On Wed, 29 Jul 2009, Matthew D. Fuller wrote:

> On Wed, Jul 29, 2009 at 03:03:43PM +0100 I heard the voice of
> Clunk Werclick, and lo! it spake thus:
>
> > My apologies for the terse caveat. As I understand it, there are
> > some external mail services that roaming users may use that forward
> > mail into your Postfix claiming to be from your domain. Myself I do
> > not use this.
>
> The problem doesn't come from what you use, but from what any of your
> users may somewhere use.
>
> Imagine you are example.com, and have two users, a...@example.com, and
> b...@example.com. a...@example.com sends mail to b...@someother.domain (which
> you don't control, and know nothing about, short of looking up its MX
> record and sending the mail on its way). But b...@someother.domain is
> just a forwarder and forwards the mail on to b...@example.com. That
> forwarder won't (and quite probably _shouldn't_) change the envelope
> sender. Suddenly, you have mail from "outside", with an envelope
> sender that's you, but is perfectly legitimate. And pretty common.
Much less common is a...@example.org sending to a...@someother.domain which
forwards back to a...@example.org. The OP might consider blocking messages
where both envelope sender and recipient == f...@example.org when
originating from an untrusted source.

-- 
Sahil Tandon <sa...@tandon.net>
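One way to implement the check suggested above, written here as a Postfix SMTPD policy service (added example, not code from the thread or from Postfix itself); the domain list and the socket name are assumptions, and the trust boundary comes from listing the service after permit_mynetworks and permit_sasl_authenticated so only untrusted clients ever reach it.

```python
"""Postfix SMTPD policy service: reject mail whose envelope sender and
recipient are the same address at one of our own domains (the check the
reply above suggests). Protocol per Postfix's SMTPD_POLICY_README.

Assumed main.cf wiring (added example); placing it after permit_mynetworks
and permit_sasl_authenticated is what limits the check to untrusted sources:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        check_policy_service unix:private/samesender, reject_unauth_destination
"""
import sys

OWN_DOMAINS = {"example.org"}  # constructed: the domains this server owns

def parse_request(text):
    """Turn one policy request (attribute=value lines) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line terminates the request
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs

def decide(attrs):
    """Return the Postfix action for one RCPT-stage request."""
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    # Empty sender (bounces) and the common a -> forwarder -> b case pass.
    if sender and sender == recipient and sender.rpartition("@")[2] in OWN_DOMAINS:
        return "REJECT envelope sender and recipient are the same local address"
    return "DUNNO"

def respond(request_text):
    """Reply Postfix expects: an action line followed by a blank line."""
    return "action=%s\n\n" % decide(parse_request(request_text))

def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests back to back on one connection (spawn(8) style)."""
    buf = []
    for line in inp:
        buf.append(line)
        if not line.strip():  # blank line: request complete
            out.write(respond("".join(buf)))
            out.flush()
            buf = []

if __name__ == "__main__":
    serve()
```

Legitimate a -> forwarder -> b traffic described earlier in the thread still passes, since only an exact sender/recipient match at an owned domain is rejected.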