From fdf38a9d8cdaddbdc61aff512febd0353fbc5c3f Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Thu, 30 Apr 2026 11:47:18 -0400
Subject: [PATCH] feat(smtp_relay): add upstream_sender to fix SPF on probe
 forwarding

Override the envelope MAIL FROM with a domain we own when talking to the
upstream relay. SPF passes at the recipient; the attacker's From: header
inside the message body is untouched so they see their own address in their
inbox and believe the relay is real.
---
 decnet/services/smtp_relay.py   |  9 +++++++++
 decnet/templates/smtp/server.py | 20 ++++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/decnet/services/smtp_relay.py b/decnet/services/smtp_relay.py
index c4ec5423..77d379ae 100644
--- a/decnet/services/smtp_relay.py
+++ b/decnet/services/smtp_relay.py
@@ -60,6 +60,13 @@ class SMTPRelayService(BaseService):
             type="string",
             help="AUTH password for the upstream relay (optional).",
         ),
+        ServiceConfigField(
+            key="upstream_sender",
+            label="Upstream envelope sender",
+            type="string",
+            placeholder="probe@yourdomain.com",
+            help="Envelope MAIL FROM used when talking to the upstream relay. Set this to an address your server is authorised to send from so SPF passes at the recipient. The attacker's From: header inside the message is untouched.",
+        ),
         ServiceConfigField(
             key="probe_limit",
             label="Probe forward limit",
@@ -103,6 +110,8 @@ class SMTPRelayService(BaseService):
             fragment["environment"]["SMTP_UPSTREAM_USER"] = cfg["upstream_user"]
         if "upstream_pass" in cfg:
             fragment["environment"]["SMTP_UPSTREAM_PASS"] = cfg["upstream_pass"]
+        if "upstream_sender" in cfg:
+            fragment["environment"]["SMTP_UPSTREAM_SENDER"] = cfg["upstream_sender"]
         if "probe_limit" in cfg:
             fragment["environment"]["SMTP_PROBE_LIMIT"] = str(cfg["probe_limit"])
         return fragment
diff --git a/decnet/templates/smtp/server.py b/decnet/templates/smtp/server.py
index 03060b16..b9e38af2 100644
--- a/decnet/templates/smtp/server.py
+++ b/decnet/templates/smtp/server.py
@@ -52,11 +52,17 @@ OPEN_RELAY  = os.environ.get("SMTP_OPEN_RELAY", "0").strip() == "1"
 # messages per source IP are actually delivered via this upstream so the
 # attacker can verify receipt and proceeds to run their campaign. All subsequent
 # messages get 250 OK but only land in quarantine.
-_UPSTREAM_HOST = os.environ.get("SMTP_UPSTREAM_HOST", "").strip()
-_UPSTREAM_PORT = int(os.environ.get("SMTP_UPSTREAM_PORT", "25"))
-_UPSTREAM_USER = os.environ.get("SMTP_UPSTREAM_USER", "").strip()
-_UPSTREAM_PASS = os.environ.get("SMTP_UPSTREAM_PASS", "").strip()
-_PROBE_LIMIT   = int(os.environ.get("SMTP_PROBE_LIMIT", "1"))
+_UPSTREAM_HOST   = os.environ.get("SMTP_UPSTREAM_HOST", "").strip()
+_UPSTREAM_PORT   = int(os.environ.get("SMTP_UPSTREAM_PORT", "25"))
+_UPSTREAM_USER   = os.environ.get("SMTP_UPSTREAM_USER", "").strip()
+_UPSTREAM_PASS   = os.environ.get("SMTP_UPSTREAM_PASS", "").strip()
+# Envelope MAIL FROM used when talking to the upstream. Overriding this to a
+# domain we own makes SPF pass at the recipient — the attacker's From: header
+# inside the message body is untouched, so they see their own address in their
+# inbox and verify the relay works. Without this, SPF for the attacker's domain
+# fails on our IP and the probe lands in spam or gets rejected outright.
+_UPSTREAM_SENDER = os.environ.get("SMTP_UPSTREAM_SENDER", "").strip()
+_PROBE_LIMIT     = int(os.environ.get("SMTP_PROBE_LIMIT", "1"))
 
 # Per-source-IP count of messages that have been actually forwarded upstream.
 # Bounded at _IP_COUNT_MAX entries to avoid unbounded growth over long runs.
@@ -100,6 +106,7 @@ def _forward_probe_sync(
     rcpt_to: list[str],
     body: bytes,
     msg_id: str,
+    envelope_from: str = "",
 ) -> bool:
     """Forward a probe email to the real upstream relay (blocking, runs in thread pool).
 
@@ -111,7 +118,7 @@ def _forward_probe_sync(
             conn.ehlo(NODE_NAME)
             if _UPSTREAM_USER and _UPSTREAM_PASS:
                 conn.login(_UPSTREAM_USER, _UPSTREAM_PASS)
-            conn.sendmail(mail_from, rcpt_to, body)
+            conn.sendmail(envelope_from or mail_from, rcpt_to, body)
         return True
     except Exception:
         return False
@@ -326,6 +333,7 @@ class SMTPProtocol(asyncio.Protocol):
                     fut = asyncio.get_event_loop().run_in_executor(
                         _forward_pool, _forward_probe_sync,
                         _fwd_from, _fwd_rcpt, _fwd_body, _fwd_id,
+                        _UPSTREAM_SENDER,
                     )
                     fut.add_done_callback(_on_fwd_done)
                 # Persist the full .eml into the quarantine bind mount