We have the following in postfix's main.cf:
smtpd_recipient_restrictions= permit_sasl_authenticated, permit_mynetworks ...
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch ...
yet we just received the following spam:
To: support@mydomain.com
From: <support@mydomain.com>
Return-Path: <evil@spammers.ru>
and that eveil Return-Path address does NOT display in email clients, at least NOT in thunderbird.
After much checking around, I can replicate the SMTP conversation as the following:
telnet mydomain.com 25
...
Escape character is '^]'.
220 mydomain.com ESMTP Postfix
EHLO spammers.ru
...
MAIL FROM:<evil@spammers.ru>
250 2.1.0 Ok
RCPT TO:<support@mydomain.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
To: support@mydomain.com
From: <support@mydomain.com>
That is, even though we demand all email sent From our domain has to login as that account or from trusted network, that restriction only applies to the envelope MAIL FROM command. The spammer can just send from any outside domain, then still forge From address as from our domain in the email itself. And unfortunately email clients will display such email as From our trusted accounts.
How to deal with this?
There appears to be some similar questions, such as this and this but none of them provided an actual solution.
Also this page explained that, the MAIL FROM address, evil@spammers.ru, is discarded and displayed as Return-Path: in the email header. So at least one can demand the From: address has to match Return-Path: in the email header, but looks like people discourage this? And is this possible to do in postfix conf at all or has to do in procmail etc?
