Author Topic: X-Envelope-From and From different  (Read 2650 times)

X-Envelope-From and From different
« on: January 14, 2022, 09:47:20 AM »
Today I received an email where the "X-Envelope-From" and "From" fields are different.
The client is confused because he was deceived into thinking the email was sent by his coworker on the same e***d.com domain.

The sender intentionally wants to confuse the recipient about whom it was sent from, because the server accepts the email from X-Envelope-From, while the client in the email client application sees only From as the sender, which is actually not true.

My question is:
which service on CentOS Web Panel should remove this mail, or just mark it as SPAM or as a deceiving email?
Maybe SpamAssassin or Postfix?

Where do I configure checking of incoming emails for valid SPF, DKIM, DMARC?

I do not have this installed on the server:
"AntiSpam/AntiVirus (recommended): ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM"



Thank you.


Header of this email:
Code:
Return-Path: <carola.scheffel@mydkt.com>
Delivered-To: vt@e***d.com
Received: from srv.m***r.com
    by srv.m***r.com with LMTP id uO/ALc4q4WGVWAAAoUtXVA
    for <vt@e***d.com>; Fri, 14 Jan 2022 08:48:30 +0100
Received: from mta1dc6.protectedservice.net (mta1dc6.protectedservice.net [194.1.166.173])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by srv.m***r.com (Postfix) with ESMTPS id B4422A405AB
    for <vt@e***d.com>; Fri, 14 Jan 2022 08:48:30 +0100 (CET)
X-Envelope-From: carola.scheffel@mydkt.com
X-Hid: 5c2eeee9-750e-11ec-bd20-00163e218517
Received: from zimbra-mbox25dc1.protectedservice.net (ec2-3-9-3-218.eu-west-2.compute.amazonaws.com [3.9.3.218])
    by smtp.protectedservice.net (Halon) with ESMTPS
    id 5c2eeee9-750e-11ec-bd20-00163e218517;
    Fri, 14 Jan 2022 07:48:27 +0000 (GMT)
Received: from zimbra-mbox25dc1.protectedservice.net (localhost [127.0.0.1])
    by zimbra-mbox25dc1.protectedservice.net (Postfix) with ESMTP id B83D7470F25
    for <vt@e***d.com>; Fri, 14 Jan 2022 07:48:27 +0000 (UTC)
Date: Fri, 14 Jan 2022 07:48:27 +0000 (UTC)
From: RS <rs@e***d.com>
Reply-To: office.mobilemail7@gmail.com
To: vt@e***d.com
Message-ID: <84477814.4167090.1642146507695.JavaMail.zimbra@mydkt.com>
Subject: =?utf-8?Q?Payment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: Zimbra 8.8.15_GA_4018 (ZimbraWebClient - GC96 (Win)/8.8.15_GA_4026)
Thread-Index: YFWfkK3jx1TTazTDLfBNMsQQSbIiiQ==
Thread-Topic: =?utf-8?Q?Payment?=
« Last Edit: January 14, 2022, 10:19:40 AM by idovecer »

Re: X-Envelope-From and From different
« Reply #1 on: January 14, 2022, 09:14:58 PM »
It may be that you have a specific E-mail where the sender is trying to confuse the recipient, but this cannot be concluded from E-mail senders. I, for example, use it this way: X-Envelope-From is different from Mime-From, for the same domain, for historical and convenience reasons, and they are absolutely legitimate E-mails.

=> Envelope From (RFC 5321)
Used by the SMTP server to generate NDR (Non-Delivery Report).
Used by SPF filter to determine if it came from the designated IP address.

=> Mime Header From (RFC 5322)
Used by the email client to display information in the From field.
Used by DMARC filter to confirm if the message is authentic.

Also, there are many legitimate reasons for the envelope sender and the From header not to match.
Rejecting mails based on that is not a good idea.

Anyway, if you need to, you must implement it through DKIM and DMARC policies.
Check this page to do it, and note the notices:
https://support.google.com/a/answer/10032169?hl=en
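
Added example, not part of the thread or of any CWP/Postfix tooling: a small Python check of DMARC identifier alignment between the envelope sender, DKIM `d=` domains and the header From, showing why a bare envelope/From mismatch is not enough to reject on. The sample messages use constructed placeholder domains, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lowercased domain of the address in a header value, '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def org_domain(domain):
    # Assumption: last two labels = organizational domain. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])

def alignment_report(raw):
    """Identifier alignment only; SPF/DKIM must still pass on the MTA."""
    msg = message_from_string(raw)
    hdr = domain_of(msg["From"])
    env = domain_of(msg["Return-Path"] or msg["X-Envelope-From"])
    dkim = [m.lower() for s in msg.get_all("DKIM-Signature", [])
            for m in re.findall(r"(?:^|;)\s*d=([^;\s]+)", s)]
    reply = domain_of(msg["Reply-To"])
    same_org = lambda d: bool(d) and bool(hdr) and org_domain(d) == org_domain(hdr)
    return {
        "header_from": hdr,
        "envelope_from": env,
        "spf_id_aligned": same_org(env),       # RFC 5321 sender vs From
        "dkim_id_aligned": any(same_org(d) for d in dkim),
        "reply_to_other_org": bool(reply) and not same_org(reply),
    }

# Constructed sample, shaped like the header in the first post.
SPOOFED = """Return-Path: <someone@sender.example.net>
X-Envelope-From: someone@sender.example.net
From: RS <rs@example.com>
Reply-To: mailbox@example.org
Subject: Payment
"""
# Constructed legitimate mismatch: bounce address on a subdomain.
LEGIT = """Return-Path: <bounce-123@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=x; b=y
From: RS <rs@example.com>
Subject: Report
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, alignment_report(raw))
```

DMARC needs at least one aligned identifier that also passes its own check (SPF or DKIM), so the first sample would fail DMARC for the From domain while the second, despite a different envelope sender, could pass.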