
spoofed domain emails coming through

Posted: 01 Oct 2015 15:19
by sharktech
Afternoon

Had a few emails recently that have come through with the sender's email as one of ours. Is there a way to make it not accept the email if the sender is our domain, as they should only come from our Exchange server?

Thanks

Re: spoofed domain emails coming through

Posted: 01 Oct 2015 18:14
by zohman
Yes!
If only you are serving your domain, no one should be allowed to come and claim that they are you.
To do that, use smtpd_restriction_classes with Postfix.

Add something like this in /etc/postfix/main.cf:

smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit

Add "check_client_access cidr:/etc/postfix/network_sender_access" to smtpd_sender_restrictions along with the other rules you have there.
Example:
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

Creating the files:
/etc/postfix/network_sender_access:
(change 192.168.0.0 to your network segment using CIDR notation (/24, /16, etc.); keep the 0.0.0.0/0 line last, because cidr: tables take the first matching line)

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/24      internal_sender_access

# Everything else (must stay last)
0.0.0.0/0           external_sender_access
/etc/postfix/internal_sender_access
with the domains you are serving:

example.com    OK

/etc/postfix/external_sender_access:

example.com    REJECT Bad MAIL FROM: You're not from here!
Build the db files, run:

# only the hash: tables need postmap; the cidr: table is read as-is by Postfix
postmap /etc/postfix/internal_sender_access
postmap /etc/postfix/external_sender_access

Restart Postfix:
service postfix restart

Done.

Try it from outside; connect:
telnet mail.example.com 25

220 mail.example.com ESMTP Mail Service Ready
helo mail.somehelo.com
250 efa.example.com
mail from: fake@example.com
250 2.1.0 Ok
rcpt to: user@example.com
554 5.7.1 <fake@example.com>: Sender address rejected: Bad MAIL FROM: You're not from here!


Good luck,
Zohman.

Re: spoofed domain emails coming through

Posted: 02 Oct 2015 03:03
by pdwalker
Useful!

Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.

Re: spoofed domain emails coming through

Posted: 02 Oct 2015 09:41
by sharktech
Perfect Thanks

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 08:17
by sharktech
Could this be added to the system permanently? The amount of mail I'm stopping now is huge - over 1000 emails in 1 day.

Thanks

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 14:08
by zohman
pdwalker wrote:Useful!

Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.
Hi pdwalker,
you should use it all the time in any case!

If you have an external SMTP server that sends on behalf of your sender domain
to the same recipient domain on EFA, add its IP to the internal_sender_access entries inside /etc/postfix/network_sender_access.

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/24      internal_sender_access

# External SMTP example (a bare address matches that single host;
# Postfix lookup tables only treat "#" at the start of a line as a comment,
# so keep comments on their own lines)
82.92.223.14        internal_sender_access

# Pool of external SMTPs (give the network address, not a host inside it)
212.111.154.0/27    internal_sender_access

# Everything else (must stay last: cidr: tables take the first match)
0.0.0.0/0           external_sender_access
sharktech wrote:Could this be added to the system permanently, the amount of mail im stopping now is huge - over 1000 emails in 1 day

Thanks
Great. :D
shawniverson should take note;
anyway, if it won't be implemented with the upgrade,
just back up the Postfix config files for the new system.

Regards,
Zohman.

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 17:53
by pdwalker
I would, if I knew in advance every possible SMTP server they might use, but for a lot of my mobile users, they have to customize their SMTP settings for each country they are in. It's annoying. Also, VPNs are frequently blocked to prevent "backdoor" access to the Internet.

Still a useful tip though.

I wonder how much junk is coming in with spoofed domains on my system anyway? I think I'll check.

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 20:02
by zohman
sharktech wrote:Could this be added to the system permanently, the amount of mail im stopping now is huge - over 1000 emails in 1 day

Thanks
RFC alert:
OK, there is another thing we need to add.. :)

I noticed that EFA won't let bounce messages get out from Exchange.
After a little investigation I saw that Exchange sends those bounces with MAIL FROM: <>,
and this is why bounces are not taking off: we limited the allowed senders in internal_sender_access
to example.com only, so MAIL FROM: <> from the inside is forbidden.

I tried to figure out how to change Exchange's behaviour so it would bounce
with the MAIL FROM: envelope set like the From: header, postmaster@example.com;
on my way to figuring it out I found that mail servers are required to support it (RFC 1123 section 5.2.9):

"The syntax shown in RFC-821 for the MAIL FROM: command omits the case
of an empty path: "MAIL FROM: <>" (see RFC-821 Page 15). An empty reverse path MUST be supported."

It’s used primarily for bounce messages, to prevent an endless loop.
When MAIL FROM is used with an empty address (represented as <>),
the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.

Solution to comply with the RFC:
just add "<> OK" to /etc/postfix/internal_sender_access

example.com    OK
<>             OK
Regards,
Zohman.
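The tables from zohman's first post (restriction classes chosen by client network, sender tables behind them) and the "<>" row added in the post above are easy to get subtly wrong, because Postfix matches them with rules that are not obvious from the files: cidr: tables take the first matching line, an access table key of "example.com" also matches senders at sub.example.com (parent_domain_matches_subdomains includes smtpd_access_maps by default), and the empty sender is looked up under the literal key "<>". The following is an added example, not code from the EFA project or from the posters: an offline model of exactly those lookups, so the three tables can be checked for every (client, MAIL FROM) pair before running postmap and restarting. Table contents are the ones posted; the outside client address 203.0.113.5 and the sender addresses are constructed; reject_non_fqdn_sender and reject_unknown_sender_domain are left out because they need DNS.

```python
"""Offline model of the Postfix policy built in this thread: the cidr: client
table that selects a restriction class, and the hash: sender tables behind
those classes.  Added example, not EFA's or Postfix's own code; it reproduces
the documented lookup order so the tables can be tested before deployment.
Client address 203.0.113.5 and the sender addresses are constructed."""
import ipaddress

# Tables as posted (network table with the later external relays, sender table
# with the later "<>" row).  Postfix treats a line as a comment only when "#"
# is its first non-blank character, so comments sit on their own lines.
NETWORK_SENDER_ACCESS = """\
# localhost
127.0.0.0/24        internal_sender_access
# Inside Networks
192.168.0.0/24      internal_sender_access
# External SMTP example
82.92.223.14        internal_sender_access
# Pool of external SMTPs
212.111.154.0/27    internal_sender_access
# Everything else
0.0.0.0/0           external_sender_access
"""
INTERNAL_SENDER_ACCESS = """\
example.com   OK
<>            OK
"""
EXTERNAL_SENDER_ACCESS = """\
example.com   REJECT Bad MAIL FROM: You're not from here!
"""


def parse_table(text):
    """Return [(key, value)] in file order; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, value = line.split(None, 1)
        rows.append((key.lower(), value.strip()))
    return rows


NETWORK = parse_table(NETWORK_SENDER_ACCESS)
INTERNAL = parse_table(INTERNAL_SENDER_ACCESS)
EXTERNAL = parse_table(EXTERNAL_SENDER_ACCESS)

# smtpd_restriction_classes from the posted main.cf: (sender table, trailing default)
CLASSES = {
    "internal_sender_access": (INTERNAL, "reject"),
    "external_sender_access": (EXTERNAL, "permit"),
}


def cidr_lookup(table, client_ip):
    """cidr: tables match in file order, first hit wins, so 0.0.0.0/0 must be last."""
    addr = ipaddress.ip_address(client_ip)
    for key, value in table:
        # A bare address is a single host; strict=False tolerates host bits in a /27.
        if addr in ipaddress.ip_network(key, strict=False):
            return value
    return None


def access_lookup(table, sender):
    """check_sender_access on a hash: table, in Postfix's key order: full address,
    domain, parent domains (default parent_domain_matches_subdomains covers
    smtpd_access_maps), then localpart@.  The empty sender uses the key "<>"."""
    sender = sender.lower()
    if sender in ("", "<>"):
        keys = ["<>"]
    else:
        local, _, domain = sender.rpartition("@")
        labels = domain.split(".")
        keys = [sender, domain]
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
        keys.append(local + "@")
    lookup = dict(table)
    for key in keys:
        if key in lookup:
            return lookup[key]
    return None


def evaluate(client_ip, sender, sasl_authenticated=False, internal_table=None):
    """Walk the posted smtpd_sender_restrictions for one (client, MAIL FROM) pair
    and return ("permit" | "reject", reason).  Postfix holds the verdict until
    RCPT TO (smtpd_delay_reject = yes), which is why the telnet session in the
    thread answers 250 at MAIL FROM and 554 at RCPT TO."""
    if sasl_authenticated:                      # permit_sasl_authenticated
        return "permit", "permit_sasl_authenticated"
    cls = cidr_lookup(NETWORK, client_ip)       # check_client_access cidr:...
    table, default = CLASSES[cls]
    if cls == "internal_sender_access" and internal_table is not None:
        table = internal_table                  # lets a test try a table without "<>"
    result = access_lookup(table, sender)
    if result is None:
        return default, f"{cls}: no table match, class default '{default}'"
    action, _, text = result.partition(" ")
    if action.upper() == "OK":
        return "permit", f"{cls}: OK"
    if action.upper() == "REJECT":
        return "reject", f"{cls}: 554 5.7.1 <{sender}>: Sender address rejected: {text}"
    raise ValueError(f"unsupported access action {action!r}")


if __name__ == "__main__":
    for client, mail_from in [("203.0.113.5", "fake@example.com"),
                              ("203.0.113.5", "fake@sub.example.com"),
                              ("192.168.0.10", "user@gmail.com"),
                              ("192.168.0.10", "<>")]:
        print(client, mail_from, "->", *evaluate(client, mail_from))
```

Two things the model makes visible that the thread does not spell out. First, after editing a hash: table such as internal_sender_access you must run postmap on it again before the change takes effect, while the cidr: file is read as-is. Second, this whole policy looks only at the envelope sender (MAIL FROM); a message whose envelope sender is some other domain but whose From: header reads user@example.com passes these restrictions untouched, so header-level spoofing needs a separate control (header checks or DMARC alignment) on top of this one.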

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 21:57
by shawniverson

Re: spoofed domain emails coming through

Posted: 05 Oct 2015 21:59
by shawniverson