In a previous forum discussion about the SMTP smuggling vulnerability @Jerome Deniau demonstrated that you can actually trick Notes by using the "FROM" inside MAIL DATA to fake a sender address (without actually trying to use the explicit vulnerability). So basically: the envelope-from is an evil actor with an SPF-valid domain, and the "FROM" inside MAIL DATA is the mail address e.g. of your internal helpdesk or your CEO. If this mail is received and opened in a Notes client, the user will only see the "FROM" address (which will look like the mail comes from his CEO); the envelope-from (SMTP-Originator) is not displayed.
I think this is a big security issue. How do you handle this in your environment? I could think of a custom application that will add "this mail is from external" to the mail, but does Domino (v12) offer any tool/configuration for this?
DMARC provides the solution you are looking for here. DMARC requires alignment of either the SPF authenticated domain in the RFC5321.MailFrom (the SMTP envelope MAIL FROM) and the domain of the RFC5322.From (the From: field in the message data), or the Signing Domain Identifier (SDID) in a DKIM signature verified by the receiving endpoint and the domain of the RFC5322.From.
WRT adding "this mail is from external", Domino 14.0 added this functionality. https://help.hcltechsw.com/domino/14.0.0/admin/enabling_ext_email_notifs.html
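The alignment rule described in this answer, worked through on the thread's own scenario, as an added example (not code from the thread or from HCL). It models what a receiving MTA does after SPF and DKIM have run: the RFC5322.From domain is compared with the SPF-authenticated RFC5321.MailFrom domain and with the DKIM d= of a verified signature, in either strict or relaxed mode. The AuthResults structure and the tiny PUBLIC_SUFFIXES set (standing in for the real Public Suffix List) are assumptions for this example.

```python
"""Added example, not code from the thread or from HCL: the DMARC identifier
alignment rule applied to a constructed copy of the thread's test message.

DMARC compares the RFC5322.From domain with two authenticated identifiers:
  - the RFC5321.MailFrom domain, when SPF returned "pass" for it
  - the DKIM d= (SDID) of a signature the receiver verified
Either one aligned is enough; an SPF pass on an unrelated domain is not.
PUBLIC_SUFFIXES stands in for the real Public Suffix List (assumption)."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

PUBLIC_SUFFIXES = {"de", "com", "net", "co.uk"}  # stand-in, not the real PSL


def organizational_domain(domain: str) -> str:
    """Registered domain: one label above the public suffix
    (stage.solvitocloud.de -> solvitocloud.de)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """RFC 7489 3.1: strict ("s") needs an exact match, relaxed ("r") only
    the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC runs (assumed shape)."""
    mail_from_domain: str          # RFC5321.MailFrom domain (SMTP envelope)
    spf_result: str                # "pass", "fail", "none", ...
    dkim_domain: Optional[str]     # d= of a verified DKIM signature, or None
    dkim_result: str               # "pass", "fail", "none"


def header_from_domain(raw_message: str) -> str:
    """Domain of the RFC5322.From header, i.e. what the Notes client shows."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_evaluate(raw_message: str, auth: AuthResults,
                   adkim: str = "r", aspf: str = "r") -> str:
    """'pass' if SPF or DKIM is both authenticated and aligned with From, else 'fail'."""
    from_dom = header_from_domain(raw_message)
    spf_ok = auth.spf_result == "pass" and aligned(from_dom, auth.mail_from_domain, aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(from_dom, auth.dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed copy of the curl test message from this thread.
SPOOF_MSG = """From: CEO <noreply@stage.solvitocloud.de>
To: Admin <admin@stage.solvitocloud.de>
Subject: Meeting Mail

Dear Joe, Welcome to this email. What a lovely day.
"""

if __name__ == "__main__":
    # Envelope MAIL FROM is the attacker's SPF-valid domain, no DKIM: SPF passes
    # but is not aligned with stage.solvitocloud.de, so DMARC fails.
    print(dmarc_evaluate(SPOOF_MSG, AuthResults("solvito.de", "pass", None, "none")))
    # Same From, but the envelope domain really is the local one: aligned, pass.
    print(dmarc_evaluate(SPOOF_MSG, AuthResults("stage.solvitocloud.de", "pass", None, "none")))
    # Sibling subdomain used as bounce address: passes relaxed, fails strict.
    bounce = AuthResults("bounce.solvitocloud.de", "pass", None, "none")
    print(dmarc_evaluate(SPOOF_MSG, bounce, aspf="r"), dmarc_evaluate(SPOOF_MSG, bounce, aspf="s"))
```

The point the example makes is the one that matters for the spoof in this thread: SPF on its own says "solvito.de may send from this IP" and is satisfied, but DMARC only counts that SPF pass if solvito.de aligns with the From: domain, which it does not. A receiver that checks SPF but never evaluates DMARC alignment will therefore accept the message.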
Sadly this does not work. I have configured DMARC & SPF. Policy is set to "strict". But still: only mailfrom is checked, marked as valid and the mail is sent - please take a look at the screenshot:
As you can see: mailfrom is "jhs@solvito.de" - DATA.From is "noreply@stage.solvitocloud.de". @stage.solvitocloud.de is the receiving domain and @solvito.de the sender. I have used curl to generate this email - the full command:

curl smtp://stage.solvitocloud.de --mail-from jhs@solvito.de --mail-rcpt admin@stage.solvitocloud.de --upload-file email.txt

email.txt contents:

From: CEO <noreply@stage.solvitocloud.de>
To: Admin <admin@stage.solvitocloud.de>
Subject: Meeting Mail

Dear Joe, Welcome to this email. What a lovely day.
And this is how the mail looks when received by admin@stage.solvitocloud.de:
I understand the scenario you are describing. It is a very common spoofing technique which DMARC is designed to prevent. From the headers (X-TNEFEvaluated), it appears that you are sending the message to Domino. Domino does not currently do DMARC validation of inbound messages, though HCL is planning to do so in a future release.
I do see that DMARC policies are published for solvito.de and solvitocloud.de. I assume this is what you were referring to when you said you configured DMARC?
Thank you for that reply. This is the explanation I was looking for.
Yes, this is what I was referring to. In general I just wanted to say "Why is it so easy to trick my Domino, and who has already found a good working solution for this?!". From my understanding the common way at the moment is to at least mitigate the impact by putting a warning into the subject/header that this mail comes from "the internet". This is implemented in Domino v14. I was wondering if you/somebody ( @Pramod Chavan ) can confirm that this spoofing technique does not trick the new "External email notifications" feature?
Regarding "though HCL is planning to do so in a future release.": Are you aware of an aha.io idea I could vote for?
WRT the external email notification feature, the doc states it better than I can, but there are two options.
1. The Domino SMTP server adds a notification to every message it receives. This is the useful option if you know all incoming messages to a particular Domino SMTP server are from external sources.
2. The Domino SMTP server adds a notification once the mail's sender and SMTP reverse-path are determined to be from outside your local internet domains. If either the mail's "From" domain or the SMTP reverse-path domain is not a domain listed in your Global Domain documents, then the mail is considered external, and the Subject line or message body is updated to include the notification text.
I think the second option answers your question about whether External notifications could be tricked by the spoofing technique. Just to be clear, the External Email notifications feature in and of itself is not an anti-spoofing solution, just a means to caution an end user that an email could be spoofed, contain malicious content, etc.
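The decision rule quoted above for option 2, written out on the thread's own test message, as an added example (not HCL's implementation). It checks both identifiers, the RFC5322.From domain and the SMTP reverse-path domain, against a list of local internet domains and tags the Subject when either one is foreign. LOCAL_DOMAINS (standing in for the Global Domain documents) and the NOTICE text are assumptions for this example; the handling of a null reverse path is the example's choice, not documented Domino behaviour.

```python
"""Added example, not HCL's implementation: the option 2 rule for Domino 14
External email notifications. The mail counts as external when either the
RFC5322.From domain or the SMTP reverse-path (MAIL FROM) domain is not one
of the local internet domains. LOCAL_DOMAINS and NOTICE are assumptions."""
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"solvitocloud.de", "stage.solvitocloud.de"}  # assumed Global Domain entries
NOTICE = "[EXTERNAL] "                                         # assumed notification text


def domain_of(address: str) -> str:
    """Lower-cased domain part of a mailbox, '' if there is none (e.g. MAIL FROM:<>)."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(reverse_path: str, raw_message: str, local_domains=LOCAL_DOMAINS) -> bool:
    """Option 2: external unless BOTH identifiers belong to a local domain.
    A null reverse path ('<>') has no domain and therefore counts as external
    here (the example's choice for that edge case)."""
    from_dom = domain_of(message_from_string(raw_message).get("From", ""))
    rp_dom = domain_of(reverse_path)
    return from_dom not in local_domains or rp_dom not in local_domains


def tag_subject(reverse_path: str, raw_message: str,
                local_domains=LOCAL_DOMAINS, notice=NOTICE) -> str:
    """Prepend the notice to Subject when the mail is external; otherwise leave it."""
    msg = message_from_string(raw_message)
    if is_external(reverse_path, raw_message, local_domains):
        subject = msg.get("Subject", "")
        if not subject.startswith(notice):      # do not stack notices on relays
            del msg["Subject"]
            msg["Subject"] = notice + subject
    return msg.as_string()


# Constructed copy of the thread's test message: local From, external MAIL FROM.
TEST_MSG = """From: CEO <noreply@stage.solvitocloud.de>
To: Admin <admin@stage.solvitocloud.de>
Subject: Meeting Mail

Dear Joe, Welcome to this email. What a lovely day.
"""

if __name__ == "__main__":
    # Spoof from the thread: From is local, reverse-path is solvito.de -> external.
    print(is_external("jhs@solvito.de", TEST_MSG))
    # Genuinely internal: both identifiers local -> no notice.
    print(is_external("noreply@stage.solvitocloud.de", TEST_MSG))
    print(tag_subject("jhs@solvito.de", TEST_MSG))
```

Because the rule is an OR over the two identifiers, the spoof in this thread (local From:, foreign MAIL FROM) is tagged; a message that forges both identifiers to local domains would not be, which is why the answer above stresses that the feature is a caution to the user and not an anti-spoofing control on its own.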
We apologize, however in Domino 12 there is no option available for configuring such a feature. We can configure the mentioned setting on the incoming gateway server to add such lines for external incoming mail.
However, in Domino 14 there is a new security-related feature for External email notifications. Please refer to the link below for more details on this.
Please check and upgrade the Domino server to 14 to enable the mentioned setting, which adds the required text or HTML to incoming SMTP mail from external domains.
Which "from" field will be used to check if the mail comes from an external domain? RFC5321.MailFrom (the SMTP envelope MAIL FROM) or the domain of the RFC5322.From (the From: field in the message data)? If this is using the envelope-from it will not help in this case.