0

So I have a small Linux webserver, it is running the Direct Admin control panel and everything is working fine. For each domain, SPF and DKIM records are present in the DNS and mail is (as far as I know) never flagged as spam, perfect.

Now I have a friend who wants to spoof his emails from his website. It is a small 'share this page' widget where people enter a to and a from email and they get sent.

The problem I am facing is that the mails in Gmail are delivered with the text someuser@gmail.com via my.server.fqdn. The fact that Gmail shows the via is not a problem per se, I understand this is to prevent spoofing and unfortunately this is apparently needed to keep the internet 'safe'. But can I change the server listed in the via to my friend's domain name?

Can I change Gmail's someuser@gmail.com via my.server.fqdn to someuser@gmail.com via domain-on-same-server.com? (I'd like to change this for this domain only, and obviously not alter my exim configuration to change the server names etc.)

TLDR;

In the screenshot below from Google support, I want to rewrite example.com to be mydomain.com.


Neograph734
  • Take a look at this article, I think based on what you're doing, you're going to have this issue: [Contact Form Nightmare](https://www.unlocktheinbox.com/resources/dmarccontactus/). – Henry Jun 25 '16 at 20:06
  • @henry, thanks for sharing. This is what we are currently doing, but we prefer not for people to see a (real) site admin address, and we also do not want to use a no-reply address since you can reply thanks to the reply-to header. We are just looking for prettier options. – Neograph734 Jun 26 '16 at 08:41

2 Answers

0

In short - you can't.

The other server always knows the IP address of the host connected to it. Then it performs a domain lookup to learn the hostname of that IP address. While there can be multiple A DNS records, the PTR record is single, and you can't spoof it for some specific server over the net.

The only way to remove mentions of the via-server is to configure the receiving server not to mention it.

Kondybas
  • Not really what I was hoping for, but I somehow already expected it might not be possible. I'll try to solve this by creating email forwarders for the users so they can mail from the 'correct' domain. Thanks for the answer. – Neograph734 Jun 25 '16 at 09:45
  • So you'll get those forwarders in the via-headers instead of the domain you want. – Kondybas Jun 25 '16 at 10:08
  • That domain of the forwarder is present in the SPF record and resolves to the current server. So I would not be getting any via-header, right? – Neograph734 Jun 25 '16 at 10:12
  • How can they be resolved to the current server? The receiving server sees an IP address and looks for the `PTR` record, which always points to one and only one domain: `111.222.333.444 --> some.domain.tld`. Lookups for forwarders will return their domains and there is no way to get `friend.tld` without his IP address. – Kondybas Jun 25 '16 at 10:20
  • The current situation is that `From: bob@gmail.com` checks with gmail and does not see my ip as allowed sender in the `SPF` record. As a result of that, the [`via` is shown next to the sender's address](https://support.google.com/mail/answer/1311182?hl=en) (just to be sure, I am not talking about mail headers). So if I host a website `friend.tld` and create a forwarder for `bob-gmail@friend.tld` and use that as the `from` header. It will see `friend.tld` as the sending domain, it passes the `SPF` check, and then the local mailserver will forward the mail to bob's gmail. Right? – Neograph734 Jun 25 '16 at 10:30
  • Nope. The only way to get `from friend.tld` instead of `via my.server.tld` is to submit the message from the host whose IP has a `PTR` record with the `friend.tld` domain. All the other approaches will end up with `via`. – Kondybas Jun 25 '16 at 10:53
0

It appears that Google simply displays the domain found in the Return-Path and uses that.

This DirectAdmin help page explained that Exim, by default, sets the return path to user@server.hostname.com when the mail is sent from a script.

The solution is to change exim.conf to include the following snippet:

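```
# Let untrusted local users (e.g. the script's user) supply the envelope sender
untrusted_set_sender = *
# Skip the From: header check on locally submitted mail; no Sender: header is added
no_local_from_check
```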

This makes sure Exim takes the Return Path the user defined in the mail headers.

More specifically, the Exim documentation explains:

> When a message is submitted locally (that is, not over a TCP/IP connection) by an untrusted user, Exim removes any existing Sender: header line, and checks that the From: header line matches the login of the calling user and the domain specified by qualify_domain.
>
> Note: An unqualified address (no domain) in the From: header in a locally submitted message is automatically qualified by Exim, unless the -bnq command line option is used.
>
> You can use local_from_prefix and local_from_suffix to permit affixes on the local part. If the From: header line does not match, Exim adds a Sender: header with an address constructed from the calling user’s login and the default qualify domain.
>
> If local_from_check is set false, the From: header check is disabled, and no Sender: header is ever added. If, in addition, you want to retain Sender: header lines supplied by untrusted users, you must also set local_sender_retain to be true.
>
> These options affect only the header lines in the message. The envelope sender is still forced to be the login id at the qualify domain unless untrusted_set_sender permits the user to supply an envelope sender.

So, by setting the Return-Path header to someuser@mydomain.com, Gmail now displays the sender as someotheruser@hotmail.com via mydomain.com.

Neograph734
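The comparison behind the result above, as an added example that is not part of the original answer: it reads the From: and Return-Path: headers of a stored message and reports whether their domains differ, which is the mismatch a receiver can surface to the reader. The sample messages and every address in them are constructed placeholders, and the subdomain match is a simplification that does not consult the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: a message from a "share this page" script as a receiving
# server might store it. All hostnames and addresses are placeholders.
SAMPLE_DEFAULT = """\
Return-Path: <webuser@my.server.example>
From: Some User <someuser@gmail.example>
Reply-To: someuser@gmail.example
To: friend@recipient.example
Subject: Shared page

body
"""
# Same message after the envelope sender is set to an address on the site's domain.
SAMPLE_REWRITTEN = SAMPLE_DEFAULT.replace(
    "webuser@my.server.example", "share@mydomain.example")
# Same message with From: also on the site's domain (Reply-To still names the visitor).
SAMPLE_ALIGNED = SAMPLE_REWRITTEN.replace(
    "From: Some User <someuser@gmail.example>",
    "From: Share widget <share@mydomain.example>")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def aligned(a, b):
    """Simplified relaxed match: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_sender(raw_message):
    """Report the From: and envelope (Return-Path) domains and whether they differ."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        # A missing or null (<>) envelope sender is also reported as a mismatch.
        "mismatch": not aligned(from_dom, env_dom),
    }


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_REWRITTEN", "SAMPLE_ALIGNED"):
        print(name, check_sender(globals()[name]))
```

Changing only the envelope sender changes which domain is reported, not the fact that it differs from the From: domain; the mismatch goes away only when From: is also on the sending site's domain.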