feat(smtp_relay): add upstream_sender to fix SPF on probe forwarding

Override the envelope MAIL FROM with a domain we own when talking to the upstream relay. SPF passes at the recipient; the attacker's From: header inside the message body is untouched so they see their own address in their inbox and believe the relay is real.
2026-04-30 11:47:18 -04:00
parent 24cdef9246
commit fdf38a9d8c
2 changed files with 23 additions and 6 deletions
--- a/decnet/services/smtp_relay.py
+++ b/decnet/services/smtp_relay.py
@@ -60,6 +60,13 @@ class SMTPRelayService(BaseService):
            type="string",
            help="AUTH password for the upstream relay (optional).",
        ),
+        ServiceConfigField(
+            key="upstream_sender",
+            label="Upstream envelope sender",
+            type="string",
+            placeholder="probe@yourdomain.com",
+            help="Envelope MAIL FROM used when talking to the upstream relay. Set this to an address your server is authorised to send from so SPF passes at the recipient. The attacker's From: header inside the message is untouched.",
+        ),
        ServiceConfigField(
            key="probe_limit",
            label="Probe forward limit",
@@ -103,6 +110,8 @@ class SMTPRelayService(BaseService):
            fragment["environment"]["SMTP_UPSTREAM_USER"] = cfg["upstream_user"]
        if "upstream_pass" in cfg:
            fragment["environment"]["SMTP_UPSTREAM_PASS"] = cfg["upstream_pass"]
+        if "upstream_sender" in cfg:
+            fragment["environment"]["SMTP_UPSTREAM_SENDER"] = cfg["upstream_sender"]
        if "probe_limit" in cfg:
            fragment["environment"]["SMTP_PROBE_LIMIT"] = str(cfg["probe_limit"])
        return fragment