Hi,

I'm struggling with trying to determine for sure if my domain is protected from spoofing (and backscatter) attacks. I'm also working on building an SPF record, but would like to do what I can with postfix first.

It is my understanding that SPF will block based on invalid envelope-sender, not the "From:" address, which is what I'm trying to achieve here.

It's also my understanding that this is done through the use of check_helo_access, correct?

This mail server is an Internet relay (postfix-2.10.5 on fedora) which forwards mail to an internal Exchange system. The Exchange system is responsible for all outbound mail. The only mail being sent from this relay system is to the Exchange system, and bounces or other undeliverable messages.

At one point I had a helo_checks file defined that contained something like:

example.com   REJECT You are not my domain

but I was hesitant because I wasn't sure it was correct and wasn't sure of all the hosts in the domain that could be sending mail through this relay.

In my helo_checks file I have only my IP and a few others that were improperly being rejected:

64.11.22.55    OK
123.222.8.40   OK

I also have a helo_checks.pcre file that contains:

/./ reject_invalid_helo_hostname

I'm confused, and hope someone could help me understand what I might be missing. I've included my postconf output below.

Is my configuration currently blocking all attempts at sending mail "From" my domain without having originated from servers within my domain?

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_files = alias,forward
always_bcc = bcc-user
biff = no
body_checks = regexp:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_process_limit = 200
delay_warning_time = 4h
disable_vrfy_command = yes
fallback_relay =
header_checks = pcre:/etc/postfix/header_checks.pcre pcre:/etc/postfix/header_checks-jimsun.pcre
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 24000000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = example.com
myhostname = mail01.example.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 64.11.22.0/27
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
        dnsbl.sorbs.net=127.0.0.10*8 b.barracudacentral.org*7
        dnsbl.sorbs.net=127.0.0.5*6 mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
        bl.mailspike.net*4 bl.spamcop.net*4
        bl.spameatingmonkey.net*4 mykey.zen.dq.spamhaus.net=127.0.0.3*4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:11}s
postscreen_whitelist_interfaces = static:all 64.11.22.0/24
queue_directory = /var/spool/postfix
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $transport_maps, example.com, cs.example.com, example.com
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_checks,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre
        check_client_access cidr:/etc/postfix/client_access_blocklist
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient, permit_mynetworks,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/sender_checks,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_helo_access hash:/etc/postfix/helo_checks,
        reject_invalid_helo_hostname,
        check_policy_service inet:127.0.0.1:2501,
        check_recipient_access pcre:/etc/postfix/relay_recips_access,
        check_recipient_access pcre:/etc/postfix/recipient_checks, permit
smtpd_sender_restrictions = check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf check_sender_access hash:/etc/postfix/sender_checks, reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual

Thanks,
Alex
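Added example, not part of the post: a small Python model of the access(5) lookups behind the check_sender_access and check_helo_access entries in the configuration above, walked in the post's order (permit_mynetworks first). check_sender_access keys on the envelope MAIL FROM and check_helo_access on the HELO/EHLO argument; the From: header is passed in only to make visible that neither restriction reads it. The mynetworks and helo_checks values are taken from the post (including the example.com REJECT line the author once had); the sender_checks entry is an assumption, since the post does not show that table.

```python
import ipaddress

# Constructed from the post: mynetworks, the hash:helo_checks table (with the
# example.com REJECT line the author once had) and an assumed sender_checks
# entry, since the post does not show that table's contents.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "192.168.1.0/24", "64.11.22.0/27")]
HELO_CHECKS = {"64.11.22.55": "OK", "123.222.8.40": "OK",
               "example.com": "REJECT You are not my domain"}
SENDER_CHECKS = {"example.com": "REJECT envelope sender claims our domain"}  # assumed

def lookup_keys(key):
    """Keys Postfix tries in a hash: access(5) map, most specific first:
    IPv4 address -> address, then shorter leading-octet prefixes;
    hostname -> name, then each parent domain (Postfix 2.10 puts
    smtpd_access_maps in parent_domain_matches_subdomains by default);
    email address -> full address, then domain and parents, then user@."""
    key = key.lower().strip("[]")
    if "@" in key:
        user, domain = key.rsplit("@", 1)
        return [key] + lookup_keys(domain) + [user + "@"]
    labels = key.split(".")
    if all(label.isdigit() for label in labels):
        return [".".join(labels[:i]) for i in range(len(labels), 0, -1)]
    return [".".join(labels[i:]) for i in range(len(labels))]

def access_lookup(table, key):
    """Return (matched_key, action); (None, 'DUNNO') when nothing matches."""
    for k in lookup_keys(key):
        if k in table:
            return k, table[k]
    return None, "DUNNO"

def evaluate(client_ip, helo, mail_from, from_header):
    """Walk the post's order: permit_mynetworks, check_sender_access (keys on
    the envelope MAIL FROM), check_helo_access (keys on the HELO argument).
    from_header is a parameter only to make visible that no step reads it."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "OK", "permit_mynetworks"
    hit, action = access_lookup(SENDER_CHECKS, mail_from)
    if action.startswith("REJECT"):
        return "REJECT", f"check_sender_access matched {hit}"
    hit, action = access_lookup(HELO_CHECKS, helo)
    if action.startswith("REJECT"):
        return "REJECT", f"check_helo_access matched {hit}"
    if action == "OK":
        return "OK", f"check_helo_access matched {hit}"
    return "DUNNO", "no access table matched; later restrictions decide"
```

Calling evaluate() with an outside client whose envelope sender and HELO are both foreign but whose From: header names example.com returns DUNNO, which is the behaviour these two restrictions have regardless of the header; a subdomain HELO such as mail.example.com is caught by the example.com entry through the parent-domain fallback.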
