Hi, I'm trying to configure postfix-3.0.2 to reject mail trying to spoof my domain in the envelope FROM address without rejecting my own domain, and I'm doing something wrong.
I've set up check_sender_access to INFO on the entries until I can get this figured out, but here is an example of it logging an attempt to otherwise block an email from one of our outbound mail servers:

  Dec 9 12:45:10 mail01 postfix/smtpd[21422]: NOQUEUE: info: RCPT from relay.example.com[206.XXX.YYY.11]: example.com in your envelope sender not allowed; from=<csd...@example.com> to=<16...@dom1.example.com> proto=ESMTP helo=<relay.example.com>

In /etc/postfix/sender_checks I have:

  example.com INFO example in your envelope sender not allowed

Why does it not know that relay.example.com is within my domain and should be trusted?

I've even tried adding "relay.example.com OK" and "206.XXX.YYY.11 OK" to my sender_checks. I've also postmap'd them and reloaded postfix after every change.

I have my own domain in mydestination and my own networks in mynetworks.

I've included my postconf below in hopes someone could help me figure this out.

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_files = alias,forward
always_bcc = bcc-user
biff = no
body_checks = regexp:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_process_limit = 200
delay_warning_time = 4h
disable_vrfy_command = yes
fallback_relay =
header_checks = pcre:/etc/postfix/header_checks.pcre pcre:/etc/postfix/header_checks-jimsun.pcre
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 24000000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = example.com
myhostname = mail01.example.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.XXX.YYY.40/29, 64.XXX.YYY.0/27, 208.XXX.YYY.0/24
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr, cidr:/etc/postfix/gmail_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.10*8
    b.barracudacentral.org*7
    dnsbl.sorbs.net=127.0.0.5*6
    mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
    bl.mailspike.net*4
    bl.spamcop.net*4
    bl.spameatingmonkey.net*4
    mykey.zen.dq.spamhaus.net=127.0.0.3*4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:11}s
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $transport_maps, example.com, cs.example.com, example.com
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_checks,
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
    check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
    check_client_access cidr:/etc/postfix/client_access_blocklist
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,
    permit
smtpd_sender_restrictions = check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
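
An added example, not part of the original post and not Postfix code: a simplified Python model of how a sender restriction list is evaluated, showing that check_sender_access keys only on the envelope sender (never the client hostname or IP) and that permit_mynetworks placed ahead of it exempts trusted clients. The IP addresses, table contents and the REJECT action (standing in for the INFO entry once it is enforced) are constructed assumptions.

```python
import ipaddress

def sender_lookup_keys(sender):
    """Keys tried against a hash: table by check_sender_access, in order:
    user@domain, the domain and its parent domains, then user@ (see access(5))."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{local}@{domain}"] + parents + [local + "@"]

def evaluate(restrictions, client_ip, sender, mynetworks, sender_table):
    """Walk one restriction list left to right; the first decisive result wins.
    Returns (what matched, action). A permit only ends this one list."""
    ip = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(net) for net in mynetworks):
                return ("permit_mynetworks", "OK")
        elif name == "check_sender_access":
            for key in sender_lookup_keys(sender):
                if key in sender_table:
                    return (key, sender_table[key])
    return (None, "DUNNO")

# Constructed sample data (documentation address ranges, not the poster's).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
RELAY_IP, OUTSIDE_IP = "192.0.2.11", "198.51.100.7"
SENDER_TABLE = {
    "example.com": "REJECT",     # anti-spoofing entry
    "relay.example.com": "OK",   # client hostname: only matches senders @relay.example.com
    "192.0.2.11": "OK",          # client IP: never a sender lookup key
}

def demo():
    sender = "user@example.com"
    # check_sender_access alone: the relay's own mail hits the spoofing entry.
    alone = evaluate(["check_sender_access"], RELAY_IP, sender,
                     MYNETWORKS, SENDER_TABLE)
    ordered = ["permit_mynetworks", "check_sender_access"]
    # Trusted client is permitted before the sender table is consulted.
    trusted = evaluate(ordered, RELAY_IP, sender, MYNETWORKS, SENDER_TABLE)
    # An outside client using the same envelope sender is still caught.
    outside = evaluate(ordered, OUTSIDE_IP, sender, MYNETWORKS, SENDER_TABLE)
    return alone, trusted, outside

if __name__ == "__main__":
    for result in demo():
        print(result)
```
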