Initial situation:
To prevent spoofing without negatively affecting the Microsoft proxy rule ("send on behalf", see also Key Used With The Microsoft Delegation Rule) within the managed domain, the domain parts of the envelope sender address and the From header address are to be compared. If the sender domains are not identical, the email should be rejected.
The function "Reject incoming mails with spoofed sender domain", which prevents processing of internal mails, either cannot be used in conjunction with Office 365 due to a Managed Service Provider installation or does not provide the desired protection.
Question:
How can the sender domains in the envelope and in the From header be compared?
Answer:
In the scenario described above, this can be done via the Custom commands "For incoming emails BEFORE decryption" with the following code:
```
# Begin: Prevent from spoofing, especially in O365 environments
log(1,'compare envelope-sender-domain with from-header-domain');
# From header: copy into a scratch header, strip everything up to and including '@', read back the domain
setheader('x-header-from','$header_from');
compare('x-header-from','substitute','.*@');
getheader('x-header-from','header_from_domain');
# Envelope sender: same steps
setheader('x-envelope-sender','$from');
compare('x-envelope-sender','substitute','.*@');
getheader('x-envelope-sender','envelope_sender_domain');
# Reject the mail if the two domains differ
if (!compareattr('header_from_domain_raw','equal','$envelope_sender_domain_raw')) {
    log(1,'...but sender-domain in envelope and header is not identic, dropping');
    drop('554','5.7.1 Relay access denied');
}
# End: Prevent from spoofing, especially in O365 environments
```
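The same envelope-versus-header domain comparison, written in Python so the logic can be tried against sample messages offline. This is an added example, not part of the original article or the appliance's ruleset. The function names, verdict labels and sample addresses are assumptions, and the "undetermined" verdict for a missing domain (for example a bounce with a null envelope sender) is a choice made in this example, not documented appliance behaviour.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Return the lower-cased domain of a mail address, or '' if it has none."""
    # parseaddr separates the display name from the real address, so an '@'
    # inside a quoted display name does not influence the result.
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender_alignment(envelope_sender, raw_message):
    """Compare the envelope sender domain with the From header domain.

    Returns 'match', 'mismatch' or 'undetermined' (hypothetical labels).
    """
    msg = message_from_string(raw_message)
    header_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(envelope_sender)
    if not header_domain or not envelope_domain:
        # Assumption of this example: a missing domain on either side is
        # reported separately instead of being treated as equal or unequal.
        return "undetermined"
    return "match" if header_domain == envelope_domain else "mismatch"


# Constructed sample input: (envelope sender, message) pairs.
SAMPLES = [
    ("alice@example.com", "From: Alice <alice@example.com>\n\nhello"),
    ("ALICE@Example.COM", "From: alice@example.com\n\ncase differs only"),
    ("bounce@mailer.example.net", 'From: "CEO" <ceo@example.com>\n\nspoofed'),
    ("x@example.net", 'From: "ceo@example.com" <x@example.net>\n\ndisplay name'),
    ("<>", "From: MAILER-DAEMON@example.com\n\nbounce"),
]


def run_samples():
    """Return the verdict for each constructed sample, in order."""
    return [check_sender_alignment(env, raw) for env, raw in SAMPLES]


if __name__ == "__main__":
    for (env, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{env:28} -> {verdict}")
```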