Domain Mail Security (Important)

th£ lord

Hello friends.
I've been doing a lot of research for days, but I couldn't fully solve this problem. I would be glad if friends with knowledge on the subject could help.

Problem: There is a security vulnerability with the PHP mail code of my own domain: it is as if mails were sent from a different server through my domain. Thus, it looks like an e-mail that I did not send was sent through my domain.

In my research I found that records such as SPF, DKIM and DMARC are required. I have all the records.

Server Info:
Exim 4.96.1
dovecot 2.3.21 (47349e2482)
Server Version 1.653

PHP Code :

<?php
// mail() hands the message to the local MTA (the sendmail wrapper); the From:
// header is whatever the script puts there, it is not checked by PHP.
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here - www.yourdomain.com";
$headers = "From: [email protected]";
echo mail($to, $subject, $txt, $headers);
?>

Server DNS Records:

yourdomain.com. 3600 TXT "v=spf1 mx a ip4:1xx.2x.1x.2x -all"
_dmarc 3600 TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@yourdomain;ruf=mailto:[email protected];ri=86400;aspf=s;adkim=s;fo=1"
x._domainkey 3600 TXT "v=DKIM1; k=rsa; p=MIIBIjAjsodıjweoıuro3248fewş............................................................................xxxxxxxxxxxx........xxx.."
 
Use a script with SMTP authentication to send emails; only in this case will your emails be signed correctly.
 
We use SMTP, but in this way, by typing the desired domain from different servers with such a code, it appears as if it is sent from that domain. You can also take the code, write your own domain or a different domain, and test it.
 
It will be described because you add this header, but it will not pass the SPF/DKIM check.
 

If you're concerned that your PHP code allows third parties to spoof senders and use your software to do it, then the answer would be to use more secure PHP code. Don't reinvent the wheel: https://github.com/PHPMailer/PHPMailer

If you're concerned that anyone sending mail at any time can spoof any sender address that they want, you haven't discovered anything new. You're just getting your first peek behind the curtain to see how email works. There's nothing stopping you from sending an email claiming to be from [email protected] right now, from any of your servers, using PHP or anything else. The only security to prevent it would relate to what the recipient server does to protect itself from receiving spoofed email. This is in addition to what measures the domain owner takes to assist with it, with DKIM/SPF/DMARC. If you are concerned that your server is accepting spoofed email, you may want to look into customizing how your SpamAssassin or Rspamd installation works (as well as EasySpamFighter). It's not written in stone that you have to enforce these policies; it's a server owner's choice.
 
My precious friend.
Of course, I do not use this code in the software. However, if you give me a domain belonging to you, I can send you mail with that code as if it were sent from your email.
I'm asking how we can close the gap here. DKIM, SPF, DMARC: all of these are as they should be.
But some mail servers do not perform these checks, and GMAIL, for example, may send e-mails to others as if they were sent directly from your domain.
This vulnerability cannot be closed, it is in the nature of e-mail. If you can close it, I say let's find a solution.
 

The solution is to develop a new standard for email and get all of the stakeholders to sign off on it. I don't doubt that you can do it, but you should be aware that the scope of this involves getting support from Google, Microsoft, and a very large surrounding community. People have spent much more time in this matter than you have thus far, many years in fact, and have not been able to gain consensus on a perfect solution to this problem.
 
The only security to prevent it would relate to what the recipient server does to protect themselves from receiving spoofed email. This in addition to what measures the domain owner takes to assist with it, with DKIM/SPF/DMARC.
I'm interested in this part. Because indeed it seems my server sometimes blocks mails because some IP is not allowed to send mail "on behalf of". But when testing with the above script, they don't care; they don't seem to check any strict SPF or DKIM record, not even DMARC.
And I thought it was working fine.
I have SpamAssassin running but did not see it starting in the Exim log. In the received mail I don't see any DKIM or SPF check, which is odd.

Only when I send to Gmail, then the test directly is moved to the spamfolder with a warning.
But with a strict SPF record of the domains I tested with, it should be blocked to start with, correct?

I already have:
EASY_SPF_FAIL = 100
EASY_DKIM_FAIL = 100
EASY_NO_REVERSE_IP = 100
for example, but this won't work if neither Exim nor SpamAssassin even checks the incoming mail's SPF and DKIM records.
So improvement tips are welcome.
 
Additionally, I did another test and sent in a mail coming from my Gmail address.
Now this time SPF and DKIM were tested... however... since the headers say it's from my spoofed address and the IP from the spoofed address, the SPF and DKIM check took place on the domain it was spoofed from, because you will see that in the headers.
Since they are all all right, it's a pass-through without issues. That part seems logical to me.

I just wonder how Gmail manages to see that it was not quite correct, maybe because I used a From domain which also has a DMARC setting.
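What separates the Gmail result from the local server's pass-through is DMARC alignment: SPF and DKIM each authenticate their own identifier (MAIL FROM domain, DKIM d= tag), and the recipient only gets a DMARC pass when one of those also matches the From: domain under the record's aspf/adkim tags. The Python below is an added example, not code from the thread or from any of the tools named in it; it models that decision for a strict record like the one posted earlier, with all domain names and authentication results constructed.

```python
# DMARC alignment as a receiving server evaluates it (added example, not
# from the thread). SPF and DKIM authenticate their own identifiers (MAIL FROM
# domain, DKIM d= tag); DMARC passes only if one of them passed AND aligns with
# the RFC5322.From domain per the record's aspf/adkim tags. All values constructed.
from dataclasses import dataclass

# Toy public-suffix set; a real verifier uses the full publicsuffix.org list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str  # domain of the RFC5322.From header the user sees
    spf_result: str   # "pass"/"fail"/"none", evaluated on MAIL FROM
    spf_domain: str   # MAIL FROM domain SPF was evaluated against
    dkim_result: str  # "pass"/"fail"/"none"
    dkim_domain: str  # d= tag of the signature that verified ("" if none)

def parse_dmarc(record: str) -> dict:
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def dmarc_disposition(r: AuthResults, record: str) -> str:
    """Return 'pass', or the policy (none/quarantine/reject) to apply."""
    t = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, t.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, t.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # sp= governs subdomains of the organizational domain, p= everything else
    sub = org_domain(r.from_domain) != r.from_domain.lower().rstrip(".")
    return t.get("sp", t.get("p", "none")) if sub else t.get("p", "none")

# Strict alignment, as in the record posted in the thread (addresses omitted).
OP_RECORD = "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s"
# The thread's Gmail test: SPF and DKIM pass for gmail.com, but From: is yourdomain.com.
GMAIL_RELAY = AuthResults("yourdomain.com", "pass", "gmail.com", "pass", "gmail.com")
# Mail sent through the domain's own authenticated SMTP with DKIM signing.
AUTH_SMTP = AuthResults("yourdomain.com", "pass", "yourdomain.com", "pass", "yourdomain.com")
```

A receiver that never runs this alignment step (which is what the Exim log above suggests) will accept the Gmail test, while one that does reaches the same "reject" verdict Gmail did.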
 