On Tue, Apr 11, 2023 at 03:34:09PM -0300, Roberto Carna via Postfix-users wrote:
> But we have realized that if we send messages using other domains
> than ourdomain1.com, the messages reach the recipients in Gmail,
> Hotmail and other public mail platforms.

Perhaps, as well as considering how to address this, you might also
consider whether you're addressing the right problem...

When an authorised message is slated to leave your network, the
consequences are least significant when it purports to originate from
somebody else's domain.

  - Many receiving systems are liable to reject a message purporting
    to originate from an unexpected domain (based on DMARC, ...).

  - There's little risk of reputational or financial damage if the
    message does not impersonate a sender in your domain.

On the other hand, if the message *is* from your domain, but is an
unauthorised message misleading your customers or business partners,
... *then* you have a problem.

While Postfix can to some extent enforce envelope to sender mismatches,
the real concern is usually the "From:" header, ... whose content is
not the MSA's job to enforce.

Instead, if you really want to lock down email security on your
network, you'll need to:

  - Accept outbound email only from authenticated *managed* systems.

  - On each managed system restrict access to email submission to be
    only via managed MUAs, that ensure that header and envelope
    addresses are authorised to the user in question at the point of
    message submission.

These are complex goals, and often not worth pursuing, unless the risk
exposure is particularly high.

-- 
    Viktor.
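
The distinction drawn in the reply above, between the envelope sender and the "From:" header, shown as a submission-time check (an added example, not part of the original message and not Postfix code). The login name, the authorisation table and the sample messages are constructed for illustration; only ourdomain1.com comes from the thread.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed table: SASL login -> addresses that login may send as.
# Login names and addresses are made up for this example.
AUTHORISED = {
    "alice": {"alice@ourdomain1.com", "sales@ourdomain1.com"},
}


def check_submission(sasl_user, envelope_from, raw_message, table=AUTHORISED):
    """Return a list of policy violations; an empty list means accept."""
    allowed = {a.lower() for a in table.get(sasl_user, ())}
    problems = []

    # Envelope check: the part an MSA can enforce on MAIL FROM.
    if envelope_from.lower() not in allowed:
        problems.append(f"envelope sender {envelope_from} not authorised for {sasl_user}")

    # Header check: what the recipient's mail client actually displays.
    headers = message_from_string(raw_message).get_all("From", [])
    if len(headers) != 1:
        problems.append(f"expected exactly one From: header, found {len(headers)}")
    addrs = [addr.lower() for _name, addr in getaddresses(headers) if addr]
    if headers and not addrs:
        problems.append("From: header contains no parsable address")
    for addr in addrs:
        if addr not in allowed:
            problems.append(f"From: address {addr} not authorised for {sasl_user}")
    return problems


def make_message(from_header):
    """Build a minimal constructed message with the given From: header."""
    return f"From: {from_header}\nTo: customer@example.net\nSubject: Invoice\n\nHello\n"


if __name__ == "__main__":
    cases = [
        ("alice", "alice@ourdomain1.com", "Alice <alice@ourdomain1.com>"),
        # Envelope is fine, but the visible header names another in-domain sender.
        ("alice", "alice@ourdomain1.com", '"CEO" <ceo@ourdomain1.com>'),
        # Envelope from a foreign domain.
        ("alice", "alice@otherdomain.example", "Alice <alice@ourdomain1.com>"),
    ]
    for user, env, hdr in cases:
        result = check_submission(user, env, make_message(hdr))
        print(user, env, hdr, "->", result or "accept")
```

The second case passes an envelope-only check and is caught only by the header check, which is the in-domain impersonation case the reply identifies as the real exposure.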