Score:0

How to configure Postfix to reject emails which pretend to be sent from myhostname?

ug flag

Suppose the Postfix mail service is serving the domain @mycompany.com. The local network is 192.168.10.0/24. An attacker from the Internet sends an email pretending it originates from @mycompany.com:

```
Received: from mycompany.com (unknown [37.139.129.8])
    by mycompany.com (Postfix) with ESMTP id 967DB396B598
    for <[email protected]>; Mon, 14 Aug 2023 19:36:39 +0200 (CEST)
From: [email protected]
To: [email protected]
```

Is there any option to reject email that has From: *@mycompany.com and does not originate from mynetworks (192.168.10.0/24)? I would think about adding

```
/^From: .*@mycompany\.com/ REJECT Invalid sender address
```

to /etc/postfix/header_checks, but that will block all such emails irrespective of the source IP, while the intention is to allow clients from mynetworks.

Any further ideas or suggestions are welcome.

Score:4
jp flag

The need for doing this suggests you are not implementing the existing email spoofing controls that would protect your domain from abuse globally, and that you are using the same smtpd instance for inbound & outbound mail.

The proper solution for this would include:

  1. Deploying DKIM & SPF.
  2. Deploying a DMARC policy with p=reject.
  3. Configuring OpenDMARC on the host for rejecting inbound, forged mail.
  4. Using a separate smtpd instance as a submissions (smtps) for outbound mail.

If you started from #4, you could already use the header_checks as you suggest, but that would become unnecessary after you are finished with #1, #2 & #3.


Protecting the envelope sender from spoofing would be possible by allowing mail from trusted IP addresses and then rejecting the sender domain for the rest.

A solution with hash: (Berkeley DB) table type:

```
smtpd_recipient_restrictions =
    . . .
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/access/sender_access,
    permit
```

And in the /etc/postfix/access/sender_access:

```
example.com  550 YOU ARE NOT ME.
```

This requires running postmap /etc/postfix/access/sender_access after modifications!


Another solution requires the Postfix PCRE Support, but is more flexible, as it enables, e.g., blacklisting entire TLDs.

```
smtpd_recipient_restrictions =
    . . .
    permit_mynetworks,
    check_sender_access pcre:/etc/postfix/access/sender_access,
    permit
```

And in the /etc/postfix/access/sender_access:

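```
# Anchored on "@" or "." so that a different domain that merely ends
# in "example.com" (e.g. notexample.com) is not rejected as well.
/[@.]example\.com$/  550 YOU ARE NOT ME.
/\.loan$/            550 .loan? no thanks, we have money.
```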
dma_k avatar
ug flag
Thanks. I have checked that the solution also works with the standard BDB map `check_sender_access hash:/etc/postfix/access/sender_access` with simpler content `mycompany.com 550 ...` – why do you suggest PCRE?
dma_k avatar
ug flag
And I believe one can't use `$myhostname` variable in map file (supposed to be substituted)...
jp flag
I've added both variants.
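
The following is an added example, not code from the answer or from Postfix: a simplified Python model of the restriction order `permit_mynetworks`, `check_sender_access`, `permit`, useful for checking which envelope senders a given table would reject before deploying it. The table contents, the sample senders, and the pattern anchored on `@` or `.` are constructed assumptions; `192.168.10.0/24` and `37.139.129.8` come from the question.

```python
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network("192.168.10.0/24")]  # network from the question
REJECT = "550 YOU ARE NOT ME."

# Constructed table contents for the question's domain (assumption).
HASH_TABLE = {"mycompany.com": REJECT}
PCRE_LOOSE = [(re.compile(r"mycompany\.com$", re.I), REJECT)]
PCRE_ANCHORED = [(re.compile(r"[@.]mycompany\.com$", re.I), REJECT)]


def hash_lookup(sender, table=HASH_TABLE):
    """Simplified hash: lookup: full address, then the domain and its parents."""
    sender = sender.lower()
    labels = sender.rpartition("@")[2].split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return next((table[k] for k in keys if k in table), None)


def pcre_lookup(sender, rules):
    """pcre: tables try each pattern, in file order, against the whole address."""
    return next((act for pat, act in rules if pat.search(sender)), None)


def evaluate(client_ip, mail_from, lookup):
    """First decisive restriction wins: permit_mynetworks, check_sender_access, permit.

    mail_from is the envelope sender (MAIL FROM); the From: header is not consulted.
    """
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "permit"
    return lookup(mail_from) or "permit"


if __name__ == "__main__":
    cases = [  # constructed clients and senders; 37.139.129.8 is from the question
        ("192.168.10.5", "alice@mycompany.com"),
        ("37.139.129.8", "alice@mycompany.com"),
        ("37.139.129.8", "alice@mail.mycompany.com"),
        ("37.139.129.8", "bob@notmycompany.com"),
    ]
    for ip, sender in cases:
        print(ip, sender,
              "| hash:", evaluate(ip, sender, hash_lookup),
              "| loose pcre:", evaluate(ip, sender, lambda s: pcre_lookup(s, PCRE_LOOSE)),
              "| anchored pcre:", evaluate(ip, sender, lambda s: pcre_lookup(s, PCRE_ANCHORED)))
```

The model only covers the envelope sender, which is why the `From:` header shown in the question still needs the DKIM, SPF and DMARC steps listed in the answer.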