On 24/04/2019 21:51, Bill Cole wrote:
> On 24 Apr 2019, at 16:04, Mick wrote:
>
>> On 23/04/2019 18:34, Bill Cole wrote:
>>> On 23 Apr 2019, at 11:46, John Peach wrote:
>>>
>>>> On 4/23/19 11:39 AM, Paul wrote:
>>>>> Yes, I agree with Kevin here: the best solution to this problem is an SPF record set to reject mail from any IP that's not in your allowed list of IPs for your domain. Forging a From address is very easy and is one of the main reasons why SPF was created.
>>>>
>>>> There is no need to go to those lengths - assuming that all your own email is being submitted over port 587, include -o receive_override_options=no_header_body_checks in the master.cf entry for submission and use a PCRE header checks file for port 25.
>>>>
>>>> /^From:.*\@example\.com/    REJECT
>>>
>>> So you don't want to accept messages you or anyone else in your domain posts to a mailing list such as this one?
>>>
>>> Seems risky...
>>
>> As per B. Reino's suggestion of a header check white list, is there any reason the following main.cf config should not be used?
>> header_checks =
>>    pcre:/etc/postfix/header_checks_pass
>>    pcre:/etc/postfix/header_checks_fail
>
> Yes: it is a generally bad idea to use header_checks to whitelist anything.

Thanks Bill.

> For the details on why, see the documentation in the header_checks man page and BUILTIN_FILTER_README. If you want *GOOD* filtering, use a milter or SMTP proxy filter.

I thought header checks were carried out after all the other SMTP restrictions had passed, therefore I didn't see the harm in an 'OK' for a message header at this stage. That's why it's good to ask. I will remove the white list and have a thorough read to weigh up the pros and cons before deciding what to do next. The purpose of my white list was to avoid the Postfix-users List-Id: (and other lists) being kicked out due to the sender using my domain in the From field, but it failed and my last message was rejected in any case.

If there is a simple pre-queue filter to be had that could block a forged message header From:, but allow when selected list IDs come knocking, I'd give it a try. I did try Amavis and SpamAssassin, but they brought my limited-resource VPS to its knees with 98% memory usage.

Thanks again,
Mick.
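The reason the pass/fail table pair above cannot exempt list mail is that Postfix header_checks are stateless and per-line: each header line is matched on its own, and an OK for the List-Id: line has no effect on how the From: line is judged. The following is an added simulation written for this thread, not code from Postfix or from any of the posters. It parses two constructed pcre: tables in Postfix syntax, applies them with the per-line semantics, shows the port-587 no_header_body_checks bypass, and contrasts that with what a milter or proxy filter can do by reading several headers together. The domain example.com, the list id postfix-users.postfix.org and the sample messages are all constructed for the example.

```python
import re

# Constructed PCRE tables in Postfix header_checks syntax, modelled on the
# thread: a "pass" table consulted first, then a "fail" table.
# Assumptions: example.com is the protected domain and
# postfix-users.postfix.org is the List-Id we would like to let through.
HEADER_CHECKS_PASS = r"""
# intended to let postfix-users list traffic through (it does not, see below)
/^List-Id:.*postfix-users\.postfix\.org/   OK
"""
HEADER_CHECKS_FAIL = r"""
/^From:.*\@example\.com/   REJECT From header forges our domain
"""

# One table line: /pattern/flags  ACTION [optional text]
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_pcre_table(text):
    """Parse a pcre: table into (compiled regex, ACTION, text) tuples.
    Postfix pcre tables match case-insensitively by default; the 'i' flag
    toggles that, so its presence here makes the pattern case-sensitive."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {raw!r}")
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags),
                      m.group("action").upper(), m.group("text") or ""))
    return rules


def match_header_line(line, tables):
    """The first matching pattern, searching the tables in main.cf order,
    decides this one line. Only OK and REJECT are modelled."""
    for rules in tables:
        for pat, action, text in rules:
            if pat.search(line):
                return action, text
    return "OK", ""


def header_checks(headers, tables):
    """Stateless, per-line semantics of header_checks: every header line is
    judged alone, so an OK for a List-Id: line is never carried over to the
    From: line, whatever order the headers arrive in."""
    for line in headers:
        action, text = match_header_line(line, tables)
        if action == "REJECT":
            return ("REJECT", line, text)
        if action != "OK":
            raise ValueError(f"action {action} not modelled")
    return ("ACCEPT", None, "")


def cleanup_decision(headers, tables, via_submission=False):
    """Mail submitted on port 587 with
    -o receive_override_options=no_header_body_checks skips the tables."""
    if via_submission:
        return ("ACCEPT", None, "no_header_body_checks")
    return header_checks(headers, tables)


def milter_style_check(headers, protected_domain, allowed_list_ids):
    """What a milter or SMTP proxy filter can do and header_checks cannot:
    read the From: and List-Id: headers together before deciding."""
    def find(name):
        return next((h for h in headers if h.lower().startswith(name)), "")
    from_hdr, list_id = find("from:"), find("list-id:")
    if ("@" + protected_domain).lower() not in from_hdr.lower():
        return "ACCEPT"                  # not claiming to be our domain
    if any(lid.lower() in list_id.lower() for lid in allowed_list_ids):
        return "ACCEPT"                  # our own post, relayed by a known list
    return "REJECT"


TABLES = [parse_pcre_table(HEADER_CHECKS_PASS), parse_pcre_table(HEADER_CHECKS_FAIL)]

# Constructed sample messages (header lines only).
FORGED = ["From: boss@example.com", "To: mick@example.com",
          "Subject: urgent wire transfer"]
LIST_POST = ["From: mick@example.com", "To: postfix-users@postfix.org",
             "List-Id: Postfix users <postfix-users.postfix.org>",
             "Subject: Re: header_checks"]

if __name__ == "__main__":
    for name, msg in (("forged", FORGED), ("list post", LIST_POST)):
        print(name, "| header_checks:", header_checks(msg, TABLES)[0],
              "| milter-style:",
              milter_style_check(msg, "example.com", ["postfix-users.postfix.org"]))
```

Running it shows both the forged message and the legitimate list post rejected by the header_checks tables, since the From: line alone triggers the REJECT, while the milter-style check, which sees both headers at once, rejects only the forgery. That is the gap between the built-in filter and the milter or proxy filter Bill points to.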



