
I have a mail server, Postfix for SMTP and Dovecot for IMAP, both requiring authentication. I just received an email from MY address, but coming from another SMTP server. And of course, in the message source, I can see the server from which it was sent, but not the user who did that, only its machine name "debian.world".

How can I protect myself against this? Because it basically means that the guy can send emails to anyone using my address, and I don't think random people will check the message source to see which SMTP server it comes from. Can I configure something on my server which will check the authenticity of a sender? Or should I write a whole script on my own?

One more question: how am I supposed to read this:

```
Return-Path: <myaddress@myserver.com>
Delivered-To: <myOTHERaddress@server.com>
Received: from my.imap.myserver.com
    by my.imap.myserver.com (Dovecot) with LMTP id aEG5JBhePlnSDgAAz5VDmw
    for <myOTHERaddress@server.com>; Mon, 12 Jun 2017 11:25:44 +0200
Received: from smtp25.services.sfr.fr (smtp25.services.sfr.fr [93.17.128.25])
    by my.smtp.myserver.com (Postfix) with ESMTPS id C693C3F0FE
    for <myOTHERaddress@server.com>; Mon, 12 Jun 2017 11:25:43 +0200 (CEST)
Received: from debian.world (45.159.2.109.rev.sfr.net [109.2.159.45])
    by msfrf2635.sfr.fr (SMTP Server) with ESMTP id 055631C00081D
    for <myOTHERaddress@server.com>; Mon, 12 Jun 2017 11:25:28 +0200 (CEST)
Received: from debian.world (45.159.2.109.rev.sfr.net [109.2.159.45])   (using TLSv1.2
    with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested)
    by msfrf2635.sfr.fr (SMTP Server) with ESMTPS   for <myOTHERaddress@server.com>;
    Mon, 12 Jun 2017 11:25:22 +0200 (CEST)
Message-ID: <953862.473459111-sendEmail@debian>
From: ME <myaddress@myserver.com>
To: "myOTHERaddress@server.com" <myOTHERaddress@server.com>
Subject: etc...
```

(I've received a mail from myaddress@server.com at my address myOTHERaddress@server.com, but he also sent me a mail from python@contact.fr, for example)

What does that mean? The email comes from smtp25.services.sfr.fr, but what is msfrf2635.sfr.fr? Why are there 3 SMTP servers involved? I'd like to understand this, please...

Thank you fellows.

PS: I changed some crucial information because I know the guy who did that, and I don't want him to have trouble with his servers. The msfrf2635.sfr.fr is unchanged though.

NdFeB
  • SPF, DKIM, DMARC. – Awn Jun 12 '17 at 13:43
  • Possible duplicate of [Somebody is spoofing my email to send spam messages, and I have no idea how to block](https://security.stackexchange.com/questions/112824/somebody-is-spoofing-my-email-to-send-spam-messages-and-i-have-no-idea-how-to-b), [How to Stop Email Spoofing](https://security.stackexchange.com/questions/73402/how-to-stop-email-spoofing), [How can I prevent email spoofing from my domain?](https://security.stackexchange.com/questions/154547/how-can-i-prevent-email-spoofing-from-my-domain) ... – Steffen Ullrich Jun 12 '17 at 13:49

2 Answers


To stop others from sending emails in your name you can use SPF. This is a DNS record that publishes all IP addresses that are allowed to send mail from that domain.

You can also use DKIM to sign a message with a private key; the public key is published in a DNS record, and the receiving server can verify with that key whether it was really you who sent it.

By implementing both SPF and DKIM you should be able to stop other people impersonating your email address.

To keep track of when mail delivery fails you can use DMARC. This can be configured as to what a mail server should do when the SPF or DKIM verification fails, and also what email address to send a report to.

Eelke

That's the way SMTP goes...

Presumably, msfrf2635.sfr.fr is a legitimate SMTP server from the French ISP SFR. And the owner of debian.world probably has a valid account at SFR. So IMHO here is what happened:

  • the other guy prepared a forged message containing fake headers (notably From, maybe others)
  • he connected to his ISP's SMTP server with his own account and submitted the forged message. The server only checks that the envelope from address (SMTP MAIL FROM: field) is valid and coherent with the account used, and that the envelope to addresses (SMTP RCPT TO: fields) are reachable. It then logs that and forwards the content of the message (including existing headers), only adding its own Received header and, optionally, missing required headers like Date.
  • your own server receives a message from a well-known SMTP server and accepts it

Any header in an SMTP message can be forged (even if it is not possible to forge them all at the same time). If you need secure authentication of the sender, you must use an encapsulation like S/MIME or PGP that can securely sign and/or encrypt a message.

Serge Ballesta
  • Well, when he puts "python@contact.fr" as the SMTP from field, it is not coherent with his user name (which I know and which is totally different; even the domain name does not match). How does an ISP server let such a spoofed mail pass through it? – NdFeB Jun 12 '17 at 13:48
  • @NdFeB: I'll give it a try and improve this answer tomorrow (can't test now...) – Serge Ballesta Jun 12 '17 at 14:17
  • @Serge Ballesta: I tested it. I spoofed an address from a private domain (one from my company, nothing illegal, I can do that) through my personal ISP SMTP server. It worked. Wtf, how is it so easy to spoof identities??? I could have said to my colleague he was fired in the name of our boss, and it would have appeared to be real (well, not for long for sure). I don't get it. – NdFeB Jun 12 '17 at 15:01
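Tying Eelke's SPF suggestion to the Received chain Serge walks through, here is an added Python example (not code from either answer) that takes the connecting IP from the Received header stamped by your own MX and evaluates it against an SPF record for the From domain. The record, the 203.0.113.10 outbound address and the evaluator limited to ip4/all mechanisms are assumptions: a real checker (e.g. a Postfix SPF policy daemon) also resolves include, a, mx and redirect via DNS.

```python
import ipaddress
import re

# Constructed sample built from the Received chain in the question. Our MX,
# my.smtp.myserver.com, stamped the first header; that IP is the trusted one.
HEADERS = """\
Received: from smtp25.services.sfr.fr (smtp25.services.sfr.fr [93.17.128.25])
    by my.smtp.myserver.com (Postfix) with ESMTPS id C693C3F0FE
    for <myOTHERaddress@server.com>; Mon, 12 Jun 2017 11:25:43 +0200 (CEST)
Received: from debian.world (45.159.2.109.rev.sfr.net [109.2.159.45])
    by msfrf2635.sfr.fr (SMTP Server) with ESMTP id 055631C00081D
    for <myOTHERaddress@server.com>; Mon, 12 Jun 2017 11:25:28 +0200 (CEST)
From: ME <myaddress@myserver.com>
"""
OUR_HOST = "my.smtp.myserver.com"
# Hypothetical SPF record for myserver.com: 203.0.113.10 stands in for the
# real outbound address of my.smtp.myserver.com; "-all" hard-fails the rest.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def unfold(headers):
    """Join RFC 5322 continuation lines so every header is a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def connecting_ip(headers, our_host):
    """Return the IP literal from the Received header our own MX added."""
    for line in unfold(headers).splitlines():
        if line.startswith("Received:") and f"by {our_host}" in line:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if m:
                return m.group(1)
    return None  # no Received header from our MX: trust none of the others

def spf_check(record, ip):
    """Evaluate an SPF record limited to ip4 and all mechanisms (no DNS)."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published for the domain
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: no mechanism matched
```

For the question's message, `spf_check(SPF_RECORD, connecting_ip(HEADERS, OUR_HOST))` yields "fail", which is the signal a DMARC policy of `p=reject` would act on at the receiving side.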