MacShane, Tracy wrote:
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of itsramesh_s
Sent: Friday, 6 February 2009 4:25 PM
To: postfix-users@postfix.org
Subject: Sender-Recipient forged mail


Hi,

I have configured Postfix postfix-2.4.5-2.fc8. All mail users are
getting forged mails where sender and recipient are the same. We have
a secondary MX; I am sending both postconf outputs.

Please help me to stop forged mail.

Postconf -n of primary MTA
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_pipelining,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_unauth_destination

You could do with a whole lot more smtpd restrictions, such as
reject_non_fqdn_recipient, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,  reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname (or
reject_unknown_client_hostname, but this tends to give a lot of false
positives due to admins who can't configure DNS properly,
unfortunately).

If all your senders are sending from hosts in mynetworks, then the
easiest method is to do  "check_sender_access
hash:/etc/postfix/sender_access" after reject_unauth_destination (and
permit_mynetworks, of course), where /etc/postfix/sender_access is as
follows:

mydomain.com        REJECT Mail from our senders must come from our hosts

Well,
I'd change this part (from primary MX):

smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, permit_mx_backup

by adding check_sender_access hash:/etc/postfix/sender_access
after permit_mx_backup
Contents also as Tracy wrote.
Of course while you are allowing mail from authenticated users and my_networks, it should allow all your users to send mail (not only from my_networks but also authenticated users from "outside").

A good idea is to take advantage of RBLs, like zen.spamhaus.org.
I also get good results from checking whether addresses contain an FQDN:
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
right after permit_sasl_authenticated and permit_mynetworks

And you could simplify your config. E.g. it's no use to have permit_sasl_authenticated in sender_restrictions if you have it in recipient_restrictions. Probably the clearest way is to combine all rules from sender and recipient restrictions in smtp_recipient_restrictions - you'll have a very good view of the order of the rules.


Pawel
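
Added example, not part of the thread and not Postfix code: a small Python model of first-match restriction evaluation, showing why check_sender_access has to come after permit_sasl_authenticated and permit_mynetworks, as both replies above say. The IP ranges, example.org and the session records are constructed; the restriction functions are simplified stand-ins (the sender lookup checks the domain only, and only mydomain.com counts as a local destination).

```python
import ipaddress

# Constructed sample values; only mydomain.com and the REJECT text are from the thread.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MYDOMAIN = "mydomain.com"
SENDER_ACCESS = {MYDOMAIN: "REJECT Mail from our senders must come from our hosts"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

# Each restriction returns a verdict string, or None ("no opinion, try the next one").
def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else None

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None

def reject_unauth_destination(s):
    # Simplified: only MYDOMAIN counts as a destination we accept mail for.
    return None if domain_of(s["rcpt"]) == MYDOMAIN else "REJECT Relay access denied"

def check_sender_access(s):
    # Simplified: looks up the sender's domain only.
    return SENDER_ACCESS.get(domain_of(s["sender"]))

def evaluate(restrictions, session):
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict          # first decisive result ends the list
    return "PERMIT"                 # nothing objected

ORIGINAL = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination]
FIXED = ORIGINAL + [check_sender_access]
MISORDERED = [check_sender_access] + ORIGINAL   # map consulted too early

FORGED = {"client_ip": "203.0.113.5", "sasl_user": None,
          "sender": "user@mydomain.com", "rcpt": "user@mydomain.com"}
INTERNAL = dict(FORGED, client_ip="192.0.2.10")
ROAMING = dict(FORGED, sasl_user="user")
OUTSIDE = dict(FORGED, sender="alice@example.org")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        for label, sess in (("forged", FORGED), ("internal", INTERNAL),
                            ("roaming", ROAMING), ("outside", OUTSIDE)):
            print(f"{name:10} {label:8} -> {evaluate(rules, sess)}")
```

With the map consulted first (MISORDERED), mail from internal hosts and authenticated users is rejected as well, which is the ordering mistake both replies warn against.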
