External mails with spoofed email also signed with DKIM

[avoidik]

I don't know if this problem related to dkim-exchange, but emails from external server with spoofed sender got also signed.

Goto https://www.wormly.com/test_smtp_server and send sample email with fake sender with own domain name (from fake@mydomain.com to my_valid@mydomain.com). Check signature, it's signed.

Nice way to break in with spam or infected attachments.

[Pro]

Jep, that may be a problem.
A solution to this would be to check where the mail comes from, i.e. have a list with trusted sender IPs.
For that it is necessary to add an additional field in the Configurator, since mails may also come from other internal or even external trusted servers and should be signed.

[avoidik]

I think it's question about directions, DKIM agent must sign only outbound emails, not inbound.

[Pro]

The question is if it is possible to get this information within the source code. I need to investigate that further...

[avoidik]

In RoutingAgent we can use mailItem.Message.RootPart.Headers.FindFirst("Received"); to resolve IP and compare with permitted signers. In our case it will be our external IP or it can be another itemlist in GUI as you said above.

[Pro]

@AlexLaroche can you look at this and see if there's a solution? (add it to the new mime_kit branch)

[AlexLaroche]

@avoidik : Can you draw your Exchange architecture (Edge and Hub server, spam filtring, etc.) and what your email traffic is configure to do (who reveice from external, from internal, relay!?, who send from internal, etc.)? I don't need private information, just the architecture to understand how your environnement is setup.

[avoidik]

My environment is Exchange2010 SP3 CU11. Check out idea in pull request.

[gogglespisano]

Should the better fix be to only sign outgoing emails and ignore incoming emails regardless of sender?

[avoidik]

AFAIK it's impossible in RoutingAgent, need to change superclass to something else and rewrite whole agent.

[AlexLaroche]

The real problem isn't the incoming or outgoing emails.

A email server just forward email if it isn't the final destination.

The problem is that permit sender isn't correctly manage for your domain.

Restrict who can send email from your domain name in your organization to your Exchange server/email server (use AUTH).

It's also a good idea to activate SPF.

Check the follow example:

ABC don't want to expose their exchange on the Internet.

XYZ offer email service for their clients.

ABC contact XYZ and ask them if they can fronted Internet for them so al their email traffic will be send from their server.

XYZ accept in exchange of some money.

ABC forward their traffic to XYZ and XYZ will send the traffic to destination.

When XYZ will receive traffic for ABC, XYZ will send the traffic to ABC.

If XYZ receive traffic from traffic HYZ (using domain ABC), XYZ should check and see that only ABC and XYZ can send traffic from ABC domain.

Without DKIM Agent or not, you currently have a infrastructure problem.

The problem isn't the agent.

[AlexLaroche]

Powershell :

# Don't receive from anonymous if it's an authoritative domain
Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

If you want to use external email service that you use your domain, they will have to implement authentificate email relay : http://geekswithblogs.net/ksellenrode/archive/2014/05/03/156170.aspx