-Kreis.lan (ip-83-99-43-189.dyn.luxdsl.pt.lu
    [83.99.43.189]) by smtpout1.pt.lu  with ESMTP id m8NAMTQa009788
    for <mailing@glcr.lu>; Tue, 23 Sep 2008 12:23:16 +0200
Message-Id: <7061C94A-0314-4746-B8BB-595B359E5158@pt.lu>
From: Georges Kreis <georges.kreis@pt.lu>
To: mailing@glcr.lu
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Tue, 23 Sep 2008 12:23:17 +0200
X-Mailer: Apple Mail (2.929.2)
Subject: [GLCR] Test
X-BeenThere: mailing@glcr.lu
X-Mailman-Version: 2.1.10
Precedence: list
List-Id: GLCR Announce List <mailing.glcr.lu>
List-Unsubscribe: <http://lists.hosting-skills.org/options/mailing@glcr.lu>,
    <mailto:mailing-request@glcr.lu?subject=unsubscribe>
List-Archive: <http://lists.hosting-skills.org/pipermail/mailing@glcr.lu>
List-Post: <mailto:mailing@glcr.lu>
List-Help: <mailto:mailing-request@glcr.lu?subject=help>
List-Subscribe: <http://lists.hosting-skills.org/listinfo/mailing@glcr.lu>,
    <mailto:mailing-request@glcr.lu?subject=subscribe>
Sender: mailing-bounces@glcr.lu
Errors-To: mailing-bounces@glcr.lu

Test

Why does this mail get accepted while the forward one does not?

RE: Forward = Spoofing? - aseques - 09-24-2008 08:31 PM

HSorgYves Wrote:Here is the RAW mail when sent through a mailinglist:
Code:
Return-Path: <mailing-bounces@glcr.lu>

Why does this mail get accepted while the forward one does not?

Usually the mailing list server sends the "mail from" command with it's own address "mailing-bounces@glcr.lu", or a something like "bugtraq-return-identifier@bugtrack.com"
In any case the mail comes from another domain (glcr.lu in this case), and it's send to the destinations within pt.lu, with just the headers that state the original sender of the mail, so you can see it fine from your mail reader, and receive, since the mail from states that is being sent from another domain.

Unless you create a new mail originating from you with an temporary address from your domain (that's what SRS is about) to keep track of that mail in case you receive a bounce, you won't be able to forward to pt.lu

Hope it helps

RE: Forward = Spoofing? - HSorgYves - 09-24-2008 09:25 PM

Both domains are on the same server and configured the same way. That is certainly not the difference!

So you think it comes from the fact that the list server sends another "mail from"? How can it afterwards set the "mail from" to the original one then?

Best Regards,
Yves

RE: Forward = Spoofing? - aseques - 09-25-2008 06:49 PM

HSorgYves Wrote:Both domains are on the same server and configured the same way. That is certainly not the difference!
Yup, no problem there

HSorgYves Wrote:So you think it comes from the fact that the list server sends another "mail from"? How can it afterwards set the "mail from" to the original one then?
If you receive a mail in your server from that mailing lis, and you look in the logs, you'll see the sender of the message that is using the mailing list server (basically search for the ESMTP id)

If you want to change that, it means that you have to rewrite the message headers as if the mail was generated from your domain, giving a real return path (in case the destination server needs to verify anything or giving a bounce), that's what the mailing lists are doing.

RE: Forward = Spoofing? - HSorgYves - 09-25-2008 08:09 PM

The log you are refering to should be:
Code:
Sep 23 12:23:26 castor postfix/smtpd[2188]: 31CAB2912C: client=localhost[127.0.0.1]
Sep 23 12:23:26 castor postfix/cleanup[2272]: 31CAB2912C: message-id=<7061C94A-0314-4746-B8BB-595B359E5158@pt.lu>
Sep 23 12:23:26 castor postfix/qmgr[18852]: 31CAB2912C: from=<mailing-bounces@glcr.lu>, size=1765, nrcpt=3 (queue active)
Sep 23 12:23:26 castor postfix/smtp[2306]: 31CAB2912C: to=<georges.kreis@pt.lu>, relay=inmx1.pt.lu[194.154.192.93]:25, delay=0.37, delays=0.11/0.18/0.02/0.06, dsn=2.0.0, status=sent (250 2.0.0 m8NANQDR010302 Message accepted for delivery)
Sep 23 12:23:31 castor postfix/qmgr[18852]: 31CAB2912C: removed
while the non working one is:
Code:
Sep 25 12:03:08 castor postfix/smtpd[13602]: 4D66668061: client=smtpout2.pt.lu[194.154.192.94]
Sep 25 12:03:08 castor postfix/cleanup[13613]: 4D66668061: message-id=<8B9B7F5C-4241-497F-AADB-DC26C2423327@pt.lu>
Sep 25 12:03:08 castor postfix/qmgr[24964]: 4D66668061: from=<georges.kreis@pt.lu>, size=915, nrcpt=1 (queue active)
Sep 25 12:03:08 castor postfix/smtp[13614]: 4D66668061: to=<geokreis@pt.lu>, orig_to=<test@hosting-skills.org>, relay=inmx1.pt.lu[194.154.192.93]:25, delay=8.7, delays=8.5/0.02/0.13/0.01, dsn=5.1.7, status=bounced (host inmx1.pt.lu[194.154.192.93] said: 500 5.1.7 Spoofing denied (in reply to MAIL FROM command))
Sep 25 12:03:08 castor postfix/bounce[13615]: 4D66668061: sender non-delivery notification: 85BBA68065
Sep 25 12:03:08 castor postfix/qmgr[24964]: 4D66668061: removed
The difference seems to be that the listserver sents the mail using from=<mailing-bounces@glcr.lu> while a forward will use the original from=<georges.kreis@pt.lu>.

Can I rewrite these headers on my side for forwards?

Best Regards,
Yves

RE: Forward = Spoofing? - aseques - 09-25-2008 08:22 PM

HSorgYves Wrote:Can I rewrite these headers on my side for forwards?
Unless you can apply SRS, or some other feature of postfix to rewrite headers, I don't think so.
You could go for exim, or silently discart all the mail you are forwarding to pt.lu (their policy is not to accept forwards, so shouldn't be your problem)