
Re: rejecting forged emails

  • Drizzt
    Message 1 of 6 , Apr 1, 2011
      On 2011-04-01 11:22:04 (-0500), Vernon A. Fort <vfort@...> wrote:
      > I'm trying to find a way to block/reject inbound messages forging our
      > internal email addresses. Meaning they're inbound messages using MY email
      > address but they're not originating from my server.
      >
      > I cannot seem to find the correct solution. Anyone.
      >
      > Vernon
      >

      With restriction classes you can drop this spoofing.
      Key is to first separate your own server(s) (e.g. by giving them an OK
      before this check). Afterwards if the sender-domain matches any of your
      domains it must be spoofing (as only external servers reach this check)
      and you can just reject it.
    • Noel Jones
      Message 2 of 6 , Apr 1, 2011
        On 4/1/2011 11:36 AM, Drizzt wrote:
        > On 2011-04-01 11:22:04 (-0500), Vernon A. Fort<vfort@...> wrote:
        >> I'm trying to find a way to block/reject inbound messages forging our
        >> internal email addresses. Meaning they're inbound messages using MY email
        >> address but they're not originating from my server.
        >>
        >> I cannot seem to find the correct solution. Anyone.
        >>
        >> Vernon
        >>
        >
        > With restriction classes you can drop this spoofing.
        > Key is to first separate your own server(s) (e.g. by giving them an OK
        > before this check). Afterwards if the sender-domain matches any of your
        > domains it must be spoofing (as only external servers reach this check)
        > and you can just reject it.
        >
        >
        >

        No need for a restriction class. Just blacklist your own
        domain after permit_mynetworks, permit_sasl_authenticated.

        Note: this may reject a small amount of legit mail.

        a quick example:

        # main.cf
        smtpd_recipient_restrictions =
            permit_mynetworks
            # NOTE: remove the next line if not using SASL
            permit_sasl_authenticated
            reject_unauth_destination
            check_sender_access hash:/etc/postfix/sender_access
            ... other local checks ...


        # sender_access
        # replace example.com with your own domain name
        example.com REJECT only authorized senders may use this address


        remember to execute "postfix reload" after editing main.cf.
        remember to execute "postmap sender_access" after editing it.




        -- Noel Jones
      • Vernon A. Fort
        Message 3 of 6 , Apr 1, 2011
          On Fri, 2011-04-01 at 13:17 -0500, Noel Jones wrote:
          > On 4/1/2011 11:36 AM, Drizzt wrote:
          > > On 2011-04-01 11:22:04 (-0500), Vernon A. Fort<vfort@...> wrote:
          > >> I'm trying to find a way to block/reject inbound messages forging our
          > >> internal email addresses. Meaning they're inbound messages using MY email
          > >> address but they're not originating from my server.
          >
          > a quick example:
          >
          > # main.cf
          > smtpd_recipient_restrictions =
          >     permit_mynetworks
          >     # NOTE: remove the next line if not using SASL
          >     permit_sasl_authenticated
          >     reject_unauth_destination
          >     check_sender_access hash:/etc/postfix/sender_access
          >     ... other local checks ...
          >
          > -- Noel Jones

          This checks the envelope sender, correct? The Return-path: is an
          external address. It's the From: in the message header I am battling
          with. I assume it's a header_check but it would have to be some form of
          IF <my address> AND NOT received from mynetworks, REJECT.

          It's spam and the FROM and TO are identical, i.e. from me and to me.

          Vernon
        • Jerry
          Message 4 of 6 , Apr 1, 2011
            On Fri, 01 Apr 2011 13:33:15 -0500
            Vernon A. Fort <vfort@...> articulated:

            > On Fri, 2011-04-01 at 13:17 -0500, Noel Jones wrote:
            > > On 4/1/2011 11:36 AM, Drizzt wrote:
            > > > On 2011-04-01 11:22:04 (-0500), Vernon A.
            > > > Fort<vfort@...> wrote:
            > > >> I'm trying to find a way to block/reject inbound messages
            > > >> forging our internal email addresses. Meaning they're inbound
            > > >> messages using MY email address but they're not originating from
            > > >> my server.
            > >
            > > a quick example:
            > >
            > > # main.cf
            > > smtpd_recipient_restrictions =
            > >     permit_mynetworks
            > >     # NOTE: remove the next line if not using SASL
            > >     permit_sasl_authenticated
            > >     reject_unauth_destination
            > >     check_sender_access hash:/etc/postfix/sender_access
            > >     ... other local checks ...
            > >
            > > -- Noel Jones
            >
            > This checks the envelope sender, correct? The Return-path: is an
            > external address. It's the From: in the message header I am battling
            > with. I assume it's a header_check but it would have to be some form of
            > IF <my address> AND NOT received from mynetworks, REJECT.
            >
            > It's spam and the FROM and TO are identical, i.e. from me and to me.

            I have used "postfwd" to alleviate that problem.

            http://postfwd.org/

            --
            Jerry ✌
            postfix-user@...
            _____________________________________________________________________
            TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
            TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
          • Noel Jones
            Message 5 of 6 , Apr 1, 2011
              On 4/1/2011 1:33 PM, Vernon A. Fort wrote:
              > On Fri, 2011-04-01 at 13:17 -0500, Noel Jones wrote:
              >> On 4/1/2011 11:36 AM, Drizzt wrote:
              >>> On 2011-04-01 11:22:04 (-0500), Vernon A. Fort<vfort@...> wrote:
              >>>> I'm trying to find a way to block/reject inbound messages forging our
              >>>> internal email addresses. Meaning they're inbound messages using MY email
              >>>> address but they're not originating from my server.
              >>
              >> a quick example:
              >>
              >> # main.cf
              >> smtpd_recipient_restrictions =
              >>     permit_mynetworks
              >>     # NOTE: remove the next line if not using SASL
              >>     permit_sasl_authenticated
              >>     reject_unauth_destination
              >>     check_sender_access hash:/etc/postfix/sender_access
              >>     ... other local checks ...
              >>
              >> -- Noel Jones
              >
              > This checks the envelope sender, correct? The Return-path: is an
              > external address. It's the From: in the message header I am battling
              > with. I assume it's a header_check but it would have to be some form of
              > IF <my address> AND NOT received from mynetworks, REJECT.
              >
              > It's spam and the FROM and TO are identical, i.e. from me and to me.
              >
              > Vernon
              >

              No, checking the From: header will have a very high false
              positive rate, such as your posts to this and other mail lists.

              You can use something like that in SpamAssassin as a
              low-scoring rule or part of a meta rule that matches other
              spam signs.



              -- Noel Jones
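
The envelope-sender versus From: header distinction discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of the restriction list from message 2, run on constructed SMTP sessions. The networks, addresses and function names are assumptions for illustration, and the table lookup only approximates access(5).

```python
import ipaddress

# Constructed values standing in for a site's real settings (assumptions).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}  # domains this server accepts mail for
SENDER_ACCESS = {"example.com": "REJECT only authorized senders may use this address"}


def sender_access_lookup(envelope_sender):
    """Simplified access(5) lookup: full address, then domain, then parent domains."""
    addr = envelope_sender.lower()
    if addr in SENDER_ACCESS:
        return SENDER_ACCESS[addr]
    domain = addr.rpartition("@")[2]
    while domain:
        if domain in SENDER_ACCESS:
            return SENDER_ACCESS[domain]
        domain = domain.partition(".")[2]  # strip the leftmost label
    return None  # also the result for the null sender <>


def evaluate(client_ip, sasl_user, envelope_sender, recipient, header_from):
    """Walk the restriction list in order; the first decisive result wins.

    header_from is accepted only to make visible that no restriction reads it.
    """
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "permit (permit_mynetworks)"
    if sasl_user:
        return "permit (permit_sasl_authenticated)"
    if recipient.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return "reject (reject_unauth_destination)"
    action = sender_access_lookup(envelope_sender)
    if action and action.startswith("REJECT"):
        return "reject (check_sender_access)"
    return "continue to other local checks"


def header_from_is_local(header_from):
    """The header-based test asked about in message 3, kept separate for comparison."""
    return header_from.rpartition("@")[2].lower() in LOCAL_DOMAINS


# Constructed session: external client, external envelope sender, forged From: header.
FORGED_HEADER = ("203.0.113.5", None, "bulk@example.net",
                 "vernon@example.com", "vernon@example.com")
# Constructed session: a list post by the local user, relayed by the list server.
LIST_POST = ("203.0.113.9", None, "list-bounces@lists.example.org",
             "vernon@example.com", "vernon@example.com")
```

Both constructed sessions pass the envelope check and both carry a local From: header, so a header-only rule cannot tell the forged message from the mailing-list post.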