On Tue, 19 Feb 2019 at 11:41, Francesc Peñalvez <naz...@almogavers.net> wrote:
>
> Add smtpd_sender_restrictions =
> permit_mynetworks
> check_client_access cidr: /etc/postfix/trusted_ips.cidr
> permit_sasl_authenticated
> check_sender_access inline: {
> {almogavers.net = Local REJECT sender from unauthorized client}
> }
> This seemed to work, but since yesterday they have sent again the mails where
> the from and the for is the local mail itself, without the change-path is
> totally different. Is there any way to solve this?
>
> This is the Headers:
>
> From - Tue Feb 19 12:04:33 2019
> Return-Path: <cont...@producoesstage.com.br>
> X-Original-To: naz...@almogavers.net
> Delivered-To: naz...@almogavers.net
> Received: from localhost (localhost [127.0.0.1])
> by almogavers.net (Postfix) with ESMTP id E49457E0D1B
> for <naz...@almogavers.net>; Tue, 19 Feb 2019 12:03:39 +0100 (CET)
> X-Virus-Scanned: Debian amavisd-new at ns.almogavers.net...
The 'From:' header isn't shown in the extract but I am guessing your
concern is that this 'From:' header is faking your domain (when the
envelope sender is not)? You can cover this with header_checks (but
applied only to unauth emails), something like this:
/etc/postfix/master.cf (extracts, note your chroot setting may be different):
smtp inet n - y - - smtpd
-o cleanup_service_name=cleanup_wild
# use unmodified cleanup for authenticated mails (not via port 25)
cleanup unix n - y - 0 cleanup
# use check_header.pcre for wild incoming mails
cleanup_wild unix n - y - 0 cleanup
-o header_checks=pcre:/etc/postfix/check_header.pcre
/etc/postfix/check_header.pcre:
if /^From:/
/almogavers.net>?\s*$/ REJECT From header impersonation (privileged
domain in address)
endif
