On 30 March 2018 at 08:09, Bastian Blank <bastian+postfix-users=postfix....@waldi.eu.org> wrote:
> On Fri, Mar 30, 2018 at 12:03:37AM -0700, Sean Greenslade wrote:
>> On Fri, Mar 30, 2018 at 08:38:34AM +0200, Lorenzo Petracchi wrote:
>> > In the last few weeks our e-mail users have been receiving many messages with
>> > their own address as the From header.
>> >
>> > I understand that there are many legitimate reasons why the From header is
>> > free, but I would like to understand whether it is possible, and whether it makes
>> > sense, to reject incoming mail that contains addresses of the form
>> > al...@mydomain.it in the header field when the sender is not one of our SASL-
>> > authenticated SMTP senders, or when they are but do not own that address.
>> >
>> > Lorenzo
>>
>> This is basically what SPF is good for.
>
> No, it is not. SPF does not care about the From header, only the
> envelope sender.
>
> DMARC, on the other hand, works on the From header, with a lot of
> collateral damage.
I agree SPF blocks based on the envelope sender, not the From: header. So although it might stop problems, it is not guaranteed to do so.

You can use SPF/DKIM/DMARC for a more comprehensive solution which will also enable others to block fake emails from domains under your control:

1. ensure that all emails by genuine senders using your domain are passing either SPF or DKIM checks (preferably DKIM, because SPF is broken by relaying)

2. set up DMARC on your domain and implement the opendmarc milter, then - after testing with p=none - set p=reject, so that your mailservers and others can block emails that have a From: header email address with your domain but do not pass SPF or DKIM with alignment.

You should also implement a header check to block From: headers where the text (not the address) is spoofed to look like your domain. (BTW, before I implemented protection against this we had a real case where accounting staff were fooled into setting up a payment by this type of trick):

/etc/postfix/main.cf:

    header_checks = pcre:/etc/postfix/check_header.pcre

/etc/postfix/check_header.pcre:

    if /^From:/
    # emails with From: @our_domains are not blocked here
    # - fake ones should be blocked by the opendmarc milter
    # (matches a bare address or one in angle brackets at the end of the header)
    /@(mydomain\.it|mydomain2\.tld)>?$/ DUNNO
    # try to block emails that pretend to be from us by
    # e.g. From: lore...@mydomain.it <s...@fakesender.tld>
    /mydomain\.it </ REJECT
    # e.g. From: Lorenzo Petracchi <s...@fakesender.tld>
    /Lorenzo Petracchi/i REJECT
    endif