@lbutlr wrote:
> a wrote:
> > However, an outside network can still identify as a local email
> > account to send into my network, making imposters possible.
> 
> Do not allow connections on port 25 that claim to be from your domains.
> 
> (I think this works still):

Yes.  It works.

> smtpd_helo_restrictions = reject_invalid_helo_hostname
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre
>     permit
> 
> helo_checks.pcre:
> /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed from external servers.

I do a slight variation on this that I think is slightly better.
Instead of pcre tables I use hash tables.  Which should be slightly more
efficient.  And won't suffer from common substring matches such as
hitting by accident on goodkreme.com or otherkreme.com or
krispykreme.com and so forth. :-)

My /etc/postfix/helo-access file:
    # Reject anybody that HELO's as being in our own domains.
    # Since this occurs after permit_mynetworks this does not
    # reject local clients.
    proulx.com      REJECT  You are not proulx.com.

    # Somebody HELO'ing as 'localhost'?  Won't hit because localhost is not a FQDN.
    # Should not hit here but if that is allowed then it will be rejected here.
    localhost       REJECT  You are not localhost.

    # Somebody HELO'ing as our IP address?  Yes those occur too.
    96.88.95.61   REJECT  You are not 96.88.95.61
    # IPv6 address too.  Although IPv6 is otherwise blocked here.
    2601:1:9c81:cd00:3a60:77ff:fecd:b399   REJECT  You are not 2601:1:9c81:cd00:3a60:77ff:fecd:b399

Then the usual "postmap helo-access" to create the "helo-access.db" file.

A snippet of my config:
    smtpd_recipient_restrictions =
        ...
        check_helo_access hash:/etc/postfix/helo-access,
        ...

The entire list of smtpd recipient restrictions is all part of a good
anti-spam configuration.  If you are interested in that list ask again
and I am sure there will be many suggestions for a good setup.

> Or setup spf, which is what I’ve done.

Usually SPF protects other people from forgeries of your own network.
But unless you are hard blocking on SPF of your own domain then this
will not block forgery attacks spoofing your own network.  And hard
blocking on SPF is problematic due to the nature of often broken
systems which would cause loss of mail.  Better to use SPF as part of
a scoring system.  Then by itself it is unlikely to be a problem at
the inevitable cases where things are broken.

HTH!
Bob
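As an added example (not from the thread, and not Postfix's own code), here is a small Python model of the difference the post describes between a pcre: table and a hash: table for check_helo_access. The hash lookup follows the access(5) rules as I understand them: the key is case-folded, the full HELO name is tried first and then its parent domains (the default, since smtpd_access_maps is in parent_domain_matches_subdomains), and an IPv4 address is tried as the full address and then shorter dotted prefixes. IPv6 keys and the ordering against permit_mynetworks are not modelled; the table entries are constructed from the ones quoted above.

```python
import re

# Constructed hash: table, mirroring the helo-access entries in the post.
HELO_ACCESS = {
    "proulx.com": "REJECT You are not proulx.com.",
    "localhost": "REJECT You are not localhost.",
    "96.88.95.61": "REJECT You are not 96.88.95.61",
}

# Constructed pcre: table, mirroring the helo_checks.pcre rule quoted above.
HELO_PCRE = [
    (re.compile(r"kreme\.com$"),
     "REJECT helo Mail to AND from local domains not allowed from external servers."),
]

_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def hash_lookup(helo, table=HELO_ACCESS, parent_matches=True):
    """Model of check_helo_access hash: lookups (assumption: access(5) semantics).

    Returns the action string for the first matching key, or None.
    """
    key = helo.lower().rstrip(".")  # postmap folds case unless built with -f

    if _IPV4.fullmatch(key):
        # Address: full address first, then 96.88.95, 96.88, 96.
        octets = key.split(".")
        candidates = [".".join(octets[:n]) for n in range(4, 0, -1)]
    else:
        # Hostname: full name first, then each parent domain.
        labels = key.split(".")
        candidates = [key]
        if parent_matches:
            candidates += [".".join(labels[i:]) for i in range(1, len(labels))]

    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None


def pcre_lookup(helo, rules=HELO_PCRE):
    """Model of check_helo_access pcre: lookups: first regex that matches wins."""
    for pattern, action in rules:
        if pattern.search(helo):
            return action
    return None


def compare(helos):
    """Run both lookups over a list of HELO names; returns {helo: (hash, pcre)}."""
    return {h: (hash_lookup(h), pcre_lookup(h)) for h in helos}


if __name__ == "__main__":
    # Constructed sample HELO names, including the substring false positive
    # the post warns about (krispykreme.com) and a subdomain of our own domain.
    for helo, (h, p) in compare([
        "proulx.com", "mail.proulx.com", "goodproulx.com", "PROULX.COM.",
        "localhost", "96.88.95.61", "96.88.95.62",
        "kreme.com", "krispykreme.com",
    ]).items():
        print(f"{helo:20} hash={h!r:40} pcre={p!r}")
```

The point the table makes: the hash entry for proulx.com rejects proulx.com and mail.proulx.com but leaves goodproulx.com alone, whereas the unanchored-left regex rejects krispykreme.com along with kreme.com. If you do not want subdomains of your own domain caught, list them explicitly or remove smtpd_access_maps from parent_domain_matches_subdomains.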
