* Bill Cole <sausers-20150...@billmail.scconsult.com>:
> On 27 Nov 2017, at 8:57 (-0500), Ralf Hildebrandt wrote:
>
> > * Tobi <jahli...@gmx.ch>:
> > > ALL_TRUSTED should fire if msg is only transported via trusted hosts, so
> > > you can do && !ALL_TRUSTED
> > > But would it not be better to not accept such messages in first place
> > > and reject them on your border mta?
> >
> > This is my border MTA.
>
> One safe & useful tactic is to not accept mail on your border MTA with the
> envelope sender in a local domain, and instead have a submission server
> (port 587) for local users to submit through. No need for SA.

This is not about envelope, this is about the header.

> Hitting on the From *header* and an external source is (as noted by RW)
> trickier

Exactly.

> because traditional mailing list configuration (i.e. pre-DMARC with
> 'p=reject') usually preserves the original From header. Even worse are
> websites (such as some newspapers) who have "email this page" functions
> which require users to provide their email address for use in the From
> header. DMARC is likely to erode these senders over time but since the
> use of 'p=reject' is not a widespread norm, it will take a while.

Putting my rules in place already pointed out several hosts not on our
network sending mail as charite.de senders...

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
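
The check discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: it flags mail whose From *header* is in a local domain while the relay path is not entirely trusted, and separates out list traffic that preserves the original From. The domain, networks, sample messages and the simplified reading of Received headers are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.org"}                         # assumption: your own domain(s)
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: your own relays
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[a.b.c.d]" in Received

def all_trusted(msg):
    """Simplified stand-in for ALL_TRUSTED: at least one relay, none untrusted."""
    ips = [ipaddress.ip_address(ip) for hdr in msg.get_all("Received", [])
           for ip in RELAY_IP.findall(hdr)]
    return bool(ips) and all(any(ip in net for net in TRUSTED_NETS) for ip in ips)

def classify(raw):
    msg = email.message_from_string(raw)
    # Header From, not the envelope sender (Return-Path) checked at SMTP time
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS or all_trusted(msg):
        return "ok"
    # Lists that preserve the original From are the expected false positives
    return "local-from-via-list" if msg.get("List-Id") else "local-from-external"

# Constructed sample messages (documentation domains and address ranges)
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.7]) by mx.example.org
From: "IT Helpdesk" <helpdesk@example.org>

body
"""
INTERNAL = """\
Return-Path: <alice@example.org>
Received: from ws1.example.org (ws1.example.org [192.0.2.25]) by mx.example.org
From: alice@example.org

body
"""
LIST = """\
Return-Path: <users-bounces@lists.example.net>
Received: from lists.example.net (lists.example.net [198.51.100.9]) by mx.example.org
From: alice@example.org
List-Id: <users.lists.example.net>

body
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("list", LIST)):
        print(name, classify(raw))
```

The spoofed sample has an external envelope sender, so an envelope-only rejection at the border would accept it; only the header check catches it.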