postfix-users April 2011 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: rejecting forged emails

Re: rejecting forged emails

From: Noel Jones <njones_at_nospam>
Date: Fri Apr 01 2011 - 18:17:26 GMT
To: postfix-users@postfix.org

On 4/1/2011 11:36 AM, Drizzt wrote:
> On 2011-04-01 11:22:04 (-0500), Vernon A. Fort<vfort@provident-solutions.com> wrote:
>> I'm trying to find a way to block/reject inbound messages forging our
>> internal email addresses. Meaning their inbound messages using MY email
>> address but there not originating from my server.
>>
>> I cannot seem to find the correct solution. Anyone.
>>
>> Vernon
>>
>
> With restriction classes you can drop this spoofing.
> Key is to first seperate your own server(s) (e.g. by giving them an OK
> before this check). Afterwards if the sender-domain matches any of your
> domain it must be spoofing (as only external servers reach this check)
> and you can just reject it.
>
>
>

No need for a restriction class. Just blacklist your own
domain after permit_mynetworks, permit_sasl_authenticated.

Note: this may reject a small amount of legit mail.

a quick example:

# main.cf
smtpd_recipient_restrictions =
   permit_mynetworks
# NOTE: remove the next line if not using SASL
   permit_sasl_authenticated
   reject_unauth_destination
   check_sender_access hash:/etc/postfix/sender_access
   ... other local checks ...

# sender_access
# replace example.com with your own domain name
example.com REJECT only authorized senders may use this address

remember to execute "postfix reload" after editing main.cf.
remember to execute "postmap sender_access" after editing it.

   -- Noel Jones