On Fri, Mar 22, 2019 at 9:46 PM Bill Cole
<postfixlists-070...@billmail.scconsult.com> wrote:
>
> On 22 Mar 2019, at 19:19, Christian Schmitz wrote:
>
> > Hi everyone:
> > I have a small mail server with few email accounts. The server is:
> > Opensuse/Postfix/apache
> >
> > Today I received a phishing email. The words more or less say that I was
> > hacked, that he knows my passwords, blah blah blah, and I must pay in
> > bit_coins. The email content is 100% phishing and no real hacking, for
> > several reasons:
> > list@XXX was only created for mailing lists and no other usage
> > I have no webcam
> > The hacker did not use SASL to get real use of my account.
> > For forums/website registrations I use mailinator.com
> >
> > The curious thing is that the email seems at first to be written from me
> > to myself. If my email is list@xxx, the email claims to be from list@xxx
> >
> > So I started a little investigation in the LOG file, and it all seems
> > that the "hacker" does not know the passwords, because the emailer was
> > not SASL authenticated, so the "hacker" simply spoofed the FROM field:
> >
> > 1) First question: how can I filter the spoofed emails? In other words,
> > if the sender is not authorized to send as list@xxx because this email
> > is managed by ME
>
> Do not accept mail claiming to be from any address in a local domain on
> the port 25 (smtp) smtpd service. Only accept such mail via port 587
> (submission) and 465 (smtps) services configured to require
> authentication.
>
> >
> > 2) Second question: how can I adjust the sender policy to block soft
> > fail SPF?
>
> That would be a very dangerous thing to do. SPF 'soft fail' is not
> intended to be used that way and it is used instead of 'hard fail'
> because the domain owner does NOT want receivers to reject non-passing
> messages absolutely.
>
> Postfix itself does not directly support SPF. Whatever you are using for
> SPF checking would be an external tool: a policy daemon, smtp proxy
> filter, or milter. The log entries you posted are too mangled for me to
> recognize what tool you are using to check SPF.
>
I would add that SpamAssassin does not seem to have much of a problem catching that
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
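
The log check described in the thread (mail claiming a local sender address that arrived without a SASL login), as an added example that is not part of any poster's message. The log lines are constructed in the usual Postfix syslog format, and `example.org` and the function name are assumptions.

```python
import re

# Constructed sample in the usual Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 22 10:01:02 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7]
Mar 22 10:01:03 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<list@example.org>, size=2841, nrcpt=1 (queue active)
Mar 22 10:05:10 mx postfix/smtpd[2107]: 5F6A7B8C9D: client=home.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=list@example.org
Mar 22 10:05:11 mx postfix/qmgr[900]: 5F6A7B8C9D: from=<list@example.org>, size=1200, nrcpt=1 (queue active)
Mar 22 10:07:30 mx postfix/smtpd[2110]: 6E7F8A9B0C: client=mail.example.com[192.0.2.25]
Mar 22 10:07:31 mx postfix/qmgr[900]: 6E7F8A9B0C: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs "QUEUEID: client=host[ip]" and appends sasl_username=... after a login.
CLIENT_RE = re.compile(r"postfix\S*/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^,\s]+)(.*)$")
# qmgr logs the envelope sender (MAIL FROM) under the same queue ID.
FROM_RE = re.compile(r"postfix\S*/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")


def unauthenticated_local_senders(log_text, local_domains):
    """Return (queue_id, sender, client) for SMTP-received mail whose envelope
    sender is in one of local_domains (lowercase) but had no SASL login."""
    clients = {}  # queue ID -> (client, authenticated?)
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, client, rest = m.groups()
            clients[qid] = (client, "sasl_username=" in rest)
            continue
        m = FROM_RE.search(line)
        # Mail without an smtpd client line (e.g. local pickup) is skipped.
        if m and m.group(1) in clients:
            qid, sender = m.groups()
            client, authenticated = clients[qid]
            domain = sender.rpartition("@")[2].lower()
            if domain in local_domains and not authenticated:
                hits.append((qid, sender, client))
    return hits


if __name__ == "__main__":
    for qid, sender, client in unauthenticated_local_senders(SAMPLE_LOG, {"example.org"}):
        print(f"{qid}: {sender} accepted from {client} without SASL login")
```

This matches the envelope sender only; the header `From:` line is not in these log entries. Trusted relays listed in `mynetworks` also submit without SASL and will show up in the result.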