Quoting Alexandre Ellert <aell...@numeezy.com>:

Hello,

  You should have a look at DMARC.
If you announce a reject policy in your DNS and configure opendmarc
milter on your inbound MX, that will do what you want.

  Alexandre

    _Quoting Andre Luiz Paiz <andre.p...@iqm.unicamp.br>:_

_Quoting DTNX Postmaster <postmas...@dtnx.net>:_

_On 04 Aug 2014, at 19:25, Andre Luiz Paiz <andre.p...@iqm.unicamp.br>
wrote:_

_I'm receiving some e-mails coming from outside with the FROM
pointing to my local domain. This causes confusion on my antispam
tools.
Ex: I received an e-mail from the internet with
webmas...@iqm.unicamp.br (which is my domain) as FROM. How can I make
postfix accept incoming e-mails from mydomain (iqm.unicamp.br[1])
only if they are sent from my smtp mail servers?

I do not use virtual domains. Single domain only.
CentOS 6.5 with postfix 2.6.6_

_You seem to have a rather extensive SPF record;

==
$ dig +short txt iqm.unicamp.br
"v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1
ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12
ip4:143.106.10.159 ip4:143.106.161.133 ip4:186.202.4.42
a:faunus.unicamp.br a:pq.cnpq.br a:uranus.scholarone.com -all"
==

I'd suggest you use that? You've already declared which servers are
allowed to send, so you could use that to weed out any forgeries
coming in from the outside.

Remember to do the SPF check after permitting SASL clients, if you
have any;

http://www.postfix.org/postconf.5.html#permit_sasl_authenticated

Mvg,
Joni_


_Dear Joni,
Thanks for your answer.

I use SpamAssassin to check SPF records for all external domains,
because it can apply scores to messages instead of blocking them. When I
was blocking SPF records with errors, I received a lot of complaints
about false positives.

I also fixed my SPF records. Thanks for that.

What do you suggest that I should do? I permit SASL authenticated only
on the submission port, but some servers in the internal network are
allowed to deliver messages on the default smtp port (specified in the
permit my_networks variable).

Is there an alternative?

My submission restrictions in master.cf[6]:
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$mydomain
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$policyd,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_milters=inet:localhost:8891
  -o non_smtpd_milters=inet:localhost:8891
  -o disable_vrfy_command=no

Default configuration in main.cf[7]
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_non_fqdn_helo_hostname,
    reject_unknown_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org_
     _Regards
 
/André Luiz Paiz/
/Network Analyst/
/Instituto de Química – Unicamp/
/andre.p...@iqm.unicamp.br/
/Telephone: (19)3521-0197/_



_Good morning,
Does anybody have some tips to help me?

Thanks_
    _Regards
 
/André Luiz Paiz/
/Network Analyst/
/Instituto de Química – Unicamp/
/andre.p...@iqm.unicamp.br/
/Telephone: (19)3521-0197/_


Thanks Alexandre, I will take a look into it.

Links:
------
[1] http://iqm.unicamp.br
[2] http://143.106.51.0/24
[3] http://faunus.unicamp.br
[4] http://pq.cnpq.br
[5] http://uranus.scholarone.com
[6] http://master.cf
[7] http://main.cf
[8] http://zen.spamhaus.org
[9] http://b.barracudacentral.org
 Regards
 
/André Luiz Paiz/
/Network Analyst/
/Instituto de Química – Unicamp/
/andre.p...@iqm.unicamp.br/
/Telephone: (19)3521-0197/
