> On 14 March 2016 at 22:24, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>
> SPF and DKIM are mail tools to prevent spoofing of non-local domains.
> OP was out after tools to prevent local spoofing.
>
> One is for example:
> 1: reject_sender_login_mismatch
> 2: Other is a check_sender_access table containing "yourdomain.com:
> permit_sasl_authenticated, reject".
> 3: Another one is reject_unlisted_sender
>
> Of course, all those tools perform a completely different check and they all
> can be used in unison.
> 1 would prevent all mismatches between login names and MAIL FROM. However, it
> won't prevent an unauthenticated client from sending a spoofed mail from a
> local mailbox X to a local mailbox Y (I think the tables can be set up to
> enforce this for unauthenticated clients too however).
> 2: This prevents authenticated senders from sending outside the domain the
> server is authoritative for, but also prevents any unauthenticated client from
> spoofing the MAIL FROM as a local mailbox when sending mail that is targeted
> to a local mailbox.
> 3: This is a tool that prevents all unknown local addresses from being used as a
> sender.
>
>
> Another good thing with check_sender_access as described in 2 is that this
> can be used along with IP-based authentication (permit_mynetworks) to enforce
> so only specific domains can be used, and those domains cannot be used as a
> sender by unauthorized individuals, so even if you have SASL disabled, you
> can still enforce certain domains.
>
With 2, how can you deal with machines which are sending mail but can't use the authentication?

If the table contains

    youdomain.com: permit_mynetworks, permit_sasl_authenticated, reject

then anybody connected to the network can send a mail without being authenticated, only members from outside must be authenticated.

And if a hacker has the login/password from one of our users, he can use our system to send spam.

Thanks

-- 
Pascal
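
The three checks named in this thread, wired into a Postfix configuration as an added example that is not part of either message. The file paths, the `hash:` table type and the `sender_login` entry are assumptions; `yourdomain.com` is the placeholder used in the thread.

```conf
# ---- /etc/postfix/main.cf (paths and table type are assumptions) ----

# Check 1 needs a map from envelope sender to the SASL login that owns it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Order matters: a "permit" returned by the access table ends evaluation of
# this list, so the two reject_* checks are placed before the table lookup.
#   reject_unlisted_sender       (3) MAIL FROM in a local domain must exist
#   reject_sender_login_mismatch (1) MAIL FROM must belong to the SASL login
#   check_sender_access          (2) per-domain policy on the MAIL FROM domain
smtpd_sender_restrictions =
    reject_unlisted_sender,
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/sender_access

# ---- /etc/postfix/sender_login (constructed sample entry) ----
# envelope sender          SASL login allowed to use it
alice@yourdomain.com       alice

# ---- /etc/postfix/sender_access ----
# Variant from the quoted message: only SASL-authenticated clients may use
# the local domain as MAIL FROM; every other client is rejected.
yourdomain.com    permit_sasl_authenticated, reject

# Variant from the reply: hosts in $mynetworks may also use the domain as
# sender without authenticating. Enable one variant, not both.
#yourdomain.com   permit_mynetworks, permit_sasl_authenticated, reject

# ---- rebuild the lookup tables after editing, then reload ----
#   postmap /etc/postfix/sender_login
#   postmap /etc/postfix/sender_access
#   postfix reload
```

The access table uses Postfix's `pattern action` layout, so the entry is written without the colon that appears in the messages.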