> @lbutlr wrote: > > a wrote: > > > However, an outside network can still identify as a local email > > > account to send into my network, making imposters possible. > > > > Do not allow connections on port 25 that claim to be from your domains. > > > > (I think this works still): > > Yes. It works. > > > smtpd_helo_restrictions = reject_invalid_helo_hostname > > check_helo_access pcre:/etc/postfix/helo_checks.pcre > > permit > > > > helo_checks.pcre: > > /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed > from external servers. > > I do a slight variation on this that I think is slightly better. > Instead of pcre tables I use hash tables. Which should be slightly more > efficient. And won't suffer from common substring matches such as > hitting by accident on goodkreme.com or otherkreme.com or > krispykreme.com and so forth. :-) > > My /etc/postfix/helo-access file: > # Reject anybody that HELO's as being in our own domains. > # Since this occurs after permit_mynetworks this does not > # reject local clients. > proulx.com REJECT You are not proulx.com. > > # Somebody HELO'ing as 'localhost'? Won't hit because localhost is > not a FQDN. > # Should not hit here but if that is allowed then it will be rejected > here. > localhost REJECT You are not localhost. > > # Somebody HELO'ing as our IP address? Yes those occur too. > 96.88.95.61 REJECT You are not 96.88.95.61 > # IPv6 address too. Although IPv6 is otherwise blocked here. > 2601:1:9c81:cd00:3a60:77ff:fecd:b399 REJECT You are not > 2601:1:9c81:cd00:3a60:77ff:fecd:b399 > > Then the usual "postmap helo-access" to create the "helo-access.db" file. > > A snippet of my config: > smtpd_recipient_restrictions = > ... > check_helo_access hash:/etc/postfix/helo-access, > ... > > The entire list of smtpd recipient restrictions is all part of a good > anti-spam configuration. If you are interested in that list ask again > and I am sure there will be many suggestions for a good setup. > > > Or setup spf, which is what I’ve done. > > Usually SPF protects other people from forgeries of your own network. > But unless you are hard blocking on SPF of your own domain then this > will not block forgery attacks spoofing your own network. And hard > blocking on SPF is problematic due to the nature of often broken > systems which would cause loss of mail. Better to use SPF as part of > a scoring system. Then by itself it is unlikely to be a problem at > the inevitiable cases where things are broken. > > HTH! > Bob >
Thank you Bob & @lbutlr, worked perfectly! I did the hash method. This line worked with the hash db populated to suite my domain per what Bob said: smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo-access permit
