Handling fake own From:

andreisrr

Feb 2, 2024
Hi,

I have the following configuration:

internet  -->  PMG (handles domain1, domain2)  -->  mailserver (domain1, domain2)

Both mailserver and PMG have a public IP.
Mailserver is not allowed to receive connections on port 25 from outside the DMZ.
Mailserver has PMG as smarthost.

PMG is set to relay domain1, domain2.
PMG has transports set to mailserver for both domains.


Is there a way to tell PMG to block emails coming from internet with From: header containing domain1 or domain2 regardless of other tests?
 
I would set up Sender Policy Framework (SPF) records for both domains, allowing only PMG to send for those domains.
 
That was my first thought as well, but as @andreisrr asked about the "From: " (note the colon) header, I believe that SPF won't help, because SPF verifies only the "From " (note: without colon) header, i.e. the MAIL FROM: address.

To verify the "From: " address as well, one should also use DMARC (possibly together with DKIM).
 
I have some similar solutions to this.

This rule is designed to detect potential domain spoofing by comparing the visible From header with the SMTP envelope sender (MAIL FROM).

It triggers when an email claims to come from one of the organization’s domains (including subdomains) in the From header, while the actual envelope sender belongs to a different domain. This mismatch is a common indicator of spoofing or unauthorized use of internal domains.

Legitimate internal messages typically have aligned domains in both headers, whereas forged messages often only manipulate the visible From address. By also including subdomains in the check, the rule closes a common gap that could otherwise be abused for SPF-aligned spoofing.

Basic safeguards (e.g., excluding empty envelope senders used in bounces) help reduce false positives, but the rule should still be combined with SPF ("Use SPF" in PMG must be activated), DKIM, and DMARC evaluation for more reliable detection.

Put this into /etc/mail/spamassassin/custom.cf

Code:
# ":addr" keeps only the address, so a display name or trailing ">" cannot break the anchored match
header   __FROM_IN_TRANSP_DOM      From:addr =~ /\@([a-z0-9-]+\.)*(my-domain\.de|my-domain\.com)$/i
header   __ENVFROM_IN_TRANSP_DOM   EnvelopeFrom:addr =~ /\@([a-z0-9-]+\.)*(my-domain\.de|my-domain\.com)$/i
# Empty (bounce) envelope sender; also true when no envelope sender is known at all
header   __ENVFROM_EMPTY           EnvelopeFrom =~ /^\s*(?:<>)?\s*$/ [if-unset: <>]
# A meta rule can only combine other rules, not run a regex, hence the sub-rule above
meta     SPOOFED_FROM (__FROM_IN_TRANSP_DOM && !__ENVFROM_IN_TRANSP_DOM && !__ENVFROM_EMPTY)
score    SPOOFED_FROM 30.0
describe SPOOFED_FROM Transport domain (incl. subdomains) in From but not in EnvelopeFrom
 
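The check that the SPOOFED_FROM rule above performs, and the distinction raised earlier in the thread between the envelope MAIL FROM (what SPF validates) and the From: header, can be worked through outside SpamAssassin. The following Python is an added example, not code from the thread, from PMG or from SpamAssassin; it re-implements the same comparison (protected domain or a subdomain of it in From:, envelope sender outside it, empty bounce sender exempt) and runs it over constructed sample messages. The domains domain1.example and domain2.example stand in for domain1/domain2 and are placeholders.

```python
# Added example: Python re-implementation of the From-vs-envelope alignment check
# in the SPOOFED_FROM SpamAssassin rule, run over constructed sample messages.
from email.utils import parseaddr

# Domains the gateway relays for; stand-ins for domain1/domain2 in the thread (constructed).
PROTECTED_DOMAINS = ("domain1.example", "domain2.example")


def domain_of(addr):
    """Lower-cased domain part of a bare address such as '<user@host>' or 'user@host'."""
    addr = addr.strip().strip("<>").lower()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1]


def in_protected_domain(domain):
    """Exact match or any subdomain, like the ([a-z0-9-]+\\.)* prefix plus the $ anchor in
    the rule. Because the comparison is anchored, 'domain1.example.org' does NOT count."""
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in PROTECTED_DOMAINS)


def is_spoofed_from(from_header, envelope_from):
    """SPOOFED_FROM logic: protected domain in the From: header, envelope sender
    (MAIL FROM) outside it, and the envelope sender is not the empty bounce sender."""
    env = envelope_from.strip()
    if env in ("", "<>"):          # bounce / DSN: no envelope sender to compare against
        return False
    # parseaddr strips the display name, as the SpamAssassin ':addr' modifier does
    _display, from_addr = parseaddr(from_header)
    return in_protected_domain(domain_of(from_addr)) and not in_protected_domain(domain_of(env))


# Constructed sample messages: (label, From: header, SMTP MAIL FROM)
SAMPLES = [
    ("internal, aligned",             "Alice <alice@domain1.example>", "alice@domain1.example"),
    ("forged From, foreign envelope", '"CEO" <ceo@domain1.example>',   "<bounce@other.example>"),
    ("forged subdomain From",         "hr@mail.domain2.example",       "x@other.example"),
    ("bounce to internal user",       "postmaster@domain1.example",    "<>"),
    ("external, aligned",             "bob@other.example",             "bob@other.example"),
    ("lookalike, not covered",        "alice@domain1.example.org",     "x@other.example"),
]


def classify(samples=SAMPLES):
    """Return [(label, flagged)] for each sample message."""
    return [(label, is_spoofed_from(frm, env)) for label, frm, env in samples]


if __name__ == "__main__":
    for label, flagged in classify():
        print(f"{'SPOOFED_FROM' if flagged else 'ok          '}  {label}")
```

The last sample shows the limit of the rule as written: a lookalike domain that merely starts with the protected name is not matched, because the regex is anchored at the end of the address; that case needs DMARC on the receiving side or a separate lookalike rule, not this one.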
Indeed, I am looking to block forged headers.
The solution presented by @ivenae is interesting, with the following caveats:

- if I am reading this right, the regex will match both user@domain.com and user@host.domain.com, which is the general case. Since I only handle email for user@domain.com, I assume I can omit this part of the regex: ([a-z0-9-]+\.)*

- by my understanding so far, this is a generic solution at the SpamAssassin level that takes email headers into account but not the topology (see my initial description).
Is there any way to tie such rules, or another solution, to the "relay domain"/"host" pairs under Configuration->Mail proxy->Transports, so that the correct From: is validated against the topology as well?

Notes:
  • domain has SPF records containing the IP addresses of PMG and the actual email server, with ~all at this time.
  • domain has DKIM signing performed by PMG. Messages from the email server it relays are not signed.
  • domain has DMARC in report-only configuration (p=none) at this time.