Roman Medina-Heigl Hernandez wrote:
Hello,
Spammers often send (forged) mail where "mail from" address is the same as
"rcpt to" address. An extension of that could be using a "mail from"
address where src domain is one of our valid virtual domains. I can only
think of 3 cases:
1) Src IP is 127.0.0.1 -> Mail should pass (eg: sent by webmail, installed
on the same MTA host).
2) Authenticated sender -> Legit users authenticated by SASL -> Should pass
3) All the rest -> Should be rejected (SPAM) (assuming a simple single-MTA
config, where MX -receiving mail server- is the same as MTA -outbound
sending mail server-)
Which is the best/preferred Postfix config to filter out that kind of spam?
I have all my valid domains in:
virtual_mailbox_domains = hash:/etc/postfix/vdomain
The current format of /etc/postfix/vdomain is:
domain1 whatever
domain2 whatever
So perhaps I could do something like:
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    XXXXX,
    permit
where XXXX could be some kind of "check_sender_access" clause, rejecting
domains listed in $virtual_mailbox_domains. How could I implement this? Is
there any other preferred solution?

Yes, you can use a map for this;
XXXX above =
    check_sender_access hash:/etc/postfix/mydomains
# mydomains
example.com REJECT inside sender not allowed
example.net REJECT inside sender not allowed
...
Note this will reject some legit mail. Spamassassin is
probably a better choice for filtering this type mail.

Another idea could be setting a SPF record for my domains and then some
kind of SPF checks (how could I do that?). I know it is a must but I'd
prefer to leave the SPF setup for the next stage (I'd like to deeply review
all pros/cons, ~all vs ?all, etc).

Yes, SPF will help this, but if you reject mail that fails SPF
checks you will have the same false positives as the above
solution.
Adding SPF to your domain is simply publishing a couple extra
DNS records, very simple to add.
http://www.openspf.org/
Checking SPF records in postfix requires a policy service.
There are several for postfix listed under
http://www.openspf.org/Implementations#mta-extensions
Also, if you have a recent version of postfix you can use any
milter that supports SPF. Many of them have additional features.
--
Noel Jones
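
Added example, not part of the original thread or of Postfix itself: a shell function that derives the mydomains sender map suggested in the reply from a vdomain file in the format shown in the question. The function names, the sample data and the use of permit_sasl_authenticated (to cover the authenticated-sender case) are assumptions of this example.

```sh
#!/bin/sh
# Added example: build the check_sender_access map from the vdomain file.
# Input  (format from the question): "<domain> <anything>" per line.
# Output (format from the reply):    "<domain> REJECT inside sender not allowed"

gen_sender_map() {
    # Reads vdomain-format text on stdin, writes access-map text on stdout.
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        {
            d = tolower($1)            # Postfix folds hash: lookup keys to lowercase
            if (!(d in seen)) {        # emit each domain once, in input order
                seen[d] = 1
                printf "%s REJECT inside sender not allowed\n", d
            }
        }
    '
}

# Constructed sample in the vdomain format (not real data).
sample_vdomain() {
    cat <<'EOF'
# virtual mailbox domains
example.com  whatever
Example.NET  whatever

example.com  duplicate
EOF
}

# Demonstration on the constructed sample.
sample_vdomain | gen_sender_map

# On a real host (paths as given in the thread):
#   gen_sender_map < /etc/postfix/vdomain > /etc/postfix/mydomains
#   postmap hash:/etc/postfix/mydomains
#
# main.cf: both permits sit before the sender check, so local (case 1) and
# SASL-authenticated (case 2) senders are accepted before the map is consulted.
#   smtpd_recipient_restrictions =
#       permit_mynetworks,
#       permit_sasl_authenticated,
#       reject_unauth_destination,
#       check_sender_access hash:/etc/postfix/mydomains,
#       permit
```

Regenerate the map and rerun postmap whenever the vdomain file changes, otherwise a newly added domain is not covered by the sender check.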