mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal
13.82k stars 1.42k forks

Reject incoming mail that does not pass SPF #698

Open Firenzzz opened 8 years ago

Firenzzz commented 8 years ago

First, I want to say that I've sanitized the logs and raw messages where applicable, so the empty 'receiver' and dmarc lines and other anomalies are my... interference. I also want to point out that I've looked through both open and closed issues to check that I'm not replicating something already reported, but I didn't find anything, so I'm sorry if there really is one. I found out by accident that miab doesn't check SPF: I was checking, for my friend's work mail, which providers will accept a mail from a spoofer and which won't, and my box did. He has a softfail, but I didn't see any warning or any flag regarding this softfail in the logs or the raw message (postfix/spamassassin/dmarc, nothing), so I pursued the issue and found out that when I sent a mail from a mailer to me, as me, it landed directly in my inbox despite a hardfail being set in DNS.

Return-Path: <test@mydomain.me>
Delivered-To: <test@mydomain.me>
Received: from mail.mydomain.me ([127.0.0.1])
    by mailinabox (Dovecot) with LMTP id IjdhDmpeslZfHAAAN/P6gQ
    for <test@mydomain.me>; Wed, 03 Feb 2016 21:09:14 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mailinabox
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS autolearn=ham
    autolearn_force=no version=3.4.0
X-Greylist: delayed 384 seconds by postgrey-1.35 at mailinabox; Wed,
    03 Feb 2016 21:09:13 CET
Authentication-Results: mailinabox; dmarc=fail header.from=mydomain.me

It's worth noting that the lack of postfix's SPF checker renders spamassassin's flagging impaired, because without it spamassassin in my case only adds SPF_HELO_PASS and that's all regarding SPF. I followed https://help.ubuntu.com/community/Postfix/SPF and after some tests and looking through the logs I have legitimate grounds to say it saves the galaxy. I picked the python variant, btw. As an example, mails from github are now mentioned in the logs by postfix's SPF policy:

Feb 4 02:20:50 mailinabox policyd-spf[1798]: Pass; identity=mailfrom; client-ip=192.30.252.194; helo=github-smtp2b-ext-cp1-prd.iad.github.net; envelope-from=noreply@github.com; receiver=

and in raw message

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mailinabox
X-Spam-Level: 
X-Spam-Status: No, score=-5.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_PASS
    autolearn=ham autolearn_force=no version=3.4.0
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.30.252.194; helo=github-smtp2b-ext-cp1-prd.iad.github.net; envelope-from=noreply@github.com; receiver= 
Authentication-Results: mailinabox; dmarc=none header.from=github.com 

whereas messages with a softfail are appropriately marked in the logs

Feb  3 21:20:29 mailinabox policyd-spf[9091]: Softfail; identity=mailfrom; client-ip=46.***.**.72; helo=mail.spoofer; envelope-from=test@domainiwastestingintheverybeginning.kp; receiver=

X-Spam-Status: No, score=1.0 required=5.0 tests=BODY_SINGLE_WORD,SPF_HELO_PASS,
    SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.0
Received-SPF: Softfail (domain owner discourages use of this host) identity=mailfrom; client-ip=46.***.**.72; helo=mail.spoofer; envelope-from=test@domainiwastestingintheverybeginning.kp; receiver= 
Authentication-Results: mailinabox; dmarc=none header.from=domainiwastestingintheverybeginning.kp

and mails which failed hard

Feb 3 21:15:49 mailinabox postfix/smtpd[8646]: NOQUEUE: reject: RCPT from mail.spoofer[46.***.**.72]: 550 5.7.1 <me@mydomain.me>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=test@mydomain.me;ip=46.***.**.72;r=me@mydomain.me; from=<test@mydomain.me> to=<me@mydomain.me> proto=ESMTP helo=<mail.spoofer>

and there are no mails in the inbox because, as the log says, they're dismissed upon arrival.

Steps to reproduce: just find a mail spoofer, like the one at https://emkei.cz/, and send a mail as yourself to your miab-hosted address while having a hardfail on your SPF records (or use a domain with similar settings), and optionally wait for postgrey.

Steps to fix: as described in the ubuntu help link mentioned above (assuming miab is supposed to use postfix for that) - https://help.ubuntu.com/community/Postfix/SPF - assuming the python way:

apt-get install postfix-policyd-spf-python

edit /etc/postfix/main.cf so it contains a line with

policy-spf_time_limit = 3600s

add a section to /etc/postfix/master.cf

policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf

edit smtpd_recipient_restrictions in main.cf (again) so it contains

check_policy_service unix:private/policy-spf

as root or sudo'ed, reload postfix

service postfix reload

then look at spoofed and legit raw mails and tail your logs.
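
Added example (not Mail-in-a-Box's code and not the Ubuntu how-to's): a Python script that applies the main.cf and master.cf edits from the steps above as checked text edits on constructed sample files, so it runs offline, and then verifies the result, including the ordering the how-to relies on (the policy service right after reject_unauth_destination). The service name policy-spf, the path /usr/bin/policyd-spf and the 3600s time limit come from the steps above; the sample restriction list, and the inet:127.0.0.1:10023 entry standing in for an existing postgrey check, are assumptions and not Mail-in-a-Box's real configuration. On a live server use postconf -e and service postfix reload rather than rewriting the file by hand.

```python
"""Wire postfix-policyd-spf-python into Postfix (added example, not MIAB code).

Mirrors the end state of https://help.ubuntu.com/community/Postfix/SPF as a
checked text edit on constructed sample files, so it runs offline.
"""
import re

# Values from the how-to.  "policy-spf" must match in both files: Postfix
# derives the <service>_time_limit parameter name from the master.cf name.
POLICY_SERVICE = "check_policy_service unix:private/policy-spf"
TIME_LIMIT_KEY = "policy-spf_time_limit"
MASTER_STANZA = (
    "policy-spf  unix  -       n       n       -       -       spawn\n"
    "  user=nobody argv=/usr/bin/policyd-spf\n"
)
# Restrictions that consume the following token as a table/service argument.
ARG_PREFIXES = ("check_", "reject_rbl_client", "reject_rhsbl_")


def parse_main_cf(text):
    """Parse main.cf into {param: value}.  A line starting with whitespace
    continues the previous logical line; '#' in column one is a comment."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % line)
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a comma/whitespace separated restriction list into items,
    keeping each argument attached to the restriction that takes it."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i].startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            items.append(tokens[i] + " " + tokens[i + 1]); i += 2
        else:
            items.append(tokens[i]); i += 1
    return items


def set_param(text, key, value):
    """Replace the logical line for `key` (continuations included) or append
    it, leaving comments and other parameters alone, as postconf -e does."""
    pattern = re.compile(r"^" + re.escape(key) + r"[ \t]*=.*(?:\n[ \t]+.*)*", re.M)
    line = "%s = %s" % (key, value)
    if pattern.search(text):
        return pattern.sub(lambda m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def add_spf_policy(main_cf, master_cf):
    """Return (main_cf, master_cf) with the policy service wired in.  It goes
    right after reject_unauth_destination, as in the how-to, so relay attempts
    are refused before any SPF DNS lookup is spent on them.  Idempotent."""
    items = restriction_list(parse_main_cf(main_cf).get("smtpd_recipient_restrictions", ""))
    if POLICY_SERVICE not in items:
        if "reject_unauth_destination" not in items:
            raise ValueError("no reject_unauth_destination in smtpd_recipient_restrictions; edit by hand")
        items.insert(items.index("reject_unauth_destination") + 1, POLICY_SERVICE)
    main_cf = set_param(main_cf, "smtpd_recipient_restrictions", ",\n    ".join(items))
    main_cf = set_param(main_cf, TIME_LIMIT_KEY, "3600s")
    if not re.search(r"^policy-spf\s", master_cf, re.M):
        master_cf = master_cf.rstrip("\n") + "\n" + MASTER_STANZA
    return main_cf, master_cf


def check_spf_wiring(main_cf, master_cf):
    """Return a list of problems; an empty list means the wiring is complete."""
    problems = []
    params = parse_main_cf(main_cf)
    items = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    if POLICY_SERVICE not in items:
        problems.append("policy service missing from smtpd_recipient_restrictions")
    else:
        before = items[:items.index(POLICY_SERVICE)]
        if "reject_unauth_destination" not in before:
            problems.append("policy service runs before reject_unauth_destination")
        if "permit" in before:
            problems.append("an unconditional 'permit' precedes the policy service, so it never runs")
    if params.get(TIME_LIMIT_KEY) != "3600s":
        problems.append("%s is not 3600s" % TIME_LIMIT_KEY)
    if not re.search(r"^policy-spf\s+unix\b.*\n[ \t]+user=nobody argv=/usr/bin/policyd-spf", master_cf, re.M):
        problems.append("policy-spf spawn service missing from master.cf")
    return problems


# Constructed sample configs (not Mail-in-a-Box's real files); the inet policy
# service stands in for an already-present postgrey check.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
myhostname = mailinabox
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023
"""
SAMPLE_MASTER_CF = """\
# constructed sample master.cf
smtp      inet  n       -       -       -       -       smtpd
"""

if __name__ == "__main__":
    print("before:", check_spf_wiring(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF))
    new_main, new_master = add_spf_policy(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF)
    print("after:", check_spf_wiring(new_main, new_master))
    print(new_main + new_master)
```

Run it as a script to see the problem list before and after, followed by the rewritten files. Two points a practitioner will want alongside the steps above: the time-limit parameter name is derived from the master.cf service name, so the policy-spf name has to agree in both files, and once hard fails are rejected at RCPT time, mail forwarded by a third party that does not rewrite the envelope sender (SRS) will fail SPF on the forwarder's IP and be refused, which is the trade-off of rejecting rather than merely scoring.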

yodax commented 8 years ago

Thanks @Firenzzz I have converted this into a PR: https://github.com/mail-in-a-box/mailinabox/pull/760