1 (edited by misieq 2015-06-29 16:22:18)

Topic: How to disable Outlook "send as/on behalf" functionality

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.8.6
- Linux/BSD distribution name and version: RH6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP - Active Directory
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? - no - AD managed
- Related log if you're reporting an issue:
====
Hello,
Outlook has a functionality to send email "on behalf" of someone.
It changes the From header.
Is there any way to block it system-wide?
I have sender_login_mismatch enabled but Outlook still manages to send email with a spoofed header.


2

Re: How to disable Outlook "send as/on behalf" functionality

Show us related settings in Postfix main.cf and iRedAPD config file, related Postfix log of this testing email, mail headers of this testing email.

3

Re: How to disable Outlook "send as/on behalf" functionality

ZhangHuangbin wrote:

Show us related settings in Postfix main.cf and iRedAPD config file, related Postfix log of this testing email, mail headers of this testing email.

Sorry, I forgot to mention it's AD. Basic information about the server is updated in the first post.

postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 30720000
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
myhostname = store01-ldap.domain.com
mynetworks = 127.0.0.0/8, 10.4.14.11/32, 10.4.8.130/32, 10.4.3.180/32, 10.11.12.55/32
myorigin = store01-ldap.domain.pl
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relay_domains =
relay_recipient_maps =
relayhost = 10.4.12.11
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_fallback_relay = 10.4.12.12
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_security_level = may
smtpd_banner = store01.domain.com ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/nazwiska_exception, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/hold, check_client_access hash:/etc/postfix/nazwiska_exception, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = domain.com
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf,      proxy:ldap:/etc/postfix/ad_sender_login_maps_addition.cf,       proxy:ldap:/etc/postfix/ad_sender_login_maps_addition2.cf
smtpd_sender_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/nazwiska_exception, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/RootCA.poczta.mbcib.pl.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/poczta.mbicb.pl.2014.crt
smtpd_tls_key_file = /etc/pki/tls/private/poczta.mbicb.pl.2014.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = regexp:/etc/postfix/transport.regexp
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf,      proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps_addition.cf,    proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps_addition2.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

4

Re: How to disable Outlook "send as/on behalf" functionality

misieq wrote:
ZhangHuangbin wrote:

Show us related settings in Postfix main.cf and iRedAPD config file, related Postfix log of this testing email, mail headers of this testing email.

Sorry, I forgot to mention it's AD. Basic information about the server is updated in the first post.


iRedAPD still applies. This is the policy daemon that will allow you to have the send-on-behalf-of support as you want it, regardless of what you use to manage iRedMail. iRedAPD isn't the same as iRedAdmin-Pro.

5

Re: How to disable Outlook "send as/on behalf" functionality

I know it applies.
Do you mean iredapd sender_login_mismatch.py plugin?

6

Re: How to disable Outlook "send as/on behalf" functionality

*) The restriction rule 'reject_sender_login_mismatch' in Postfix 'smtpd_sender_restrictions =' should work for you.
*) What's in file /etc/postfix/nazwiska_exception?
*) iRedAPD doesn't work in your case, because it queries OpenLDAP instead of AD.

7 (edited by misieq 2015-06-30 15:47:10)

Re: How to disable Outlook "send as/on behalf" functionality

/etc/postfix/nazwiska_exception is a list of some users who were designated to be able to send as a different user... but as far as I know it never worked the way I wanted it to.

reject_sender_login_mismatch works in Thunderbird but not in Outlook.

To be precise:
In Outlook I need to have the proper e-mail address set, and the login the same as the e-mail in the account preferences, but while sending a message I can choose the Options tab, then click From and set whatever I want.
It logs in to the server with my credentials but spoofs just the From header in the message.

The Sender field is my legitimate address.
The From is spoofed.
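
The gap described in the post above, as an added example that is not part of the original thread: Postfix's reject_sender_login_mismatch compares the SASL login with the envelope sender (MAIL FROM), so a message whose From: header differs still passes. A header-level check that a content filter or milter could apply looks like this; the function name, the delegate table and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical allow-list: SASL login -> other addresses it may send as.
DELEGATES = {"assistant@domain.com": {"manager@domain.com"}}

# Constructed sample: authenticated as user1, Sender is honest, From is not.
SAMPLE = (
    "Sender: user1@domain.com\n"
    'From: "Someone Else" <user2@domain.com>\n'
    "To: rcpt@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def header_from_violations(raw_message, sasl_login, delegates=DELEGATES):
    """Return (header, address) pairs the authenticated login may not use.

    Checks every address in every From: and Sender: header against the
    login itself plus its delegated addresses. A missing or unparsable
    From: is reported as ("From", "").
    """
    msg = message_from_string(raw_message)
    login = sasl_login.lower()
    allowed = {login} | {a.lower() for a in delegates.get(login, ())}

    violations = []
    for header in ("From", "Sender"):
        values = msg.get_all(header) or []
        if header == "From" and not values:
            violations.append(("From", ""))
            continue
        # getaddresses handles display names and multiple mailboxes.
        for _name, addr in getaddresses(values):
            if addr.lower() not in allowed:
                violations.append((header, addr.lower()))
    return violations


if __name__ == "__main__":
    for header, addr in header_from_violations(SAMPLE, "user1@domain.com"):
        print(f"reject: {header}: {addr!r} not permitted for user1@domain.com")
```
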

8

Re: How to disable Outlook "send as/on behalf" functionality

Could you please try to remove 'reject_sender_login_mismatch' in Postfix, but enable plugin 'reject_sender_login_mismatch' in iRedAPD instead?

You can list all allowed senders in /opt/iredapd/settings.py like this:

ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@domain.com', 'user2@example.com', 'whole_domain.com']

9

Re: How to disable Outlook "send as/on behalf" functionality

It doesn't work either.

10

Re: How to disable Outlook "send as/on behalf" functionality

Please turn on debug mode in iRedAPD and paste log in /var/log/iredapd.log related to your testing email.
Reference: http://www.iredmail.org/docs/debug.iredapd.html