It can also be done with access lists in smtpd_mumble_restrictions:

a) Accept (by remote host IP address) ALL your legitimate servers;
b) Reject everything else claiming to be one of your servers
EXAMPLE

main.cf:

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:$config_directory/access/own-server_access,
    check_helo_access hash:$config_directory/access/helo_access,

own-server_access:

### List *ALL* your own servers by IP address
1.2.3.4         OK
5.6.7.8         OK

helo_access:

### Your *REAL* hosts have already been accepted...
1.2.3.4         reject
5.6.7.8         reject
example.com     reject

It works well enough for me...

Allen C

On 28/07/16 12:18, Benny Pedersen wrote:
> On 2016-07-28 11:07, Roger Goh wrote:
>> If the IP address is spoofed, how does the firewall reject it?
>>
>> In the case of MS Exchange, will implementing something like
>> SPF (Sender Policy Framework) and Sender ID filtering help?
>
> no, if postfix sees local sender domains on port 25 it should reject it
>
> all else will fail
>
> ips do not matter
>
> Sender-ID is deprecated, don't add it, but if you like, spf could help
> if added to each sender domain carefully
>
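
The ordering that Allen's configuration relies on, as an added example that is not part of the original message: a simplified Python model of the two access-map checks. It assumes exact-key lookups only and a client that is neither in mynetworks nor SASL-authenticated; the 203.0.113.9 address, mail.example.net and the function names are constructed for illustration.

```python
# Simplified model (not Postfix code) of the smtpd_helo_restrictions list above.
# Assumptions: exact-key map lookups only; the client is outside mynetworks and
# not SASL-authenticated, so only the two access-map checks can decide.

OWN_SERVER_ACCESS = {"1.2.3.4": "OK", "5.6.7.8": "OK"}      # keyed by client IP
HELO_ACCESS = {"1.2.3.4": "reject", "5.6.7.8": "reject",
               "example.com": "reject"}                     # keyed by HELO argument

DEFAULT_ORDER = ("check_client_access", "check_helo_access")


def lookup(table, key):
    """Return the map action for key, or DUNNO when the map has no entry."""
    return table.get(key.lower(), "DUNNO").upper()


def helo_decision(client_ip, helo_name, order=DEFAULT_ORDER):
    """First decisive result wins: OK permits, REJECT rejects, DUNNO continues."""
    results = {
        "check_client_access": lookup(OWN_SERVER_ACCESS, client_ip),
        "check_helo_access": lookup(HELO_ACCESS, helo_name),
    }
    for rule in order:
        if results[rule] in ("OK", "REJECT"):
            return results[rule], rule
    return "OK", "end of list"  # nothing matched: the HELO stage passes


# Constructed sessions: (client IP, HELO argument)
SESSIONS = [
    ("1.2.3.4", "example.com"),           # real server, listed by IP
    ("203.0.113.9", "example.com"),       # outsider claiming your domain
    ("203.0.113.9", "1.2.3.4"),           # outsider using your IP as HELO
    ("203.0.113.9", "mail.example.net"),  # unrelated host
]

if __name__ == "__main__":
    for ip, helo in SESSIONS:
        action, rule = helo_decision(ip, helo)
        print(f"{ip:<12} HELO {helo:<17} -> {action:<6} ({rule})")
    # Swapping the two checks rejects the real server too:
    swapped = tuple(reversed(DEFAULT_ORDER))
    print("swapped order:", helo_decision("1.2.3.4", "example.com", swapped))
```

With the checks in the order shown in main.cf, the listed servers are accepted by IP before the HELO map is consulted; reversing them makes the helo_access entries reject the legitimate servers as well.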