Hello, You should have a look at DMARC. If you announce a reject policy in your DNS and configure opendmarc milter on your inbound MX, that will do what you want.
Alexandre Quoting Andre Luiz Paiz <andre.p...@iqm.unicamp.br>: Quoting DTNX Postmaster <postmas...@dtnx.net>: On 04 Aug 2014, at 19:25, Andre Luiz Paiz <andre.p...@iqm.unicamp.br> wrote: I´m receiving some e-mails coming from outside with the FROM pointing to my local domain. This causes confusion on my antispam tools. Ex: I received an e-mail from the internet with webmas...@iqm.unicamp.br (which is my domain) as FROM. How can I make postfix to accept incoming e-mails from mydomain (iqm.unicamp.br) only if they are sended from my smtp mail servers? I do not use virtual domains. Single domain only. CentOS 6.5 with postfix 2.6.6 You seem to have a rather extensive SPF record; == $ dig +short txt iqm.unicamp.br "v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1 ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 ip4:143.106.10.159 ip4:143.106.161.133 ip4:186.202.4.42 a:faunus.unicamp.br a:pq.cnpq.br a: uranus.scholarone.com -all" == I'd suggest you use that? You've already declared which servers are allowed to send, so you could use that to weed out any forgeries coming in from the outside. Remember to do the SPF check after permitting SASL clients, if you have any; http://www.postfix.org/postconf.5.html#permit_sasl_authenticated Mvg, Joni Scanned and tagged with DSPAM 3.10.2 by Instituto de Quimica - Unicamp !DSPAM:1118,53dfc4d423587069865541! Dear Joni, Thanks for your answer. I use Spamassassin to check SPF records for all external domains, because it can apply scores to message instead of blocking them. When I was blocking SPF records with errors, I received a lot of complainings about false positives. I also fixed my SPF records. Thanks for that. What do you suggest that I should do? I permit SASL authenticated only on the submission port, but some servers in the internal network are allowed to deliver message in the smtp default port (specified in the permit my_networks variable). Is there an alternative? My submission restrictions in master.cf: submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=$mydomain -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=$policyd,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject -o smtpd_milters=inet:localhost:8891 -o non_smtpd_milters=inet:localhost:8891 -o disable_vrfy_command=no Default configuration in main.cf smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_unknown_client_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org Atenciosamente *André Luiz Paiz* *Analista de Redes* *Instituto de Química - Unicamp* *andre.p...@iqm.unicamp.br <andre.p...@iqm.unicamp.br>* *Telefone: (19)3521-0197* Good morning, Does anybody have some tips to help me? Thanks Atenciosamente *André Luiz Paiz* *Analista de Redes* *Instituto de Química - Unicamp* *andre.p...@iqm.unicamp.br <andre.p...@iqm.unicamp.br>* *Telefone: (19)3521-0197*
