Post by Ralph Seichter
>> is there any chance that a whitelisted IP address [...] could have
> Yes. Search for "IP address spoofing" in the search engine of your
> choice and you will find what you are looking for.
By that standard, we are ruled by a disguised race of alien
lizard-people. (Really, Google it...)
Spoofing the IP address used by a running system for TCP sessions is
*possible* but it requires very specific complex compromises targeting
the network paths between the spoofed system and the system(s) being
targeted by the deception. It requires specific points of vulnerability
which are relatively easy to avoid. It is not the sort of attack that
can be done by any script kiddie with a kit (unlike IP address spoofing
as a component of DDoS and reflection/amplification attacks). This means
that to assess your actual risk (or determine the likelihood that
spoofing was involved in a specific incident) you need to look at much
more than the technical possibility, you need to weigh the value of the
attack relative to the difficulty of mounting it. That obviously is out
of scope for this or any other public forum, as it has nothing to do
with Postfix and requires specific knowledge of your business that
should probably not be public.
HOWEVER, in general when someone suggests that a Received header in a
piece of email describes an incident of IP spoofing, they are wrong.
This is because it is very rare for IP spoofing to be the simplest or
most likely explanation. For example, since you have 2 systems involved
in an SMTP transaction and the primary records of that are a Received
header and system logs, all an attacker needs to do in order to mimic IP
spoofing is to compromise one system or the other, preferably the SMTP
client. That's likely to be easier for an attacker to execute, harder to
detect in progress, and simpler for an attacker to clean up afterwards
to prevent tracking. In order to conclude that an incident was the
result of IP spoofing one must eliminate the other possibilities such as
client compromise, because it's easier to take over most machines than
it is to impersonate them while they remain online.
And if one wants to remove the potential for IP spoofing of SMTP between
a specific pair of machines across the Internet, this can be done with a
simple encrypted tunnel between them: a trivial degenerate VPN with 2
nodes and strictly controlled access on both ends.
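An added example (my own, not from this thread) of the check the post implies: confirm that a Received header and the receiving MX's own postfix/smtpd log describe the same connection before reasoning about spoofing. The header, log lines, host names, queue ID and addresses are constructed.

```python
import re

# Constructed sample records: a Postfix-style Received header and the
# postfix/smtpd log lines the same MX would have written for that connection.
RECEIVED = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 4ABCDEF1234\n"
    "\tfor <user@example.net>; Tue, 1 Jan 2019 12:00:00 +0000 (UTC)"
)
LOG_LINES = [
    "Jan  1 12:00:00 mx postfix/smtpd[1234]: connect from mail.example.com[192.0.2.10]",
    "Jan  1 12:00:00 mx postfix/smtpd[1234]: 4ABCDEF1234: client=mail.example.com[192.0.2.10]",
]

# "from HELO (rDNS [IP]) ... id QUEUEID" as Postfix writes it (rDNS may be "unknown").
RECV_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r".*?\bid\s+(?P<qid>[0-9A-Za-z]+)", re.S)
# "QUEUEID: client=rDNS[IP]" from postfix/smtpd.
LOG_RE = re.compile(r"(?P<qid>[0-9A-Za-z]+): client=(?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]")


def parse_received(header):
    m = RECV_RE.search(header)
    return m.groupdict() if m else None


def find_log_client(lines, qid):
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("qid") == qid:
            return m.groupdict()
    return None


def corroborate(header, log_lines):
    # Agreement only shows this MX wrote the header for a real connection from
    # that address; it cannot tell a legitimate client from a compromised or
    # spoofed one, which is the point the post makes about needing more evidence.
    hdr = parse_received(header)
    if hdr is None:
        return {"status": "unparsed-header"}
    log = find_log_client(log_lines, hdr["qid"])
    if log is None:
        return {"status": "no-log-record", "qid": hdr["qid"]}
    agree = hdr["ip"] == log["ip"] and hdr["rdns"] == log["rdns"]
    return {"status": "consistent" if agree else "inconsistent",
            "qid": hdr["qid"], "header_ip": hdr["ip"], "log_ip": log["ip"]}
```

An "inconsistent" or "no-log-record" result points at a forged or altered header, which is a far more common finding than spoofing.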