sender verification in qmail

Posted on 2009-12-29
Medium Priority
Last Modified: 2013-12-02

I have a mail setup with qmail-1.03 as the MTA, openLDAP 2.2.13 as the authentication server and qmail-scanner 2.01 as the scanner. I have applied the "smtp auth" patch for validating all the senders and PBS to check "pop before smtp". The issue I noticed is that in the mail client, if I mention the user name as "USER A", Password as "PasswordOfUserA" and E-mail Address as "USERB@domain.com", the server processes the mail. The "FROM" field of this ID is shown as "UserB@domain.com". This means I can authenticate with any user and send e-mail as another user, which is probably a case of e-mail ID spoofing.

Please help me get this resolved. Attributes used in OpenLDAP:

uid: (user ID)
userPassword: Password of Email Address
mail: E-mail Address

I am not sure if qmail-scanner gets any attribute of the UserName (uid). If so, I can put a condition there to reject mails if the UserName and E-mail ID do not complement each other.

Question by:sujoy_mukh123
LVL 28

Expert Comment

ID: 26143673
The server is happy to authenticate you. It has no connection with the sender email address. Use SMTP auth instead of POP before SMTP

Author Comment

ID: 26143756
Hi peakpeak,

Isn't it dangerous? I mean that e-mail spoofing is so easy. Is that the case for all mail servers running on qmail? Or is there any workaround?

Also, I don't know why mail clients have an option to specify the e-mail address.
Please help.

LVL 28

Expert Comment

ID: 26143785
As soon as you're authenticated to an SMTP mail server you can send as anyone. There's no restriction in the SMTP protocol to enter any sender address, reply-to address etc. The SMTP protocol was not built with security in mind because it was intended to be used between universities at that time (and no spammers existed). Because of the rapid growth of the internet, SMTP tagged along until it was so widely spread it was too late to make amendments.

The restrictions you experience with a client depend on the client. With Outlook you cannot send as another user unless you've been authorized to do so. With a bare-bones SMTP client (like spammers use) you do not have any such restrictions.

So, yes: With the proper client, spoofing is easy.


LVL 21

Expert Comment

by:Daniel McAllister
ID: 26205675
I think it is important to note here that what sujoy_mukh123 says is true... it is very open to misuse! But that's not something that is unique to QMail -- the same can be said of Exchange or sendmail MTAs as well!

There have been several attempts to "fix" this... look up SPF, Sender-ID, & DomainKeys just to name a few!
 - Each has been met with moderate success.

The fact is, though, that we as netizens expect service providers (people running MTAs) to be able to control their authenticated users. If there is abuse, you're supposed to be able to trace back to the MTA "point of origin" and request help from that "postmaster". The sad fact is, though, that this is seldom successful, thus the reason for RBLs (realtime blackhole lists)... which can also be annoying!

BTW: If you would like a QMail installation with MySQL and QMail Scanner backends, try the new & improved QMail Toaster Plus.... http://qtp.qmailtoaster.com. Save yourself all the patching and testing.... it already implements both SPF & Sender-ID, as well as DomainKeys. I believe DKIM should be added soon, too!

Welcome to the world of e-mail.... the "DUCKS" of the Internet (looks all calm, cool, and collected - not to mention, easy - above the surface, but underneath, there's a LOT of action going on!)

LVL 28

Expert Comment

ID: 26205703
First commercial I've seen in EE ... more is coming?
LVL 21

Accepted Solution

Daniel McAllister earned 2000 total points
ID: 26437295

The unfortunate answer is that sujoy_mukh123 cannot have exactly what he wants -- there is no mechanism available in qmail (or sendmail, or postfix, or exchange, ... nor any other MTA that I know of) that will validate the From field in a message against the credentials of the person or system presenting the message.

Once the client connects to the MTA, the "FROM:" field in the message is just a data field -- it can legally contain ANYTHING, although some MTAs will actually insist that it contain (at least somewhere within the field) a validly formatted e-mail address. It is ASSUMED to be the return path to the recipient, but absolutely no checks of that are built into the protocol, nor into most MTA programs.

However, all is NOT lost -- MANY SPAM-filtering client programs (like SPAMASSASSIN or Qmail's SpamDyke) will successfully mark messages whose domain names do not match the sender's IP's reverse DNS as potential SPAM, and mail providers all around the globe are implementing schemes like SPF and DomainKeys to provide recipients with validation capabilities that are not "native" to the SMTP protocol. The "bad" part about these is that they are voluntary, and not nearly as widely used as one would hope.

Even so, there is nothing in the protocol that would stop MelindaG@Microsoft.com from sending messages that say BillG@Microsoft.com in the From field -- which would successfully fool MANY recipients into believing the message really comes from BillG (as in: Bill & Melinda Gates). (In fact, corporate secretaries do this around the globe every second of every day!)

Remember: E-Mail was designed to allow ACADEMICS to pass messages to each other.... and back then, all e-mail USERS had significant computer skills training (either in their past or the present), and so could easily spot "spoof" attempts using the all-too-visible e-mail headers that were NOT hidden from them.

So, long story short: sujoy_mukh123 needs to "presume the innocence" of his users; then, when one misbehaves (SPAMs or improperly impersonates someone else), he can punish them appropriately.

Just my thoughts on the matter...
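The accepted answer is right that the SMTP protocol itself never ties the From field to the authenticated user, but the check the asker describes (reject a submission when the authenticated uid and the claimed sender do not match) can be enforced by the site as a local submission policy. The following is an added example written for this thread, not code from qmail, qmail-scanner or any of the posters. It assumes a directory lookup that maps the LDAP uid to its mail attribute (here replaced by a constructed in-memory dictionary), and it assumes the site has some hook, such as a wrapper around the submission daemon, where the authenticated uid, the envelope MAIL FROM and the message headers are all available; that hook is not shown.

```python
"""Submission-time sender alignment check (added example, not part of the thread).

Policy: an authenticated user may only submit mail whose envelope sender and
header From address belong to that user's directory entry.  This closes the
gap described in the question, where USER A authenticates and sends as USERB.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the OpenLDAP directory from the question
# (uid / userPassword / mail).  A real deployment would query LDAP here.
# "aliases" is an assumed extra attribute for legitimate shared addresses.
DIRECTORY = {
    "usera": {"mail": "usera@domain.com", "aliases": []},
    "userb": {"mail": "userb@domain.com", "aliases": ["sales@domain.com"]},
}


def allowed_senders(uid):
    """Return the set of addresses the authenticated uid may send as."""
    entry = DIRECTORY.get(uid.strip().lower())
    if entry is None:
        return set()
    return {entry["mail"].lower(), *(a.lower() for a in entry["aliases"])}


def envelope_address(mail_from):
    """Normalise a MAIL FROM argument such as '<usera@domain.com>'."""
    return mail_from.strip().strip("<>").lower()


def header_address(from_header):
    """Extract the bare address from a From: header ('User B <userb@..>')."""
    _name, addr = parseaddr(from_header or "")
    return addr.lower()


def check_sender(auth_uid, mail_from, from_header):
    """Return (accepted, reason) for one submission.

    The null envelope sender '<>' (bounces) is left to the header check,
    so an authenticated client still cannot forge the visible From address.
    """
    allowed = allowed_senders(auth_uid)
    if not allowed:
        return False, "authenticated uid %r has no directory entry" % auth_uid

    env = envelope_address(mail_from)
    if env and env not in allowed:
        return False, "envelope sender %s is not owned by %s" % (env, auth_uid)

    hdr = header_address(from_header)
    if hdr not in allowed:
        return False, "From header %r is not owned by %s" % (from_header, auth_uid)

    return True, "sender aligned with authenticated user %s" % auth_uid


def check_message(auth_uid, mail_from, raw_message):
    """Convenience wrapper: pull the From: header out of a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return check_sender(auth_uid, mail_from, msg.get("From"))


if __name__ == "__main__":
    # Constructed message reproducing the question's scenario:
    # USER A authenticates but the client is configured with USERB's address.
    spoofed = "From: USERB@domain.com\r\nTo: x@example.net\r\nSubject: hi\r\n\r\nbody\r\n"
    print(check_message("usera", "<USERB@domain.com>", spoofed))
    print(check_message("usera", "<usera@domain.com>",
                        "From: User A <usera@domain.com>\r\n\r\nok\r\n"))
```

The decision is made on three values the MTA already has at submission time, so nothing in the SMTP exchange changes; a rejection would simply be returned as a 5xx response by whatever hook invokes `check_sender`. Incoming mail from other servers must not go through this check, since there is no authenticated user to compare against; for that direction the SPF and DomainKeys mechanisms mentioned above are the relevant tools.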

