How-to Prevent external sender spoofing to EFA

shawniverson
Posts: 2737
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

How-to Prevent external sender spoofing to EFA

Post by shawniverson » 21 Oct 2015 21:11

Original topic is here:

viewtopic.php?f=14&t=1237

Many thanks to zohman for his expertise. This is a slightly modified how-to.

(9/3/16 -- Using SPF/DKIM/DMARC in combination may be more suitable for more complex environments!)

This is a rather important thing to do in postfix to prevent...
from: mydomain.tld
to: mydomain.tld
from getting past postfix into your domain because your domain is in the transport and relay maps.

(plan to integrate this into EFA...see issue https://github.com/E-F-A/v3/issues/215)

Note that you may need to take into consideration other external relaying that you want to allow (i.e. legit mobile users)

Step 1

Add the following to /etc/postfix/main.cf:

smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit

Step 2

Replace the following in /etc/postfix/main.cf. We are basically tossing out /etc/postfix/sender_access in favor of the internal and external variants above to make it more granular.

Change from:

smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain

Change to:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

Step 3

Create /etc/postfix/network_sender_access. This selects the appropriate sender access list based on originating IP address.

Example:

# localhost
127.0.0.0/24        internal_sender_access

# Inside Networks
192.168.0.0/16      internal_sender_access
10.0.0.0/8          internal_sender_access
172.16.0.0/12       internal_sender_access

# Everything else
0.0.0.0/0           external_sender_access

Step 4

Create /etc/postfix/internal_sender_access

Example:

mydomain1.tld OK
mydomain2.tld OK
mydomain3.tld OK
<> OK

(last line is for RFC-821 for empty reverse path support)

Step 5

Create /etc/postfix/external_sender_access

Example:

mydomain1.tld REJECT
mydomain2.tld REJECT
mydomain3.tld REJECT

Step 6

Postmap everything to build database files

sudo postmap /etc/postfix/network_sender_access
sudo postmap /etc/postfix/internal_sender_access
sudo postmap /etc/postfix/external_sender_access

Step 7

Restart postfix

sudo service postfix restart

Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

anti-spam
Posts: 36
Joined: 06 Oct 2015 14:32

Re: How-to Prevent external sender spoofing to EFA

Post by anti-spam » 22 Oct 2015 11:41

Many thanks for this how-to. We applied it and had errors like:

Oct 22 12:43:50 mx2 postfix/smtpd[3429]: NOQUEUE: reject: RCPT from cpanel3.xyz.com[ip.ip.ip.ip]: 554 5.7.1 <cpanel3.xyz.com[ip.ip.ip.ip]>: Client host rejected: Access denied; from=<tester@xyz.com> to=<our@email-address.com> proto=ESMTP helo=<cpanel3.xyz.com>

What we did wrong was that we used our whole IP range in /etc/postfix/network_sender_access, like:

# localhost
127.0.0.0/24 internal_sender_access

# Inside Networks
IP.IP.IP.0/24 internal_sender_access

But we are a hosting provider, and have some customers with dedicated CPanel shared hosting servers.
All these servers are refused.
Thanks to shawniverson, we found that it's wrong in our case to simply add an IP range.
We deleted the IP range and added ONLY our own CPanel servers, which are under the protection of our EFAs.
Now this how-to seems to work like it should. I made the change 1 hour ago, but we receive over 1000 ham emails per hour.
If this is not working like we hope, I will comment on this post.
Keep up the good job, shawniverson
:arrow: always fighting spams ... :hand:
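
A small model of the lookups configured in the how-to, which also reproduces the rejection described in the reply above (a client inside an "internal" range sending from a domain that is not in the internal list). This is an added example, not part of the thread or of EFA: it simulates only the `check_client_access` step (the earlier restrictions in `smtpd_sender_restrictions` are not modeled), the function names are invented for illustration, and the table contents are constructed from the posts' placeholder domain.

```python
import ipaddress

# Constructed copies of the how-to's tables, using its placeholder domain.
NETWORK_SENDER_ACCESS = [
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/16", "internal_sender_access"),
    ("10.0.0.0/8", "internal_sender_access"),
    ("172.16.0.0/12", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]
SENDER_TABLES = {
    "internal_sender_access": {"mydomain1.tld": "OK", "<>": "OK"},
    "external_sender_access": {"mydomain1.tld": "REJECT"},
}
# Last restriction in each class, applied when the sender lookup finds nothing.
CLASS_FALLBACK = {"internal_sender_access": "REJECT", "external_sender_access": "PERMIT"}


def client_class(client_ip):
    """cidr: tables are searched in order; the first matching network wins."""
    addr = ipaddress.ip_address(client_ip)
    for network, cls in NETWORK_SENDER_ACCESS:
        net = ipaddress.ip_network(network)
        if addr.version == net.version and addr in net:
            return cls
    return None  # no entry matched: check_client_access makes no decision


def sender_lookup(sender, table):
    """Approximate check_sender_access key order: address, domain, parent domains."""
    if sender == "":
        return table.get("<>")  # the null sender is looked up as "<>" by default
    labels = sender.rsplit("@", 1)[-1].lower().split(".")
    keys = [sender.lower()] + [".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_stage(client_ip, sender):
    """Outcome of the check_client_access step for one (client IP, MAIL FROM) pair."""
    cls = client_class(client_ip)
    if cls is None:
        return "DUNNO"
    action = sender_lookup(sender, SENDER_TABLES[cls])
    if action == "OK":
        return "PERMIT"
    return action or CLASS_FALLBACK[cls]
```

On a live system the same lookups can be checked against the real files with `postmap -q`, for example `postmap -q 203.0.113.9 cidr:/etc/postfix/network_sender_access`. The `DUNNO` result for an IPv6 client reflects that the example table lists only IPv4 networks.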

cowboy6
Posts: 5
Joined: 17 Aug 2016 10:54

Re: How-to Prevent external sender spoofing to EFA

Post by cowboy6 » 22 Feb 2018 13:28

A correct TXT entry inside DNS for your domain (https://www.spfwizard.net/) and enabled SPF checking should be enough to prevent spoofing emails (https://www.howtoforge.com/postfix_spf).

ziain
Posts: 5
Joined: 30 Sep 2017 12:44

Re: How-to Prevent external sender spoofing to EFA

Post by ziain » 27 Sep 2018 09:02

I may be a bit late with this, but when I followed Shawn's instructions above I was unable to receive any emails. I changed the code from:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access

to:

smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access cidr:/etc/postfix/network_sender_access

And mail flowed in OK after that. I don't know if the rules are effective as of yet though.
