On 12/9/2015 11:54 AM, Alex wrote:
> Hi,
>
> I'm trying to configure postfix-3.0.2 to reject mail trying to spoof
> my domain in the envelope FROM address without rejecting my own
> domain, and I'm doing something wrong.

Typically this is done something like:
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access hash:/path/to/reject_my_domain

> I've set up check_sender_access to INFO on the entries until I can get
> this figured out, but here is an example of it logging an attempt to
> otherwise block an email from one of our outbound mail servers:
>
> Dec 9 12:45:10 mail01 postfix/smtpd[21422]: NOQUEUE: info: RCPT from
> relay.example.com[206.XXX.YYY.11]: example.com in your envelope sender
> not allowed; from=<csd...@example.com> to=<16...@dom1.example.com>
> proto=ESMTP helo=<relay.example.com>
>
> In /etc/postfix/sender_checks I have:
>
> example.com INFO example in your envelope sender not allowed

Looks as if you're missing permit_mynetworks.

> Why does it not know that relay.example.com is within my domain and
> should be trusted? I've even tried adding "relay.example.com OK" and
> "206.XXX.YYY.11 OK" to my sender_checks.

Those are client names. check_sender_access is for the envelope sender
address.

> relay_domains = $transport_maps, example.com, cs.example.com, example.com

*DANGER*
Be aware that adding $transport_maps to relay_domains is unwise. You
become an open relay for any destination listed in $transport_maps,
which becomes a problem if you add a custom transport for hotmail,
gmail, etc.

> smtpd_client_restrictions = check_client_access
>     hash:/etc/postfix/client_checks,
>     check_reverse_client_hostname_access
>     pcre:/etc/postfix/fqrdns-042715a.pcre,
>     check_reverse_client_hostname_access
>     pcre:/etc/postfix/reverse_client_hostname_access.pcre,
>     check_client_access cidr:/etc/postfix/client_access_blocklist

Probably want to start the above with permit_mynetworks

> smtpd_helo_required = yes
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_recipient,
>     permit_mynetworks,
>     reject_unauth_destination,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,

reject_unknown_recipient_domain is not effective when used after
reject_unauth_destination. Probably just remove it, or move it above
permit_mynetworks to enforce this for your own users.

>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     check_policy_service inet:127.0.0.1:2501,
>     check_recipient_access pcre:/etc/postfix/relay_recips_access,
>     permit
> smtpd_sender_restrictions = check_sender_ns_access
>     hash:/etc/postfix/blacklist_ns.cf
>     check_sender_access hash:/etc/postfix/sender_checks,
>     reject_unknown_sender_domain

Missing permit_mynetworks.

> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps = hash:/etc/postfix/virtual

-- 
Noel Jones
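Noel's ordering point, as an added illustration that is not from the thread or from Postfix itself: a small Python model of Postfix's first-match restriction evaluation, run over the posted sender_checks entry with and without permit_mynetworks in front of it. The mynetworks ranges, client addresses and sender addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholders standing in for the thread's mynetworks and the
# masked relay address 206.XXX.YYY.11; the sender_checks entry mirrors the
# one Alex posted, with INFO replaced by the REJECT he is working towards.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("203.0.113.0/24")]
SENDER_CHECKS = {
    "example.com": "REJECT example.com in your envelope sender not allowed",
}

def permit_mynetworks(session):
    """PERMIT when the SMTP client address is inside mynetworks, else DUNNO."""
    ip = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def check_sender_access(session):
    """Look up the envelope sender: full address, then its domain, then each
    parent domain (the default smtpd_access_maps behaviour)."""
    addr = session["sender"]
    labels = addr.rpartition("@")[2].split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in keys:
        if key in SENDER_CHECKS:
            return SENDER_CHECKS[key]
    return "DUNNO"

def evaluate(restrictions, session):
    """Walk the restriction list; the first non-DUNNO verdict wins.
    Reaching the end means this stage has no opinion (DUNNO) and Postfix
    moves on to the next restriction list."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

# Our own relay sending as example.com (the session from the posted log
# line) versus an outside host spoofing the same domain.
OWN_RELAY = {"client_ip": "203.0.113.11", "sender": "csd@example.com"}
OUTSIDER = {"client_ip": "198.51.100.7", "sender": "ceo@example.com"}

# As posted: the sender map runs before anything whitelists trusted clients.
AS_POSTED = [check_sender_access]
# As Noel recommends: permit_mynetworks first, then the sender map.
CORRECTED = [permit_mynetworks, check_sender_access]

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name:>9}: relay -> {evaluate(chain, OWN_RELAY)}; "
              f"outsider -> {evaluate(chain, OUTSIDER)}")
```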