[Rspamd-Users] Fwd: Prevent sender address spoofing envelope/header FROM

G.W. Haywood rspamd at jubileegroup.co.uk
Fri Feb 9 18:14:55 UTC 2024


Hi there,

On Fri, 9 Feb 2024, Taco de Wolff wrote:

> I see your point in that the contact form is filled out by a customer and
> is thus the appropriate header from address. The envelope from address is
> the mail server, or the noreply at domain.com I created for this, since that
> is where the mail is first sent from (the customer did not send a mail to
> the website I could forward, it fills out a form which creates an email).

Sure, that's what I'd thought you described.

> SPF checks out because the mail server's IP is allowed to send for the
> given envelope from domain.

ACK.

> DKIM checks out since it is signed using the key for the envelope
> from domain and not altered on the way (if all is well).

NAK.

DKIM does not use the envelope from address.  It calculates two
hashes, one on selected message headers and the other on the body.
The header fields selected MUST include the 'From' field.  Those
hashes are then used to create the signature, which just contains
these hashes and the signing parameters in encrypted form.

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Overview
https://datatracker.ietf.org/doc/html/rfc5585#section-4.2

> DMARC will not check out since the header from address does not
> align with either SPF or DKIM.
> 
> I don't see how I can make DMARC pass other than altering the header from
> address. Does the sender address field help in passing DMARC? What am I
> missing?

No, the 'Sender' field isn't used in alignment tests.  And altering
things like the 'From' field is precisely what DKIM intends to detect!

If you control the envelope from, could you not set it to be the same
domain as is in the user's 'From' field?  Presumably the SPF records
for those domains already permit your server to send their mail, so
that SPF checks would still pass?  If not then you'll need a couple of
hundred new SPF records as well...

Maybe these will help:

https://en.wikipedia.org/wiki/DMARC#Alignment
https://superuser.com/questions/1427382/how-is-connected-envelop-from-and-mail-from-mail-header

-- 

73,
Ged.
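
The alignment tests discussed in this thread, as an added example that is not part of the original message or of Rspamd. The domains are constructed, the function names are hypothetical, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup:

```python
"""Added example: DMARC identifier alignment for the contact-form case."""
from email.utils import parseaddr


def domain_of(address):
    """Lowercased domain of an envelope address or a From header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")


def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, strict=False):
    """Strict: identical domains. Relaxed: same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(header_from, envelope_from, spf_pass, dkim_pass_domains,
                 aspf_strict=False, adkim_strict=False):
    """Pass needs SPF or DKIM to pass AND align with the header From domain."""
    hf = domain_of(header_from)
    spf_ok = spf_pass and aligned(hf, domain_of(envelope_from), aspf_strict)
    dkim_ok = any(aligned(hf, d.lower(), adkim_strict)
                  for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed sample messages (all domains are placeholders).
# Contact form: the customer's address in the header From, the site's own
# domain in the envelope from and in the DKIM d= tag.
CONTACT_FORM = dict(header_from="Customer <customer@customer.example>",
                    envelope_from="noreply@shop.example",
                    spf_pass=True, dkim_pass_domains=["shop.example"])
# Same message with the site's own address in the header From.
OWN_DOMAIN = dict(CONTACT_FORM, header_from="Web form <noreply@shop.example>")

if __name__ == "__main__":
    for name, msg in (("contact form", CONTACT_FORM), ("own domain", OWN_DOMAIN)):
        print(name, dmarc_result(**msg))
```
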


