One more problem I spotted while having this situation is that SPF checking
is not done automagically for subdomains. I learn something new every day.

You have domain.tld and SPF set up with -all.
If your FQDN is mail.domain.tld, there will be no SPF check for it in case
of spoofing.

To counter this, add the following extra in your DNS setup:
mx.domain.tld.  IN      TXT     "v=spf1 a -all"
mail.domain.tld.        IN      TXT     "v=spf1 a -all"

smtp, etc

Now, even if you do not have the check_recipient_access / mail.domain.tld
REJECT REASON in Postfix, you will be protected by SPF in case of weird
spoof attacks.
Hope it will help someone.



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Strange-spoof-problem-tp62897p62899.html
Sent from the Postfix Users mailing list archive at Nabble.com.
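
An added example, not part of the original post: a small audit that checks whether each mail-related hostname carries its own SPF TXT record, since the lookup is done on the exact name and never falls back to the parent domain. The zone contents and the host list are constructed sample data.

```python
import re

# Constructed sample zone (assumption): the apex, mx and mail publish SPF,
# smtp has only an unrelated TXT record, relay uses softfail.
SAMPLE_ZONE = '''
domain.tld.        IN TXT "v=spf1 mx -all"
mx.domain.tld.     IN TXT "v=spf1 a -all"
mail.domain.tld.   IN TXT "v=spf1 a -all"
smtp.domain.tld.   IN TXT "site-verification=constructed"
relay.domain.tld.  IN TXT "v=spf1 a ~all"
'''

# owner [ttl] [IN] TXT "value"
TXT_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"(.*)"\s*$', re.I)

def parse_txt_records(zone_text):
    """Map each owner name (lowercase, no trailing dot) to its TXT strings."""
    records = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = TXT_LINE.match(line)
        if m:
            records.setdefault(m.group(1).lower().rstrip("."), []).append(m.group(2))
    return records

def spf_status(records, host):
    """Exact-name lookup only: a parent's SPF record does not cover this host."""
    txts = records.get(host.lower().rstrip("."), [])
    spf = [t for t in txts
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return "missing"      # a forged sender at this name gets no SPF verdict
    if len(spf) > 1:
        return "multiple"     # more than one SPF record is a permerror (RFC 7208)
    return "hardfail" if spf[0].split()[-1].lower() == "-all" else "weak"

def audit(zone_text, hosts):
    """Return {host: status} for every hostname that can appear as a sender."""
    records = parse_txt_records(zone_text)
    return {h: spf_status(records, h) for h in hosts}

if __name__ == "__main__":
    names = ["domain.tld", "mx.domain.tld", "mail.domain.tld",
             "smtp.domain.tld", "relay.domain.tld", "www.domain.tld"]
    for host, status in audit(SAMPLE_ZONE, names).items():
        print(f"{host:20} {status}")
```

Any host reported as missing needs its own record, in the same form as the mx and mail entries in the post.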
