On 2019-05-13 12:03 BST, [email protected] wrote:
> The hackers forged the from address so our notifications were sent
> to that address instead, and we want to prevent that from happening
> again.
I'm offering the following in the hope that someone will tell me if
it's all wrong...
a) Add a submission-dedicated cleanup server and tell submission to
use it.
master.cf:
cleanup-sub unix n - y - 0 cleanup
    -o header_checks=regexp:/etc/postfix/header-checks-on-submission
submission inet n - y - - smtpd
    -o cleanup_service_name=cleanup-sub
b) On submission, anything claiming to come from a foreign domain goes
into the HOLD queue.
header-checks-on-submission:
if /^From:/
!/^From:[[:space:]]+.+@example\.com/ HOLD Header-from is spoofed.
endif
c) Configure something to alert you if anything appears in the HOLD
queue, e.g. a cron script that examines 'postqueue' output.
HTH,
--
Nick
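An added example for step (c), not part of Nick's post: a POSIX shell script a cron job can run to spot messages that the submission header check has dropped into the HOLD queue. It parses `postqueue -p` output on stdin, relying on the convention that a held queue ID is printed with a trailing `!`; the queue listing embedded below is constructed, and the queue IDs and addresses in it are made up.

```shell
#!/bin/sh
# Report messages sitting in the Postfix HOLD queue, from 'postqueue -p' output.
# Added example, not code from the original mailing-list post.
# Assumption: held messages show a '!' after the queue ID (active ones show '*').

# Constructed sample of 'postqueue -p' output: one held message, one plain queued message.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5!     2048 Mon May 13 12:03:00  someone@example.com
                                         victim@example.org
F6A7B8C9D0      1024 Mon May 13 12:05:00  user@example.com
                                         peer@example.net

-- 3 Kbytes in 2 Requests.'

# held_queue_ids: print the queue ID of every held message, without the '!' marker.
held_queue_ids() {
    awk '$1 ~ /^[A-Za-z0-9]+!$/ { sub(/!$/, "", $1); print $1 }'
}

# held_count: number of held messages in the listing on stdin.
held_count() {
    held_queue_ids | wc -l | tr -d ' '
}

# report_held: one line per held message with sender and recipients; lines in
# parentheses (deferral reasons) are skipped, recipient lines are indented ones.
report_held() {
    awk '
      function flush() { if (pending) { print ""; pending = 0 } }
      $1 ~ /^[A-Za-z0-9]+[!*]?$/ && NF >= 3 {
          flush()
          if ($1 ~ /!$/) {
              id = $1; sub(/!$/, "", id)
              printf "HELD %s from %s to", id, $NF
              pending = 1
          }
          next
      }
      pending && /^ *[^( ]/ { printf " %s", $1 }
      /^$/ { flush() }
      END { flush() }
    '
}

# Cron usage (no output means nothing is held):
#   postqueue -p | report_held > /tmp/held.txt; [ -s /tmp/held.txt ] && mail -s "HOLD queue" postmaster < /tmp/held.txt
printf '%s\n' "$SAMPLE_QUEUE" | report_held
```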