[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc
Dominic Raferd
dominic at timedicer.co.uk
Wed Mar 15 06:40:09 PDT 2017
On 15 March 2017 at 12:19, Juri Haberland <juri at sapienti-sat.org> wrote:
> On 2017-03-15 11:55, Dominic Raferd wrote:
>
> The real question is, why was the From: domain 'localhost'?
>
>> Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none (p=none
>> dis=none) header.from=localhost
>
>
>> 2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost
>> none
>
>
> even though:
>
>> From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>
>
>
> Did some software (spam filter, some other milter, the MUA) change the From:
> field? Maybe because it was originally something like "From: AppleID <root>"
> or "From: AppleID <root at localhost>"?
>
Thanks Juri. I suspect that you are right and that the original mail
had 'From: AppleID <root at localhost>'.

My postfix settings are 'append_at_myorigin = yes', canonical_maps
'root at localhost root', 'local_header_rewrite_clients = [default]' and
I use amavis re-injection. What I think has been happening is that
*after* opendmarc processes the mail (looking at the 'localhost'
domain), the mail passes through amavis and upon reinjection into
postfix it was being interpreted as a local mail and so the source
mail address was being rewritten: root at localhost -> root ->
root at ourdomain1.co.uk (because of canonical_maps and then because of
append_at_myorigin=yes). If so, this should now be stopped because I
have added the parameter '-o local_header_rewrite_clients= [blank]' to
the master.cf entry for the re-injected amavis emails.

Can someone suggest a way (using postfix as MTA) to block incoming
external emails that purport to be from localhost domain i.e. have
internal header 'From: *@localhost'? (Sorry I realise this is not
really an opendmarc question)
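
The symptom discussed in this message, a delivered From: domain that differs from the header.from domain OpenDMARC recorded, can be checked for mechanically. The following is an added example, not part of the original post: the function names are hypothetical and the sample message is constructed from the headers quoted above, with the archive's " at " written as "@".

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: headers modelled on those quoted in the post, as the
# message looked after re-injection had rewritten the From: address.
SAMPLE = """\
Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none (p=none
 dis=none) header.from=localhost
From: =?utf-8?Q?AppleID?= <root@ourdomain1.co.uk>
Subject: constructed sample

body
"""

# Captures the DMARC result and the domain the DMARC filter evaluated.
HEADER_FROM = re.compile(r"\bdmarc=(\w+)\b.*?\bheader\.from=([^\s;]+)", re.S)


def from_domain(msg):
    """Domain of the From: header as delivered (lower-cased, '' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dmarc_mismatches(raw):
    """Return (result, evaluated_domain, delivered_domain) for each
    Authentication-Results header whose header.from differs from From:."""
    msg = email.message_from_string(raw, policy=policy.default)
    delivered = from_domain(msg)
    found = []
    for value in msg.get_all("Authentication-Results", []):
        m = HEADER_FROM.search(str(value))
        if m and m.group(2).lower().rstrip(".") != delivered:
            found.append((m.group(1), m.group(2).lower(), delivered))
    return found


if __name__ == "__main__":
    for result, evaluated, delivered in dmarc_mismatches(SAMPLE):
        print(f"dmarc={result} was computed for {evaluated!r}, "
              f"but From: now shows {delivered!r}")
```

A non-empty result means the From: header was rewritten after the DMARC milter ran, so the recorded verdict does not apply to the domain the recipient sees.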