On 6/18/2015 1:21 PM, Alex Regan wrote: > Hi, > > I'm trying to understand how to reject mail not within my domain > claiming it's from my domain. I understand body_checks can be used > to block mail "From:" my domain, and check_sender_access can be used > to block "MAIL FROM" my domain, but don't understand the > implications of doing that. > > I have postfix set up on a mail relay which accepts mail from the > Internet and forwards to an internal Exchange server. This Exchange > server is the only server responsible for outbound mail. > > There are no mobile users, but on occasion mail is sent from bulk > mailers as being "From:" our domain. I'm concerned that by > implementing body_checks or a sender map could reject these emails. > Do these bulk mailers generally have a common setup where they can > be configured to use smtp-auth for this? > > I'm hoping someone can provide some general guidance on how to > configure my system to permit trusted senders to use our domain > while spammers trying to use "From:" our domain are rejected. > > Is this type of spoofing generally a concern? Is typically SPF the > best approach? > > Thanks, > Alex
Use SPF to limit forgery by outside parties. This restricts use of the envelope sender, not the From: header. Note this may affect your recipients' ability to forward your mail elsewhere. Generally, you should ignore the contents of the From: header as a spam indicator. For example, this email says it's from me, but it's really from the postfix-users list. If you want to be strict about it, you can use a content filter such as SpamAssassin and add a little bit to the score based on the From: header, but it would be unwise to reject mail only because the From: header contains your domain. For example, you would never receive your own posts to this list. Note that sometimes mail arrives with a bare username in the From: header. Some configurations of postfix may add "@$myorigin" to the bare name. To prevent this, on your gateway set main.cf remote_header_rewrite_domain = domain.invalid http://www.postfix.org/ADDRESS_REWRITING_README.html#william -- Noel Jones
