
I received some phishing emails, and the From: header contained ONLY a display name. Like:

From: Timmy Tester

Postfix then delivered the email, but appended its hostname to the FIRST PART of the display name / malformed From header. So the recipient got this phish with a From header like:

From: Timmy@mail.example.com

(Where mail.example.com is my legit mail server's FQDN)

So... it isn't a spoofed From: header; it's more like Postfix spoofed the From: header on behalf of the sender/scammer.

Is there a postfix setting to leave the From: header alone, or even better, to set this value to something else to warn recipients?

Ok, the problem as highlighted by michael-hampton:

The setting remote_header_rewrite_domain is empty currently.

Postfix always rewrites message headers from local SMTP clients and from the Postfix sendmail command, and appends its own domain to incomplete addresses. The local_header_rewrite_clients parameter controls what SMTP clients Postfix considers local (by default, only local network interface addresses).
Postfix never rewrites message header addresses from remote SMTP clients when the remote_header_rewrite_domain parameter value is empty (the default setting).
Otherwise, Postfix rewrites message headers from remote SMTP clients, and appends the remote_header_rewrite_domain value to incomplete addresses. This feature can be used to append a reserved domain such as "domain.invalid", so that incomplete addresses cannot be mistaken for local addresses.
user145837
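An added example, not from the question or from Postfix: a small Python model of the "append a domain to incomplete addresses" rule quoted above, with a hypothetical check that flags From: values lacking any domain before a rewrite can make them look local. The sample headers are constructed, and the helper is a simplification for illustration, not Postfix's address parser.

```python
import re
from typing import List, NamedTuple

# Hypothetical helper, not Postfix code: a simplified model of the
# "append a domain to incomplete addresses" rewrite the docs describe,
# plus a check that flags From: values with no @domain at all.

class FromCheck(NamedTuple):
    addr_spec: str   # address part as found in the header
    complete: bool   # True when it already carries a domain
    rewritten: str   # what an append-domain rewrite would produce

_ANGLE_ADDR = re.compile(r"<([^>]*)>")

def extract_addr_spec(from_value: str) -> str:
    """Return the addr-spec of a From: value ('' if there is none)."""
    m = _ANGLE_ADDR.search(from_value)
    if m:
        return m.group(1).strip()
    # No angle brackets: the first word is taken as the address, which is
    # what the question observed ("Timmy Tester" became "Timmy@...").
    tokens = from_value.split()
    return tokens[0] if tokens else ""

def check_from(from_value: str, rewrite_domain: str) -> FromCheck:
    """rewrite_domain '' models the setting left empty (header untouched);
    'domain.invalid' models the reserved domain the docs suggest."""
    addr = extract_addr_spec(from_value)
    local, _, domain = addr.partition("@")
    complete = bool(local) and bool(domain)
    if addr and "@" not in addr and rewrite_domain:
        rewritten = f"{addr}@{rewrite_domain}"
    else:
        rewritten = addr
    return FromCheck(addr, complete, rewritten)

def flag_incomplete(from_values: List[str]) -> List[str]:
    """Detection helper: From: values a filter should tag or quarantine."""
    return [v for v in from_values if not check_from(v, "").complete]

# Constructed sample headers; the first is the case from the question.
SAMPLE_FROM_HEADERS = ["Timmy Tester", "Timmy Tester <timmy@example.org>",
                       "<noreply@example.net>", "Accounts Payable"]

if __name__ == "__main__":
    for domain in ("", "mail.example.com", "domain.invalid"):
        r = check_from("Timmy Tester", domain)
        print(f"rewrite_domain={domain!r:<20} -> From: {r.rewritten}")
    print("flagged:", flag_incomplete(SAMPLE_FROM_HEADERS))
```

Running it prints the three outcomes side by side: untouched, rewritten to the server's own FQDN (the spoof-looking result from the question), and rewritten to domain.invalid.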
