Dovecot Sieve allows spoofing through LMTP

Question

I have set up Postfix to block spoofing your email (you can only send emails as yourself):

smtpd_sender_restrictions =
        reject_authenticated_sender_login_mismatch

I have set up Sieve and ManageSieve on the server. My users can now configure their own Sieve scripts to redirect incoming e-mails to other external mail accounts. This has an unwanted side effect:

My users can now set up a redirect of all the mail to spam@victim.tld. To send spam mail from my server, they can set up their own mailserver. From their mailserver they can send spam mails to their account on my server. This mail is then redirected by Sieve with the FROM-address specified by their own spoof mailserver.

This means that my users can send mails from my server pretending to be anyone. This is why I want to make Sieve change the FROM address to the user's email, and put the original address in parentheses. Is this possible?

For now I have disabled the `copy` extension. – Friend of Kim Dec 25 '14 at 19:35 — Friend of Kim, Dec 25 '14 at 19:35

score 1 · Accepted Answer · edited Jun 11 '20 at 10:02

Actually, this sieve capabilities is similar function with email forwarding in MTA level. One exception is the copy parameter in sieve can keep email in user inbox while at the same time forward it to another email.

The forwarding email won't modify sender where the emails come from, it just modify the recipient envelope address. Usually the forwarding mechanism clashes with anti-spoofing mechanism like SPF. So, the redirect and copy method in sieve inherited same problem with forwarding.SPF documentation proposed the SRS for tackle this problem.

SRS or Sender Rewriting Scheme will rewrite sender address to your domain. Usually SRS was done in MTA level when delivering process. There is a thread in SF about implementing SRS in postfix.

How Big Providers handle email forwarding regarding this spoofing issue?

As security measure, if you setup forwarding address GMAIL will send email to verify the existence and prove that you are the owner of forwarding email address. Now, suppose that you have verified external@example.com as forwarding address of myuser@gmail.com. After verification success, GMAIL will forward email and alter the sender so it become something like myuser+caf_=external=example.com@gmail.com.

In Yahoo setup, you have to confirm forwarding address too like GMAIL. The difference is Yahoo won't attempt to rewrite sender as GMAIL. In other words, Yahoo is spoofing the sender domain like your scenario above.

Additional Note:

GMAIL suggest that you don't alter sender address when forwarding. Snippet from their support page Best practices for forwarding mail to Gmail

We recommend that you do not change the envelope sender when forwarding email to Gmail. Sometimes, when forwarding email, the envelope sender gets changed to your domain. When this happens, Gmail may learn that your domain is sending spam, and will treat other emails from this domain as spam as well.

Alternatively, changing the envelope sender is ok if you do one of the following:

Put "SPAM" in the subject

OR discard any spam emails and not forward them to Gmail at all.

Thank you for your answer :) Do you know of any tools to verify the address, or do I have to write something myself? — Friend of Kim, Dec 30 '14 at 13:05
Sorry, I don't know any tools for verification :). Both yahoo and gmail write their own script — masegaloeh, Dec 30 '14 at 13:17

Dovecot Sieve allows spoofing through LMTP

1 Answers1

How Big Providers handle email forwarding regarding this spoofing issue?