On 16/11/2021 22:55, Ruben Safir wrote:
> I got an email from cpa...@mrbrklyn.com which is not from
> us, as we are mrbrklyn.com
>
> How do I block email with this on the From line
>
>  From cpa...@mrbrklyn.com  Tue Nov 16 03:59:34 2021
> Return-Path: <cpa...@mrbrklyn.com>
> X-Original-To: ru...@mrbrklyn.com
> Delivered-To: ru...@mrbrklyn.com
> Received: from bizcloud-linmaxtone.de (unknown [167.172.106.8])
>     by mrbrklyn.com (Postfix) with ESMTP id 495F2163FD5
>     for <ru...@mrbrklyn.com>; Tue, 16 Nov 2021 03:59:34 -0500 (EST)
> Received: from cragsmoorfreelibrary.info (bizcloud-linmaxtone.de
>     [IPv6:::1])
>     by bizcloud-linmaxtone.de (Postfix) with ESMTP id
>     8AED332FAE0
>     for <ru...@mrbrklyn.com>; Tue, 16 Nov 2021
>     8:29:50 +0000 (UTC)
> From: "cPanel on mrbrklyn.com" <cpa...@mrbrklyn.com>

Use
- check_sender_access to block mails that fake your domain in the envelope sender; and
- header_checks to block mails that fake your domain in the From: header

Both of the above should be applied only to non-authenticated and non-local emails. Something like this (assumes you block authenticated emails on port 25):

In master.cf:

smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_wild
  -o cleanup_service_name=cleanup_wild
...

cleanup_wild unix  n       -     n       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/check_header_wild.pcre
  -o mime_header_checks=pcre:/etc/postfix/check_header_wild.pcre
  -o nested_header_checks=
...

In main.cf:

smtpd_recipient_restrictions_wild =
  ...
  check_sender_access hash:/etc/postfix/sender_access
  ...

In /etc/postfix/sender_access:

mydomain.tld REJECT privileged domain without authentication

In /etc/postfix/check_header_wild.pcre:

if /^From:/
/mydomain\.tld>?\s*$/ REJECT From header (impersonation domain in address)
fi

For homework, catch attempts to fake your domain in the text part of the From: header:
- more sophisticated catches in check_header_wild.pcre (these will require exceptions for 'legitimate' fakes)
- because postfix does not translate UTF, add some other filtration/scoring such as bespoke rules in spamassassin
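
The From: rule and the display-name homework from the reply above, emulated offline in Python as an added example that is not part of the original message; the sample headers are constructed and `mydomain.tld` is the reply's placeholder domain. The display-name check decodes RFC 2047 encoded-words before matching, which a plain header_checks pattern on the raw header does not do.

```python
import re
from email.header import Header, decode_header, make_header
from email.utils import parseaddr

PROTECTED = "mydomain.tld"  # placeholder domain, as in the reply above

# Body of the "if /^From:/" block; Postfix pcre tables match case-insensitively by default.
ADDR_RULE = re.compile(r"mydomain\.tld>?\s*$", re.IGNORECASE)

def address_rule_hits(header_line: str) -> bool:
    """True if the posted header_checks rule would REJECT this header line."""
    return header_line.lower().startswith("from:") and bool(ADDR_RULE.search(header_line))

def display_name_hits(header_line: str) -> bool:
    """True if the protected domain is in the display name once RFC 2047 is decoded."""
    value = header_line.split(":", 1)[1].strip()
    decoded = str(make_header(decode_header(value)))
    name, _addr = parseaddr(decoded)
    return PROTECTED in name.lower()

def verdict(header_line: str) -> str:
    """Classify one From: header line: address rule first, then display name."""
    if address_rule_hits(header_line):
        return "reject-address"
    if display_name_hits(header_line):
        return "flag-display-name"
    return "pass"

# Constructed sample headers (not taken from the thread).
ENCODED_NAME = Header("cPanel on mydomain.tld", "utf-8").encode()
SAMPLES = [
    'From: "cPanel on mydomain.tld" <cpanel@mydomain.tld>',  # address in protected domain
    'From: "cPanel on mydomain.tld" <notice@example.net>',   # domain only in display name
    f"From: {ENCODED_NAME} <notice@example.net>",            # same, inside an encoded-word
    "From: Alice <alice@example.net>",                       # unrelated sender
    "From: Bob <bob@notmydomain.tld>",                       # rule is unanchored on the left
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):18} {line}")
```

The last sample shows that the posted pattern also matches any longer domain ending in the same string, so anchoring it on `@` or `.` is worth considering before deploying.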
