On 12/9/2015 4:17 PM, Alex wrote:
> Hi,
>
>>> I'm trying to configure postfix-3.0.2 to reject mail trying to spoof
>>> my domain in the envelope FROM address without rejecting my own
>>> domain, and I'm doing something wrong.
>>
>> Typically this is done something like:
>> smtpd_sender_restrictions =
>>     permit_mynetworks
>>     check_sender_access hash:/path/to/reject_my_domain
>
> The combination of your suggestions, and probably most specifically
> the permit_mynetworks, is what appears to have fixed it.
>
> This originated with me trying to have a better understanding of SPF.
> check_sender_access consults $mynetworks to determine which servers
> can send mail as my domain.

Eh? check_sender_access can only check the envelope sender address, not a network or hostname.

> How does this relate to entries in my SPF record for servers that may
> be sending mail to users in my domain? I would think it would be
> necessary to list them in $mynetworks, however, I don't want to
> inherit whatever other problems come with other things happening on
> those IPs.

This is independent of SPF. The rules discussed block your domain as envelope sender except for a whitelist you have specified (permit_mynetworks). As an _alternative_, you could publish SPF records and run all your mail through an SPF policy, and reject (or tag) those that fail.

> I was in the process of setting up SPF, but ran into some stability
> problems with the pyspf application.

I use SpamAssassin for SPF and DKIM verification, integrated into postfix via amavisd-new as a pre-queue smtpd_proxy_filter, which works well for my purpose.

>>> relay_domains = $transport_maps, example.com, cs.example.com, example.com
>>
>> *DANGER*
>> Be aware that adding $transport_maps to relay_domains is unwise.
>> You become an open relay for any destination listed in
>> $transport_maps, which becomes a problem if you add a custom
>> transport for hotmail, gmail, etc.
>
> I currently only have a few transports to route mail from certain
> sub-domains to other systems:
>
> mail01.example.com    local:
> site1.example.com     smtp:[66.XXX.YYY.100]
>
> Is it necessary in this case to have $transport_maps as part of relay_domains?

I'm going to assume these are domains you own/control, otherwise they should never be in relay_domains.

While there is nothing technically wrong with using $transport_maps here, it's kind of like playing with fire... you're one mistake away from disaster.

Anyway, the default value of parent_domain_matches_subdomains includes relay_domains, so "X.example.com" is already included by way of "example.com". If they aren't really related subdomains, just include them in relay_domains explicitly.

-- 
Noel Jones
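The relay_domains point above, as an added example that is not part of the thread: a small Python model of the two pieces of Postfix domain matching discussed (the $transport_maps expansion that turns every transport key into a relay destination, and the parent_domain_matches_subdomains rule that makes "example.com" cover its subdomains). The configs, the gmail.com transport entry and the 192.0.2.100 address are constructed; this models only the domain-matching logic, not the full restriction evaluation.

```python
def domain_matches(domain, table, subdomain_match=True):
    """Return True if `domain` matches an entry in `table`.

    With subdomain_match (parent_domain_matches_subdomains includes
    relay_domains, the Postfix default) 'site1.example.com' matches an
    entry 'example.com'. Without it, only an explicit '.example.com'
    entry matches subdomains.
    """
    d = domain.lower()
    if d in table:
        return True
    labels = d.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if subdomain_match and parent in table:
            return True
        if "." + parent in table:   # explicit wildcard entry
            return True
    return False


def expand_relay_domains(config):
    """Expand relay_domains; '$transport_maps' pulls in every domain key of
    the transport table, which is the expansion the thread warns about."""
    domains = set()
    for item in config["relay_domains"]:
        if item == "$transport_maps":
            domains.update(config["transport_maps"].keys())
        else:
            domains.add(item.lower())
    return domains


def accepts_relay(config, recipient):
    """Would this server accept `recipient` as a relay destination?"""
    domain = recipient.rsplit("@", 1)[1]
    return domain_matches(domain, expand_relay_domains(config))


# Constructed configs: the transport table routes two subdomains as in the
# thread, plus a hypothetical custom transport for gmail.com added later.
TRANSPORTS = {
    "mail01.example.com": "local:",
    "site1.example.com": "smtp:[192.0.2.100]",
    "gmail.com": "smtp:[smarthost.example.net]",
}
RISKY = {"relay_domains": ["$transport_maps", "example.com", "cs.example.com"],
         "transport_maps": TRANSPORTS}
SAFE = {"relay_domains": ["example.com"], "transport_maps": TRANSPORTS}
```

With RISKY, a message to anyone at gmail.com is accepted for relay; with SAFE, site1.example.com is still accepted via its parent example.com, while gmail.com is refused.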