On Mon, 8 Apr 2019 at 16:22, Ralph Seichter <ab...@monksofcool.net> wrote:
> * Janis:
>
> > Should I install amavis? It seems so trivial to block spam which
> > pretend to be sent as a spoofed message from oneself but yet I can't
> > block it.
>
> Postfix's check_sender_access suffices to block forged envelope (!)
> sender addresses:
>
> # pcre:/etc/postfix/sender_access
> /\bi(yourdomain|yourotherdomain)\.tld$/ REJECT
>
> That should be combined with only allowing authenticated email via port
> 587 (submission).
>
> While this does not prevent somebody forging the "From" header, an
> adversary won't be able to forge a DKIM signature for said header.

Regarding forging of the 'From' header: using DKIM with an enforced
(p=reject) DMARC policy is a way of tackling this effectively. It has the
advantage that it will also stop most third parties from receiving fake
emails that purport to be sent from your domain(s). But it is a big
hammer.

Alternatively, block unauthenticated emails that purport to come from
your domain by using a header_checks test that runs for unauthenticated
emails - by allowing authenticated emails only on different port(s) (587
and/or 465) and having a different cleanup_service_name for
unauthenticated emails (i.e. emails sent to port 25). For instance:

/etc/postfix/master.cf (extract):

smtp         inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=cleanup_wild
cleanup_wild unix  n       -       y       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/check_headers_wild.pcre

/etc/postfix/check_headers_wild.pcre (extract):

if /^From:/
# Fake domain in the actual address, e.g. From: Fake Sender <domi...@mydomain1.tld>
/(mydomain1\.tld|mydomain2\.tld)>?\s*$/ REJECT From header impersonation (privileged domain in address)
# Fake domain in text preceding the address, e.g. From: domi...@mydomain1.tld <s...@fakesender.tld>
/(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$/ REJECT From header impersonation (privileged domain in text)
endif

This will block your own mails to mailing lists (such as this one) when
they are repeated back to you (or to another using your domain), but this
is unlikely to cause problems in practice. The second regex blocks a type
of fake that you did not mention, but it is seen in the wild.
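The following is an added illustration, not code from the poster or from Postfix: a small Python re-implementation of the two check_headers_wild.pcre rules quoted in the message, run against constructed sample From: headers so the effect of each pattern can be checked offline before the table is deployed. It assumes the same placeholder domains (mydomain1.tld, mydomain2.tld) the message uses, and that Postfix pcre: tables match case-insensitively by default (the documented default for pcre_table), which is why re.IGNORECASE is set.

```python
import re

# Re-implementation (for illustration only) of the two header_checks rules
# from the message; domain names are the message's placeholders.
PRIVILEGED = r"(mydomain1\.tld|mydomain2\.tld)"

FROM_RULES = [
    # Rule 1: privileged domain inside the actual address part,
    # e.g.  From: Fake Sender <someone@mydomain1.tld>
    (re.compile(PRIVILEGED + r">?\s*$", re.IGNORECASE),
     "From header impersonation (privileged domain in address)"),
    # Rule 2: privileged domain in the display text before the address,
    # e.g.  From: someone@mydomain1.tld <other@fakesender.tld>
    (re.compile(PRIVILEGED + r'[>"]*? <.*$', re.IGNORECASE),
     "From header impersonation (privileged domain in text)"),
]

# The 'if /^From:/ ... endif' guard: only From: headers are examined.
FROM_HEADER = re.compile(r"^From:", re.IGNORECASE)


def check_header(line):
    """Return the REJECT reason for one header line, or None if it passes.

    Headers other than From: are never tested, and the first matching rule
    wins, which is how a header_checks table is evaluated.
    """
    if not FROM_HEADER.match(line):
        return None
    for pattern, reason in FROM_RULES:
        if pattern.search(line):
            return reason
    return None


# Constructed sample headers, as an unauthenticated port-25 session routed
# through cleanup_wild might present them; none of these is real mail.
SAMPLES = [
    "From: Fake Sender <someone@mydomain1.tld>",             # rule 1
    "From: someone@mydomain1.tld <other@fakesender.tld>",    # rule 2
    'From: "someone@mydomain2.tld" <other@fakesender.tld>',  # rule 2, quoted text
    "From: FAKE <SOMEONE@MYDOMAIN1.TLD>",                    # rule 1, case-insensitive
    "From: Partner <partner@example.org>",                   # accepted
    "Reply-To: someone@mydomain1.tld",                       # not a From: header
    "From: Legit <user@notmydomain1.tld>",                   # caveat: unrelated domain, still rejected
]


def check_samples(lines=SAMPLES):
    """Apply check_header to every line; returns {header: reason-or-None}."""
    return {line: check_header(line) for line in lines}


if __name__ == "__main__":
    for header, verdict in check_samples().items():
        print(f"{'REJECT' if verdict else 'ACCEPT':6}  {header}  {verdict or ''}")
```

The last sample shows something worth checking before enabling the table: neither pattern has a left-hand boundary (an `@`, `\b` or similar) before the domain alternation, so a header whose domain merely ends in one of the privileged names (user@notmydomain1.tld here) is rejected as well. Running legitimate traffic through a check like this first, or tightening the patterns, avoids that false positive; the script only models the two patterns themselves, not the rest of Postfix's header handling.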