On Tue, Apr 11, 2023 at 03:34:09PM -0300, Roberto Carna via Postfix-users wrote:

> But we have realized that if we send messages using domains other
> than ourdomain1.com, the messages reach the recipients in Gmail,
> Hotmail and other public mail platforms.

Perhaps, as well as considering how to address this, you might also
consider whether you're addressing the right problem...

When an authorised message is slated to leave your network, the
consequences are least significant when it purports to originate from
somebody else's domain.

    - Many receiving systems are liable to reject a message purporting
      to originate from an unexpected domain (based on DMARC, ...).

    - There's little risk of reputational or financial damage if
      the message does not impersonate a sender in your domain.

On the other hand, if the message *is* from your domain, but
is an unauthorised message misleading your customers or business
partners, ... *then* you have a problem.

While Postfix can to some extent enforce envelope to sender mismatches,
the real concern is usually the "From:" header, ... whose content is not
the MSA's job to enforce.

Instead, if you really want to lock down email security on your network,
you'll need to:

    - Accept outbound email only from authenticated *managed* systems.

    - On each managed system restrict access to email submission to be
      only via managed MUAs, that ensure that header and envelope
      addresses are authorised to the user in question at the point
      of message submission.

These are complex goals, and often not worth pursuing, unless the risk
exposure is particularly high.

-- 
    Viktor.
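
The submission-time check described in the message above (both the envelope sender and the "From:" header must be authorised for the authenticated user), as an added example that is not part of the original post or of Postfix. The AUTHORISED map, the logins, check_submission() and sample_message() are hypothetical names and constructed data.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed data: authenticated login -> addresses that login may send as.
AUTHORISED = {
    "alice": {"alice@ourdomain1.com", "sales@ourdomain1.com"},
    "bob": {"bob@ourdomain1.com"},
}


def check_submission(login, envelope_sender, raw_message):
    """Return a list of violations; an empty list means accept."""
    allowed = AUTHORISED.get(login, set())
    problems = []

    # Envelope check: the part a submission server can compare on its own.
    if envelope_sender.lower() not in allowed:
        problems.append(f"envelope sender {envelope_sender} not authorised for {login}")

    # Header check: what recipients actually see as the author.
    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        problems.append(f"expected exactly one From: header, found {len(from_headers)}")

    # Compare only the address; the display name is free text and proves nothing.
    addrs = [a.lower() for _, a in getaddresses([str(h) for h in from_headers]) if a]
    if from_headers and not addrs:
        problems.append("From: header contains no parsable address")
    for addr in addrs:
        if addr not in allowed:
            problems.append(f"From: address {addr} not authorised for {login}")
    return problems


def sample_message(from_value):
    # Constructed sample message with a caller-chosen From: header.
    return f"From: {from_value}\nTo: customer@example.org\nSubject: Invoice\n\nHello\n"


if __name__ == "__main__":
    # Envelope and header both belong to the login: accepted.
    print(check_submission("alice", "alice@ourdomain1.com",
                           sample_message("Alice <alice@ourdomain1.com>")))
    # Envelope is fine, header names a colleague: only the header check catches it.
    print(check_submission("bob", "bob@ourdomain1.com",
                           sample_message('"Bob" <ceo@ourdomain1.com>')))
```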