Distinguishing fake emails sent with PHP via postfix on a CentOS VPS - php

I am going through my first steps on VPS management and configuration; been able to install PHP, MySQL, phpMyAdmin, postfix, etc ... and migrate a WordPress from an existing shared server to this VPS.
Sorry for my question being naive, but when testing postfix with the php mail function, I purposely sent the email with a "From" header which was not my own email address (don't worry, nothing serious).
Question is: the email was sent and received in my inbox as if it was sent by somebody else! Is it this easy to send a fake email with php and postfix? (of course, checking email headers reveals the truth).
How can I restrict my VPS from being able to send emails from arbitrary addresses?
Thank you.

The answer is "yes and no": it is easy to "fake" emails, though that actually is not faking at all. Please understand that the "From" and "To" addresses shown inside an email message are part of the message's content. From a technical point of view these addresses have nothing to do with from whom (from which account) that message has been sent or to whom it is addressed. Those addresses (accounts) are specified on a completely different level.
In addition it is not up to the sending software to decide what is a valid message and what not, in terms of a message being genuine. That obviously would not make sense if you think about it. That is something that either the receiving side or the transmitting side have to make sure, here the email servers, especially the smtp servers accepting and routing messages.
And indeed this is the case: it is a question of your local smtp server's configuration if such a message is accepted for delivery or not. Most likely the message in your test case has been accepted because it originated from within your local network, or what the smtp server considers as your local network. For such messages typically other rules exist compared to routes received "from the outside" and this does make sense.
Further it is a well known fact that it is part of the responsibility of the smtp server administrators to make sure that their servers cannot be misused. The rules used for this are called "relaying rules", all current smtp server implementations offer configuration options dealing with that issue.
In general you can say that
really "faking" an email is not that easy if you look at the details. If a receiver only looks at superficial details then indeed he can easily be fooled.
email is not at all a secure means of communication, it never has been and it never was meant to be. It is built on trust in general.
the only secure way to make sure that an email has indeed been sent by the party that is claimed as sender inside the message is by using "signed messages", by using a digital signature.
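The distinction this answer draws between the visible "From" header and the envelope-level sender can be checked mechanically. The following is an added example, not code from the original post: it compares the header From domain with the envelope sender recorded in Return-Path and reads the receiver's Authentication-Results. The sample message, hosts and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder hosts and addresses, not from the post).
SAMPLE = """\
Return-Path: <apache@vps.example.net>
Received: from vps.example.net (vps.example.net [203.0.113.10])
\tby mx.example.org with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=vps.example.net;
\tdkim=none;
\tdmarc=fail header.from=bigbank.example
From: "Support" <support@bigbank.example>
To: me@example.org
Subject: test

Hello
"""

def domain_of(value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect method=result pairs (spf, dkim, dmarc) from the receiver."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:
            m = re.match(r"\s*(\w+)=(\w+)", part)
            if m:
                found[m.group(1).lower()] = m.group(2).lower()
    return found

def analyse(raw):
    """Report the visible sender, the envelope sender and whether they align."""
    msg = message_from_string(raw)
    header_from = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    # Aligned when the envelope domain equals the visible domain or is a subdomain of it.
    aligned = bool(envelope) and (
        envelope == header_from or envelope.endswith("." + header_from))
    return {"header_from": header_from, "envelope": envelope,
            "aligned": aligned, "auth": auth_results(msg)}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

In the sample, SPF passes for the envelope domain while the visible From domain is unrelated to it, which is the mismatch a header inspection reveals.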

Related

Postfix mail redirecting with sender change

I know there is a great function of Postfix which allows us to forward emails, so, for example, I have a Postfix service running at mydomain.com and I can send important notifications via email to my clients directly from info#mydomain.com. Also, thanks to forwarding functionality, I can RECEIVE letters back to info#mydomain.com and automatically get them forwarded to my full-featured "real" mailbox, for example, my#gmail.com.
It looks great, but there are two things that still need to be solved.
If I limit SMTP listener to 127.0.0.1:smtp, I still can send letters from the code, BUT I can not receive answers anymore. Not sure why. So I have to remove the limitation (but this will allow bad guys to use my Postfix as a spamming route point). Is there any possibility to allow email receive and still leaving SMTP limited to the localhost?
Postfix's forwarding does not work in the real life. Actually, the forwarded letters look like sent from the stranger's email (stranger#strangehost.com for example) and any "real" mail provider recognizes them as spam, because the SPF record in my domain says "allow to send only from mydomain.com" and stranger's emails does not pass this check.
So my big question is: Is it a way to implement a "redirection" of emails (not forwarding) so sender email will become "info#mydomain.com" and gmail.com (or other "real" mailbox) will not kick them?

How can one resend a received email as totally NEW email? So no forwarding or re-directs

This has been a massive headache. We use Ning as our platform for an arts event project. We want to ask our audience to upload photos to our website via an email address. The only issue is that Ning only will give us ridiculous email addresses for this purpose... such as photos34628234896#ourwebsite.com That hardly sticks in the mind!
So I thought, let's just forward emails from an easy to remember email address to the Ning's crazy one... BUT Ning doesn't allow any emails to upload photos if they are detected as being forwarded or redirected. I guess that detection is done through the email header.
So that is why I need a way to redirect an email to another address without that being reflected in the header info in the email. I thought perhaps Outlook receiving the emails from the easy to remember email address, then somehow resending them with a fresh clean header may be the answer? I can code in PHP, and run a home headerless ubuntu server on a domestic internet connection too if that may provide a better answer?
Any thoughts how I could achieve this goal?
If you can forward the email to your server you can have it piped to PHP which can then resend the email for you with whatever email address you wish to be displayed. Just make sure you have things like DomainKeys and SPF records set up for that server or else your chances of the mail being seen as spam will increase.
If you are using an Exchange server, you can use Transport rules to redirect the message, which will pass most forwarding checks. If it does indeed change the headers or something else, you can use the same ruleset to remove or modify them. Most MTAs(Mail Transport) will allow the same sort of functions, but it really depends on which one you use. Postfix is quite flexible.
The changes will be made in
Exchange Management Console
Organization Configuration
Hub Transport
Transport Rules
Also, and maybe easier, you could simply try to add a secondary delivery address, in the mail flow settings for the fictional user you assign to receive the emails. This would be done in the user properties. Server level forwarding may not trigger the forwarding blocks that you are encountering, as client forwarding does not work in entirely the same way. Many clients send the email again, but the server redirects it.
Exchange Management Console
Recipient Configuration
Mailbox
Properties, Mail Flow Settings.
You would enable forwarding in Delivery Options.
Sorry, just noticed that you are using ubuntu, you can simply have postfix redirect the email for you, you will use Postfix Virtual Alias Maps...
Here is a link that describes it perfectly...
http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/

Automatically Create Email

First off, let me just say that I know similar questions have been asked here and here.
But, there are problems with both questions. Question one has only one answer (which isn't helpful) and question two needs to work with Google Enterprise.
I have a LAMP stack hosted on Linode which hosts multiple sites each with a separate file in the sites-available folder. I have a specific domain which we will call myawesomedomain.com. Now, myawesomedomain.com has nothing in it right now and will not have any proper, full-fledged site. Only a simple form. The fields will consist of:
Username
Email Address
Password
Here's what I want. Whenever a user signs up, an email is automatically created with the username username#myawesomedomain.com. From that point on, whenever email is sent to username#myawesomedomain.com, the email is automatically forwarded to the email the user signed up with so that the email is never stored on my server (and therefore does not take up space).
So, my essential questions are:
How do I automatically create email addresses from PHP
How can I have the emails automatically forwarded to another email address in a MySQL database and not stored on my server.
What mail server should I be using and how should I set it up so it doesn't interfere with the rest of my sites.
Is there any way that a lack of spam and virus filtering could affect me. As in, if a hacker sends a PHP file to username#myawesomedomain.com, is there any way that my server could be affected.
Whatever else you feel is needed.
I've heard of Postfix but I don't know much about mail servers...
Sorry for the long(?) question and thank you in advance.
edit
Should I put this on ServerFault instead?
The "creating an email alias from php"-part is not a problem. If you're running postfix as a mail server it's as simple as inserting a row into a mysql table.
INSERT INTO myaliastable (pattern, alias) VALUES ("john#myawesomedomain.com","john#example.net")
see:
http://www.postfix.org/MYSQL_README.html
http://www.postfix.org/postconf.5.html#virtual_alias_maps
BUT:
creating a forwarder service like this comes with a lot of problems you should be aware of:
you MUST verify the target email address before you enable that forwarder (send message, have the recipient click on a link) or spammers will signup accounts and use your system as open relay
you MUST run a very good spamfilter... forwarding spam is no different from sending spam and will get your server blacklisted
if a target server starts rejecting your forwarder for any reason you will be sending backscatter which again can get your server blacklisted
if the sender domain uses SPF records and the target of the forwarder checks SPF, forwarded mail will be rejected. you could add SRS rewrites, which unfortunately is not that simple in postfix
since you state you don't know much about mailservers I would strongly advise to read up on them first, check out best practices on spam prevention and then tackle this project again.
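The SPF problem with forwarding raised in this answer, and in the earlier question about forwarded mail being treated as spam, comes down to which domain the final receiver checks. The following is an added example, not code from the original posts: it evaluates only the `ip4` and `all` mechanisms of constructed SPF records and uses a simplified SRS0-style rewrite. The domains, IP addresses and key are placeholders, and real SRS also carries a timestamp.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF policies and key (placeholders, not real DNS data).
SPF = {
    "strangehost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mydomain.example": "v=spf1 ip4:203.0.113.10 -all",
}
KEY = b"constructed-demo-key"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from):
    """Evaluate the MAIL FROM domain's policy (ip4 and all mechanisms only)."""
    record = SPF.get(mail_from.rpartition("@")[2].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULT[qualifier]
    return "neutral"

def tag_for(domain, user):
    """Short keyed tag so only addresses we rewrote can be reversed."""
    return hmac.new(KEY, f"{domain}={user}".encode(), hashlib.sha256).hexdigest()[:8]

def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS0-style envelope rewrite (real SRS also adds a timestamp)."""
    user, _, domain = mail_from.rpartition("@")
    return f"SRS0={tag_for(domain, user)}={domain}={user}@{forwarder_domain}"

def srs_reverse(address):
    """Recover the original sender for bounces; None if the tag is not ours."""
    parts = address.rpartition("@")[0].split("=", 3)
    if len(parts) != 4 or parts[0] != "SRS0":
        return None
    _, tag, domain, user = parts
    return f"{user}@{domain}" if hmac.compare_digest(tag, tag_for(domain, user)) else None

def forward_scenario(forwarder_ip="203.0.113.10"):
    """SPF result at the final mailbox: plain forward vs. rewritten envelope."""
    original = "stranger@strangehost.example"
    rewritten = srs_rewrite(original, "mydomain.example")
    return spf_check(forwarder_ip, original), spf_check(forwarder_ip, rewritten)
```

The keyed tag is what lets the forwarder refuse bounces addressed to rewritten senders it never issued, which limits the backscatter risk the answer mentions.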

PHP sending emails through random email accounts

I'm working on a website that allows you to send emails without registering, and without specifying a sender. You enter the recipient's address, subject, body and send. My problem is sending the message. What I'm trying to achieve:
User clicked send -> Subject,recipient,body sent to PHP -> Server validates the information -> Server creates a random email account -> Server sends the email through the random account created -> Server deletes the account
I'm stuck at the random email account creation step. How do I achieve this with PHP without having to pay for my own SMTP server and without having to use my own gmail/hotmail account.
I googl'd the hell out of this issue and I can't find an answer.
Thanks!
BTW
I'm using Apache to "host" on my own Ubuntu
How do I achieve this with PHP without having to pay for my own SMTP server and without having to use my own gmail/hotmail account.
The way to create E-Mail accounts varies wildly from server software to server software, and is usually not possible from within PHP.
Depending on your server's configuration, though, that might not be necessary: If you set up a catch all address for a domain, many server configurations will allow you to send out mails from any E-Mail on that domain (e.g. 123456789#example.com). Any responses will then go to that catch-all mailbox, the contents of which you will probably want to discard.
You have to realize, though, that this is exactly how spam providers operate. Extreme caution is advised if you don't want to end up on all sorts of spam blacklists.
I don't believe you can create accounts or email accounts on a server, using PHP, as this supersedes PHP's permission level. Sending emails this way is a good way to get your server banned, FYI. Also, if you insist on sending emails like this, why not just specify a dummy From: email address? It would essentially be the same thing as creating a dummy account anyhow.
You may also want to use the -f switch, for PHP's mail(). See php.net/manual/en/function.mail.php

A couple problems re: CodeIgniter emailer

I have some problems with the email system for CodeIgniter:
First, the emails I send out (registration, confirmations) are getting caught in standard spam filters in gmail and other mail clients. How do I get around this? How do companies like Facebook get their emails through consistently?
Second, the mailer is working locally but once we deploy it it no longer runs (doesn't send emails) but all the other forms run just fine. Anyone ever run into a problem like this?
Thanks for all the help!
I can't really answer your first question - it's not specific to CodeIgniter. You just need to make sure your email doesn't look like spam. In short - there's no way of guaranteeing your e-mail will not end up in a spam filter.
As for the second question, I expect your production server needs to be configured properly for email. You probably need to configure CodeIgniter to send email properly. I would suggest setting up an SMTP server (or using an existing one) rather than using the standard PHP mail which I think CodeIgniter uses by default.
Regarding spam, most organisations are very secretive about how they prevent spam (not wanting to publish information which helps the spammers) and in some cases they don't actually know - an obvious example of this is bayesian filtering - but, for example, hotmail use a completely unaccountable army of volunteers to manually classify emails.
Do go and get a copy of spamassassin and try to reverse engineer how the standard rules work. Obvious things to check are:
1) AVOIDING LOTS OF CAPITALS
2) don't mention the 'V' word
3) make sure you've got a current and restrictive SPF 1.0 policy published
4) make sure you're sending from an address which has A and PTR DNS records
5) Do provide a reply-to and from email address which use your domain in the address
the mailer is working locally but once we deploy it it no longer runs
doesn't send emails
Which? These are 2 totally separate things. If the code is falling over (if so why have you not provided the error details) then it's likely a PHP version issue or a problem with the connection to the MTA (or the PHP mail config).
The latter is a problem with the MTA itself.
99.9% of problems reported as PHP mail failures have nothing to do with PHP and are problems with the MTA.
Enable detailed error reporting for your MTA and see where it is failing.
C.
You may have to configure the email on your server differently than your local development environment. I've had to in the past.
There are two basic ways that PHP can send mail:
Via a UNIX program called "sendmail" (only on non-Windows servers and only if it is installed - check with your hosting provider)
Via a SMTP server.
If you've configured CodeIgniter to use SENDMAIL, check to ensure that the Sendmail path is correct. Your hosting provider usually provides this somewhere in their online documentation.
If you're using SMTP, you need to make sure that your server can contact the SMTP server. You can do this by logging into the server via SSH and typing "telnet your.smtpserver.com 25". If you get an error message about not being able to connect, you know you have a problem with your hosting provider connecting to your mail server.
I've been able to diagnose this problem by enabling logging on my production server (http://bit.ly/4pprd6) and adding log_message('error', $this->email->print_debugger()) right after I attempt to send a message.
