Quoting DTNX Postmaster <postmas...@dtnx.net>:
On 04 Aug 2014, at 19:25, Andre Luiz Paiz <andre.p...@iqm.unicamp.br>
wrote:
I´m receiving some e-mails coming from outside with the FROM pointing
to my local domain. This causes confusion on my antispam tools.
Ex: I received an e-mail from the internet with
webmas...@iqm.unicamp.br (which is my domain) as FROM. How can I make
postfix to accept incoming e-mails from mydomain (iqm.unicamp.br) only
if they are sended from my smtp mail servers?
I do not use virtual domains. Single domain only.
CentOS 6.5 with postfix 2.6.6
You seem to have a rather extensive SPF record;
==
$ dig +short txt iqm.unicamp.br
"v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1
ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 ip4:143.106.10.159
ip4:143.106.161.133 ip4:186.202.4.42 a:faunus.unicamp.br a:pq.cnpq.br
a:uranus.scholarone.com -all"
==
I'd suggest you use that? You've already declared which servers are
allowed to send, so you could use that to weed out any forgeries coming
in from the outside.
Remember to do the SPF check after permitting SASL clients, if you have
any;
http://www.postfix.org/postconf.5.html#permit_sasl_authenticated
Mvg,
Joni
Scanned and tagged with DSPAM 3.10.2 by Instituto de Quimica - Unicamp
!DSPAM:1118,53dfc4d423587069865541!
Dear Joni,
Thanks for your answer.
I use Spamassassin to check SPF records for all external domains, because
it can apply scores to message instead of blocking them. When I was
blocking SPF records with errors, I received a lot of complainings about
false positives.
I also fixed my SPF records. Thanks for that.
What do you suggest that I should do? I permit SASL authenticated only on
the submission port, but some servers in the internal network are allowed
to deliver message in the smtp default port (specified in the permit
my_networks variable).
Is there an alternative?
My submission restrictions in master.cf:
submission inet n - n -
- smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$mydomain
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o
smtpd_recipient_restrictions=$policyd,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject
-o smtpd_milters=inet:localhost:8891
-o non_smtpd_milters=inet:localhost:8891
-o disable_vrfy_command=no
Default configuration in main.cf
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031,
permit_mynetworks,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_non_fqdn_helo_hostname,
reject_unknown_client_hostname,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org
Atenciosamente
/André Luiz Paiz/
/Analista de Redes/
/Instituto de Química – Unicamp/
/andre.p...@iqm.unicamp.br/
/Telefone: (19)3521-0197/
