On 27 Sep 2019, at 7:06, Hugo Florentino wrote:
> Hi,
> I am using postfix 3.1.12 in a network which does not currently accept
> sending mail from outside.
> However some spammers change the From header in the data section and
> use an internal address.
> The problem is that if I use header_checks to reject my domain, it's
> applied globally so mail from within the local network is rejected as
> well.

The most important element in doing this is to separate mail submission
from inbound SMTP mail. In 2019 there is no reasonable excuse for
supporting submission via a port 25 SMTP server that also accepts mail
from the Internet in general for local delivery. If you require your
users to use a port 587 or 465 submission service instead, you don't
need to make allowances for local submission on the main port 25
service.

> Since there is no check_data_access method, I tried to do something
> like this:
> [...]
> However, forged addresses still pass, and I am getting this message in
> the logs:
> Sep 27 06:07:52 server postfix/cleanup[5578]: warning: unknown command in header_checks map: anti_spoofing
> Why isn't this working?

Because, as documented, header_checks (and the other built-in content
filtering in Postfix) does not support restrictions or restriction
classes as results of a pattern match.

> Could you please provide ideas on how to achieve what I want without
> using external tools or costly sender verification?

As I said above, you can do this by segregating inbound mail on port 25
from mail submission on port 465 and/or 587. Note that "sender
verification" as implemented in Postfix ONLY operates on the envelope
sender address, NOT on the address in the From header and is not
*authentication* so it would not do what you're trying to do.
If you want to allow exceptions to this policy (which some systems learn
that they need after deploying an absolute block) you will need to use a
more sophisticated external content filtering tool.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
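
One way to lay out the port 25 / port 587 separation described in the reply above, as an added example that is not part of the original message or of Postfix's shipped configuration. The service name `inbound-cleanup`, the table path and the domain `example.com` are assumptions, and TLS and SASL are assumed to be configured already in main.cf.

```conf
# Added example. Assumed names: inbound-cleanup, the pcre table path,
# and example.com standing in for the local domain.

# --- /etc/postfix/master.cf ---
# Port 25: mail from the Internet. Hand messages to a dedicated cleanup
# instance so that the anti-spoofing header check applies only here.
smtp            inet  n  -  n  -  -  smtpd
  -o cleanup_service_name=inbound-cleanup

# Cleanup instance used only by the port 25 smtpd above.
inbound-cleanup unix  n  -  n  -  0  cleanup
  -o header_checks=pcre:/etc/postfix/inbound_header_checks

# Default cleanup instance (submission, pickup, bounces). It uses the
# header_checks from main.cf, which must not contain the anti-spoofing rule.
cleanup         unix  n  -  n  -  0  cleanup

# Port 587: authenticated submission for local users.
submission      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- /etc/postfix/inbound_header_checks (pcre table) ---
# Reject a From: header that carries the local domain on port 25.
/^From:.*@example\.com([\s>,;"]|$)/  REJECT From header uses a local domain
```

Run `postfix check` and `postfix reload` after editing. Internal clients then have to submit on port 587, because a message with a local From address is rejected on port 25 regardless of where it comes from.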