How-to Prevent external sender spoofing to EFA
Posted: 21 Oct 2015 21:11
Original topic is here:
viewtopic.php?f=14&t=1237
Many thanks to zohman for his expertise. This is a slightly modified how-to.
(9/3/16 -- Using SPF/DKIM/DMARC in combination may be more suitable for more complex environments!)
This is a rather important thing to do in postfix to prevent mail from an external sender that claims to be from your own domain, i.e.
from: mydomain.tld
to: mydomain.tld
from getting past postfix into your domain because your domain is in the transport and relay maps.
(plan to integrate this into EFA...see issue https://github.com/E-F-A/v3/issues/215)
Note that you may need to take into consideration other external relaying that you want to allow (e.g. legit mobile users).
Step 1
Add the following to /etc/postfix/main.cf:
Code:
smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit
Step 2
Replace the following in /etc/postfix/main.cf. We are basically tossing out /etc/postfix/sender_access in favor of the internal and external variants above to make it more granular.
Change from:
Code:
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
Change to:
Code:
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access
Step 3
Create /etc/postfix/network_sender_access. This selects the appropriate sender access list based on the originating IP address.
Example:
Code:
# localhost
127.0.0.0/24 internal_sender_access
# Inside Networks
192.168.0.0/16 internal_sender_access
10.0.0.0/8 internal_sender_access
172.16.0.0/12 internal_sender_access
# Everything else
0.0.0.0/0 external_sender_access
Step 4
Create /etc/postfix/internal_sender_access
Example:
Code:
mydomain1.tld OK
mydomain2.tld OK
mydomain3.tld OK
<> OK
(the last line allows the empty reverse path, <>, required by RFC 821)
Step 5
Create /etc/postfix/external_sender_access
Example:
Code:
mydomain1.tld REJECT
mydomain2.tld REJECT
mydomain3.tld REJECT
Step 6
Postmap everything to build the database files
Code:
sudo postmap /etc/postfix/network_sender_access
sudo postmap /etc/postfix/internal_sender_access
sudo postmap /etc/postfix/external_sender_access
Step 7
Restart postfix
Code:
sudo service postfix restart
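To see what the tables from Steps 1 to 5 actually decide before touching a live server, here is an added example (my own code, not from the original post, from zohman or from EFA) that models Postfix's lookup logic in Python: first-match on the cidr: table for the client address, then the key order of check_sender_access (full address, domain, parent domains, localpart@, or <> for the null sender), then the class default. The three tables are constructed copies of the ones above; the client addresses (203.0.113.5, 192.168.1.20, 2001:db8::1) and sender addresses are sample values I made up.

```python
import ipaddress

# Added example: a small model of the lookups Postfix performs for the
# configuration in this how-to. It is not Postfix code; it only mimics the
# first-match rule of cidr: tables, the key order of check_sender_access
# and the class defaults, so the effect of the setup can be seen offline.

# Constructed copies of the three tables created in Steps 3 to 5.
NETWORK_SENDER_ACCESS = [            # cidr: table, matched top to bottom
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/16", "internal_sender_access"),
    ("10.0.0.0/8", "internal_sender_access"),
    ("172.16.0.0/12", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]
INTERNAL_SENDER_ACCESS = {"mydomain1.tld": "OK", "mydomain2.tld": "OK",
                          "mydomain3.tld": "OK", "<>": "OK"}
EXTERNAL_SENDER_ACCESS = {"mydomain1.tld": "REJECT", "mydomain2.tld": "REJECT",
                          "mydomain3.tld": "REJECT"}

# smtpd_restriction_classes from Step 1: (table, action when nothing matches)
RESTRICTION_CLASSES = {
    "internal_sender_access": (INTERNAL_SENDER_ACCESS, "reject"),
    "external_sender_access": (EXTERNAL_SENDER_ACCESS, "permit"),
}


def select_class(client_ip):
    """check_client_access cidr:... : first matching class, or None."""
    ip = ipaddress.ip_address(client_ip)
    for network, result in NETWORK_SENDER_ACCESS:
        # An IPv6 client never matches an IPv4 network, so 0.0.0.0/0 does
        # not cover IPv6 connections (a ::/0 line would be needed for that).
        if ip in ipaddress.ip_network(network):
            return result
    return None


def sender_lookup_keys(sender):
    """Keys check_sender_access tries, in order: full address, domain,
    parent domains, then localpart@. The null sender is looked up as <>."""
    if sender in ("", "<>"):
        return ["<>"]
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def apply_class(class_name, sender):
    """Table lookup for the class, falling back to the class default."""
    table, default = RESTRICTION_CLASSES[class_name]
    for key in sender_lookup_keys(sender):
        if key in table:
            return "permit" if table[key] == "OK" else "reject"
    return default


def decide(client_ip, sender, sasl_authenticated=False):
    """Model of the smtpd_sender_restrictions list from Step 2.
    reject_non_fqdn_sender / reject_unknown_sender_domain are not modelled
    (they need DNS); the sample senders below would pass them."""
    if sasl_authenticated:            # permit_sasl_authenticated comes first
        return "permit"
    class_name = select_class(client_ip)
    if class_name is None:
        # No cidr entry matched: the list ends without a decision, and the
        # implicit end-of-list action for a restriction list is permit.
        return "permit"
    return apply_class(class_name, sender)


if __name__ == "__main__":
    samples = [
        ("203.0.113.5", "ceo@mydomain1.tld", False),   # outsider using our domain
        ("192.168.1.20", "ceo@mydomain1.tld", False),  # inside host, own domain
        ("203.0.113.5", "bob@example.org", False),     # normal inbound mail
        ("192.168.1.20", "bob@example.org", False),    # inside host, foreign domain
        ("203.0.113.5", "ceo@mydomain1.tld", True),    # authenticated mobile user
        ("203.0.113.5", "<>", False),                  # bounce from outside
        ("2001:db8::1", "ceo@mydomain1.tld", False),   # IPv6 client
    ]
    for ip, sender, sasl in samples:
        print(f"{ip:>15} {sender:<22} sasl={sasl!s:<5} -> {decide(ip, sender, sasl)}")
```

Three things the sample run makes visible that the tables alone do not: the internal class rejects every sender domain that is not listed (an inside host sending as a foreign domain is refused), the 0.0.0.0/0 catch-all does not match IPv6 clients, so a postfix instance listening on IPv6 needs a ::/0 line as well, and the cidr: file is read directly by Postfix without a .db file (running postmap on it as in Step 6 is harmless but not required). On the real server the same lookups can be checked against the built maps with, for instance, `postmap -q mydomain1.tld hash:/etc/postfix/external_sender_access`, which prints REJECT.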