> @lbutlr wrote: >> > a wrote: >> > > However, an outside network can still identify as a local email >> > > account to send into my network, making imposters possible. >> > >> > Do not allow connections on port 25 that claim to be from your domains. >> > >> > (I think this works still): >> >> Yes. It works. >> >> > smtpd_helo_restrictions = reject_invalid_helo_hostname >> > check_helo_access pcre:/etc/postfix/helo_checks.pcre >> > permit >> > >> > helo_checks.pcre: >> > /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed >> from external servers. >> >> I do a slight variation on this that I think is slightly better. >> Instead of pcre tables I use hash tables. Which should be slightly more >> efficient. And won't suffer from common substring matches such as >> hitting by accident on goodkreme.com or otherkreme.com or >> krispykreme.com and so forth. :-) >> >> My /etc/postfix/helo-access file: >> # Reject anybody that HELO's as being in our own domains. >> # Since this occurs after permit_mynetworks this does not >> # reject local clients. >> proulx.com REJECT You are not proulx.com. >> >> # Somebody HELO'ing as 'localhost'? Won't hit because localhost is >> not a FQDN. >> # Should not hit here but if that is allowed then it will be rejected >> here. >> localhost REJECT You are not localhost. >> >> # Somebody HELO'ing as our IP address? Yes those occur too. >> 96.88.95.61 REJECT You are not 96.88.95.61 >> # IPv6 address too. Although IPv6 is otherwise blocked here. >> 2601:1:9c81:cd00:3a60:77ff:fecd:b399 REJECT You are not >> 2601:1:9c81:cd00:3a60:77ff:fecd:b399 >> >> Then the usual "postmap helo-access" to create the "helo-access.db" file. >> >> A snippet of my config: >> smtpd_recipient_restrictions = >> ... >> check_helo_access hash:/etc/postfix/helo-access, >> ... >> >> The entire list of smtpd recipient restrictions is all part of a good >> anti-spam configuration. If you are interested in that list ask again >> and I am sure there will be many suggestions for a good setup. >> >> > Or setup spf, which is what I’ve done. >> >> Usually SPF protects other people from forgeries of your own network. >> But unless you are hard blocking on SPF of your own domain then this >> will not block forgery attacks spoofing your own network. And hard >> blocking on SPF is problematic due to the nature of often broken >> systems which would cause loss of mail. Better to use SPF as part of >> a scoring system. Then by itself it is unlikely to be a problem at >> the inevitiable cases where things are broken. >> >> HTH! >> Bob >> > > Thank you Bob & @lbutlr, worked perfectly! > > I did the hash method. > > This line worked with the hash db populated to suite my domain per what > Bob said: > > smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo-access > permit >
phishing and fraudulent usage of domain - method to prevent some masking Sorry, I forgot to put in here for a search term for others looking for this in the future that it could be a good tool to prevent phishing and other fraudulent usage of domain. I did eventually find something on some forums online, but these user groups are great. Thanks everyone again!
