If the IP address is spoofed, how does firewall rejects it?

In the case of MS Exchange, will implementing something like
SPF (Sender Policy Framework) and Sender ID filtering help?


Sun

no, if postfix see local sender domains on port 25 it should reject it

all else will fail

ips does not mater

Sender-ID is depricated, dont added it, but if you like spf could help
if added to each sender domain carefully

It can also be done with access lists in smtpd_mumble_restrictions:

a Accept (by remote host IP address) ALL your legitimate servers;
b Reject everything else claiming to be one of your servers

EXAMPLE

main.cf:
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:$config_directory/access/own-server_access,
check_helo_access hash:$config_directory/access/helo_access,

own-server_access:
### List *ALL* your own servers by IP address
1.2.3.4 OK
5.6.7.8 OK

helo_access:
### Your *REAL* hosts have already been accepted...
1.2.3.4 reject
5.6.7.8 reject
example.com reject


It works well enough for me...

Allen C

The answer is dependent on your network architecture and what exactly
you mean by "spoofed."

Received headers can be arbitrarily forged, as are the above examples,
BUT since they are added by each MTA handling the message, forgeries are
not hard to detect because they always are below the chronologically
final Received header, added by your own MTA and presumably trustworthy
to the degree of reflecting how your MTA received the message. When a
forgery fails to get the format of a Received header correct (as above)
it is also easily detected.

If you are asking whether an SMTP session can be run over a connection
where the client side is spoofing an IP address, the *general* answer is
NO. IP address spoofing is trivial for UDP-based protocols like DNS
because UDP doesn't depend on the machines involved being able to carry
on a multi-step synchronized reliable conversation. Because SMTP runs on
top of TCP, the initial connection, before any data is exchanged,
requires a 3-packet exchange by which both ends prove that they are
receiving each others' packets correctly. many years ago, it was
possible to spoof that exchange because systems commonly used very
predictable packet sequence numbers, however that flaw was recognized
and corrected in the early 90's. It remains possible to actually hijack
an IP address by compromising the specific routers that handle the path
between the target machine and the hijacker, but that is a non-trivial
project and by its nature prevents normal communication between the
target system and the hijacking victim system (that is: the rightful
holder of the spoofed IP,) so it is hard to hide such a hijack if the
target and victim normally communicate with each other.

A special case where "spoofing" becomes easier for SMTP is when the
spoofed machine and the spoofing target communicate through a firewall
that uses a form of NAT that makes the target see all communications as
coming from an IP held by the firewall. In that case, the security and
proper configuration of the firewall and its neighboring routers is
critical.

Your question is not sufficiently clearly stated.
When "ZZZWVEXC01ZZ.bbb.com.au" is receiving the inbound email, the source
IP address can only be "spoofed" by an "on-path" man-in-the-middle attacker,
able to intercept network packets directed to "10.98.2.87", and thus maintain
a TCP session for the transmission of email.

Absent DNSSEC, the same MITM attacker may be able to forge DNS replies (if
also "on path" between the receiving SMTP server and the nameservers it
uses to resolve "10.in-addr.arpa" and "zzzbank.com.au".

On the other hand, anyone can create a message in which the above "Received:"
headers appear. What a forger can't easily do is ensure that such headers
are the topmost trace headers. When the forger transmits the message, the
nexthop receiving system will record the forger's network address as the
sending system in the topmost trace header. If that origin is not trustworthy,
then you can't believe the validity of any trace headers it sends.

Sorry, let me elaborate a bit :

We plan to have an interim setup where emails sent to us & HQ (in
another country)
has a global format ie ***@xxx.com.

Currently emails sent to our HQ are in the form ***@xxx.com.au & to
us are in
the form ***@xxx.com.nz.

So the plan (which is an interim measure as we'll plan to merge our email server
to HQ's email server/LDAP at a later stage) is :
when there are emails sent to .com that are meant for us (in nz), they
will be sent to
to our HQ's Proofpoint (which scan for malware, spam, rules) before these emails
are being rerouted from our HQ's ProofPoint to our email server via
public Internet
(as we don't have a point to point WAN link with our HQ) without going through
our (nz) ProofPoint.


Our local Proofpoint won't scan for malware, spam, rules for these
forwarded emails
from our HQ's ProofPoint. Our local ProofPoint will only scan for
emails sent to us

Just a last post from me:

is there any chance that a whitelisted IP address (whitelisted on
our local email server for the remote to forward email to us as we
plan to permit Tcp25 incoming for this whitelisted IP while the
rest of the emails have to go to our ProofPoint) could have
been spoofed?

If there's such a possiblity, can list a few URLs/links that
illustrate & explain such spoofing?

I hear conflicting internal suggestions

Yes. Search for "IP address spoofing" in the search engine of your
choice and you will find what you are looking for.

-Ralph

By that standard, we are ruled by a disguised race of alien
lizard-people. (Really, Google it...)

Spoofing the IP address used by a running system for TCP sessions is
*possible* but it requires very specific complex compromises targeting
the network paths between the spoofed system and the system(s) being
targeted by the deception. It requires specific points of vulnerability
which are relatively easy to avoid. It is not the sort of attack that
can be done by any script kiddie with a kit (unlike IP address spoofing
as a component of DDoS and reflection/amplification attacks.) This means
that to assess your actual risk (or determine the likelihood that
spoofing was involved in a specific incident) you need to look at much
more than the technical possibility, you need to weigh the value of the
attack relative to the difficulty of mounting it. That obviously is out
of scope for this or any other public forum, as it has nothing to do
with Postfix and requires specific knowledge of your business that
should probably not be public.

HOWEVER, in general when someone suggests that a Received header in a
piece of email describes an incident of IP spoofing, they are wrong.
This is because it is very rare for IP spoofing to be the simplest or
most likely explanation. For example, since you have 2 systems involved
in a SMTP transaction and the primary records of that are a Received
header and system logs, all an attacker needs to do in order to mimic IP
spoofing is to compromise one system or the other, preferably the SMTP
client. That's likely to be easier for an attacker to execute, harder to
detect in progress, and simpler for an attacker to clean up afterwards
to prevent tracking. In order to conclude that an incident was the
result of IP spoofing one must eliminate the other possibilities such as
client compromise, because it's easier to take over most machines than
it is to impersonate them while they remain online.

And if one wants to remove the potential for IP spoofing of SMTP between
a specific pair of machines across the Internet, this can be done with a
simple encrypted tunnel between them: a trivial degenerate VPN with 2
nodes and strictly controlled access on both ends.

Roger's question was clear. "Is there any chance that a whitelisted IP
address [...] could have been spoofed?". The answer is yes. Based on the
information available, everybody can make up his/her own mind about how
feasible this attack vector is, about the potential value of their
respective IT infrastructure as a target, and about the potential damage
inflicted. For myself and my customers, I don't rely on IP addresses,
but use strong encryption and authentication, as many others here on
this list are likely to do to a similar degree.

In any case, this subject is better suited for a networking related
mailing list then it is for the Postfix ML.

-Ralph

And yet in practice Bill is right. IP spoofing by spammers and virus
authors is not a realistic attack vector. Attackers who can manipulate
BGP routes and mount MiTM attacks on TCP are likely nation-state actors.

IP spoofing is the least of your worries when defending against
sophisticated targeted attacks by nation states.

I'm definitely not on a crusade in this matter. Risk assessment will
vary with each individual organization's requirements. As Postfix offers
excellent means of using both encryption and authentication, I have not
yet come across a situation where relying on IP addresses alone was the
sole option available. Then again, I usually work in environments where
distributing SSL keys in a safe manner is usually not a problem.

-Ralph