On 24 Apr 2019, at 16:04, Mick wrote:

> On 23/04/2019 18:34, Bill Cole wrote:
>> On 23 Apr 2019, at 11:46, John Peach wrote:
>>> On 4/23/19 11:39 AM, Paul wrote:
>>>> Yes I agree with Kevin here, the best solution to this problem is
>>>> an spf record set to reject mail from any ip that’s not in your
>>>> allowed list of ips for your domain. Forging a from address is very
>>>> easy and is one of the main purposes of why spf was created.
>>>
>>> There is no need to go to those lengths - assuming that all your own
>>> email is being submitted over port 587, include -o
>>> receive_override_options=no_header_body_checks in the master.cf
>>> entry for submission and use a PCRE header checks file for port 25.
>>>
>>> /^From:.*\@example\.com/ REJECT
>>
>> So you don't want to accept messages you or anyone else in your
>> domain posts to a mailing list such as this one?
>>
>> Seems risky...
>
> As per B. Reino's suggestion of header check white list, is there any
> reason the following main.cf config should not be used?
>
> header_checks =
>     pcre:/etc/postfix/header_checks_pass
>     pcre:/etc/postfix/header_checks_fail

Yes: it is a generally bad idea to use header_checks to whitelist
anything.
For the details on why, see the documentation in the header_checks man
page and BUILTIN_FILTER_README. If you want *GOOD* filtering, use a
milter or SMTP proxy filter.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
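
Added example, not part of the thread and not Postfix code: a simplified Python model of header_checks evaluation, in which each logical header is looked up on its own and nothing is remembered from one header to the next. The List-Id pass rule and the sample message are constructed for illustration; the From: pattern is the one quoted in the thread.

```python
import re

# Simplified model (an assumption-level sketch): tables are searched in order
# and the first matching pattern decides the action for that one header only.
PASS_TABLE = [(r"^List-Id:.*<postfix-users\.example\.org>", "DUNNO")]  # hypothetical allow rule
FAIL_TABLE = [(r"^From:.*@example\.com", "REJECT")]                    # pattern from the thread


def lookup(header, tables):
    """Return the action of the first pattern that matches this header, or None."""
    for table in tables:
        for pattern, action in table:
            # pcre tables match case-insensitively by default
            if re.search(pattern, header, re.IGNORECASE):
                return action
    return None


def check_message(headers, tables):
    """Evaluate headers one at a time; return (verdict, deciding header)."""
    for header in headers:
        action = lookup(header, tables)
        if action == "REJECT":
            return "REJECT", header
        # DUNNO or no match: no state is kept, move on to the next header.
    return "ACCEPT", None


# Constructed sample: a list post from a local user, relayed back by the list server.
LIST_POST = [
    "Received: from lists.example.org (lists.example.org [192.0.2.10])",
    "List-Id: Postfix users <postfix-users.example.org>",
    "From: Mick <mick@example.com>",
    "Subject: Re: header_checks question",
]


def demo():
    """The List-Id 'pass' does not protect the From: header that follows it."""
    return check_message(LIST_POST, [PASS_TABLE, FAIL_TABLE])


if __name__ == "__main__":
    print(demo())
```

In this model the pass rule exempts only the header it matched, so the list post is still rejected on its From: line; a milter or SMTP proxy filter sees the whole message and can combine conditions across headers.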