spoofed domain emails coming through
Afternoon,
Had a few emails recently that have come through with the sender's email as one of ours. Is there a way to make it not accept the email if the sender is our domain? They should only come from our Exchange server.
Thanks
Re: spoofed domain emails coming through
Yes!
If only you are serving your domain, no one should be allowed to come and claim that he is you.
To do that, use smtpd_restriction_classes with Postfix.
Add things like this in /etc/postfix/main.cf:
smtpd_restriction_classes = external_sender_access, internal_sender_access
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access, reject
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access, permit
Add "check_client_access cidr:/etc/postfix/network_sender_access" to smtpd_sender_restrictions with all the other rules you have there.
Example:
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/network_sender_access
Creating the files:
/etc/postfix/network_sender_access:
(change 192.168.0.0 to your network segment using CIDR (/24, /16, etc.))
Code:
# localhost
127.0.0.0/24        internal_sender_access
# Inside Networks
192.168.0.0/24      internal_sender_access
# Everything else
0.0.0.0/0           external_sender_access
/etc/postfix/internal_sender_access:
with the domains you are serving..
Code:
example.com OK
/etc/postfix/external_sender_access:
Code:
example.com REJECT Bad MAIL FROM: You're not from here!
Build the db files, run:
postmap /etc/postfix/network_sender_access
postmap /etc/postfix/internal_sender_access
postmap /etc/postfix/external_sender_access
Restart Postfix:
service postfix restart
Done.
Try it from outside, connect..
telnet mail.example.com 25
220 mail.example.com ESMTP Mail Service Ready
helo mail.somehelo.com
250 efa.example.com
mail from: fake@example.com
250 2.1.0 Ok
rcpt to: user@example.com
554 5.7.1 <fake@example.com>: Sender address rejected: Bad MAIL FROM: You're not from here!
Good luck,
Zohman.
Re: spoofed domain emails coming through
Useful!
Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.
Re: spoofed domain emails coming through
Perfect Thanks
Re: spoofed domain emails coming through
Could this be added to the system permanently? The amount of mail I'm stopping now is huge - over 1000 emails in 1 day.
Thanks
Re: spoofed domain emails coming through
Hi pdwalker,
pdwalker wrote:
> Useful!
> Just remember that you may not want to do this if you have valid mobile users that send mail via an external smtp server. This is my case, so I cannot turn it on. Blerg.
You should use it all the time in any case!
If you have an external SMTP server that sends on behalf of your sender domain
to the same recipient domain on EFA, add its IP as internal_sender_access in the /etc/postfix/network_sender_access list.
Code:
# localhost
127.0.0.0/24        internal_sender_access
# Inside Networks
192.168.0.0/24      internal_sender_access
# External SMTP Example
82.92.223.14        internal_sender_access
# Pool of External SMTPs Examples (network address must have no host bits set)
212.111.154.0/27    internal_sender_access
# Everything else
0.0.0.0/0           external_sender_access
Great.
sharktech wrote:
> Could this be added to the system permanently? The amount of mail I'm stopping now is huge - over 1000 emails in 1 day.
> Thanks
shawniverson should take a note,
anyway, if it won't be implemented with the upgrade,
just back up the Postfix config files for the new system.
Regards,
Zohman.
Re: spoofed domain emails coming through
I would, if I knew in advance every possible smtp server they might use, but for a lot of my mobile users, they have to customize their smtp settings for each country they are in. It's annoying. Also, VPNs are frequently blocked to prevent "backdoor" access to the Internet.
Still a useful tip though.
I wonder how much junk is coming in with spoofed domains on my system anyway? I think I'll check.
Re: spoofed domain emails coming through
RFC Alert,
sharktech wrote:
> Could this be added to the system permanently? The amount of mail I'm stopping now is huge - over 1000 emails in 1 day.
> Thanks
OK, there is another thing we need to add..

I noticed that EFA won't let bounce messages get out from Exchange..
After a little investigation I saw that Exchange is sending those bounces with MAIL FROM: <>
and this is why the bounces are not taking off: we restricted the allowed domains in internal_sender_access
to example.com only, so MAIL FROM: <> internally is forbidden.
I tried to figure out how to change the Exchange behavior so it will bounce
with the MAIL FROM: envelope set like the From: postmaster@example.com header.
On my way to figuring it out I found that mail servers are required to support it (RFC 1123 section 5.2.9):
"The syntax shown in RFC-821 for the MAIL FROM: command omits the case
of an empty path: "MAIL FROM: <>" (see RFC-821 Page 15). An empty reverse path MUST be supported."
It's used primarily for bounce messages, to prevent an endless loop.
When MAIL FROM is used with an empty address (represented as <>),
the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.
Solution to comply with the RFC:
just add "<> ok" in /etc/postfix/internal_sender_access
Code:
example.com    OK
<>             OK
Zohman.
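The verdicts the three tables in this thread produce for a given client IP and envelope sender, including the empty MAIL FROM: <> bounce case and the roaming-user caveat, modelled as an added example (not code from the thread or from Postfix). The sender lookup is simplified to full address then domain, the other entries in smtpd_sender_restrictions are left out, and the client IPs are constructed.

```python
import ipaddress

# Constructed copies of the tables from the thread; the cidr table is first-match-wins.
NETWORK_SENDER_ACCESS = [
    ("127.0.0.0/24", "internal_sender_access"),
    ("192.168.0.0/24", "internal_sender_access"),
    ("0.0.0.0/0", "external_sender_access"),
]
INTERNAL_SENDER_ACCESS = {"example.com": "OK"}
EXTERNAL_SENDER_ACCESS = {"example.com": "REJECT Bad MAIL FROM: You're not from here!"}


def sender_lookup(table, mail_from):
    """Simplified check_sender_access: full address, then domain; '<>' for the null sender."""
    if mail_from == "":
        return table.get("<>")
    addr = mail_from.lower()
    return table.get(addr) or table.get(addr.rpartition("@")[2])


def decide(client_ip, mail_from, internal=INTERNAL_SENDER_ACCESS, external=EXTERNAL_SENDER_ACCESS):
    """Return (restriction_class, verdict) for one SMTP transaction."""
    ip = ipaddress.ip_address(client_ip)
    cls = next((c for net, c in NETWORK_SENDER_ACCESS if ip in ipaddress.ip_network(net)), None)
    if cls is None:
        return None, "dunno"  # no table entry matched; later restrictions would decide
    if cls == "internal_sender_access":
        # class body: check_sender_access ..., reject  (anything not listed is refused)
        hit = sender_lookup(internal, mail_from)
        return cls, "permit" if hit == "OK" else "reject"
    # class body: check_sender_access ..., permit  (only listed domains are refused)
    hit = sender_lookup(external, mail_from)
    return cls, "reject" if hit and hit.startswith("REJECT") else "permit"


def demo():
    """Walk the cases discussed in the thread; IPs outside 192.168.0.0/24 are constructed."""
    with_null = dict(INTERNAL_SENDER_ACCESS, **{"<>": "OK"})
    return [
        decide("203.0.113.7", "fake@example.com"),       # outside host spoofing our domain
        decide("203.0.113.7", "someone@example.org"),    # ordinary inbound mail
        decide("192.168.0.10", "user@example.com"),      # Exchange relaying our own mail
        decide("192.168.0.10", ""),                      # Exchange bounce before "<> OK"
        decide("192.168.0.10", "", internal=with_null),  # same bounce after "<> OK"
        decide("198.51.100.20", "user@example.com"),     # roaming user on a foreign SMTP relay
    ]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The fourth and sixth rows are the two side effects raised in the replies: internal bounces are refused until the null sender is listed, and legitimate users relaying through an unlisted server are treated like spoofers.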