Re: How to restrict imposters
On 20/02/2020 03:39, Bob Proulx wrote:
> I do a slight variation on this that I think is slightly better.
> Instead of pcre tables I use hash tables. Which should be slightly more
> efficient. And won't suffer from common substring matches such as
> hitting by accident on goodkreme.com or otherkreme.com or
> krispykreme.com and so forth. :-)
>
> My /etc/postfix/helo-access file:
> # Reject anybody that HELO's as being in our own domains.
> # Since this occurs after permit_mynetworks this does not
> # reject local clients.
> proulx.com REJECT You are not proulx.com.

I receive quite a few messages claiming to be from "accounts", "helpdesk", or "personnel", so I have a very similar clause in my /etc/postfix/sender-access file. Again, it is after permit_mynetworks so it does not reject local clients.

Allen C
Re: How to restrict imposters
> @lbutlr wrote:
> > a wrote:
> > > However, an outside network can still identify as a local email
> > > account to send into my network, making imposters possible.
> >
> > Do not allow connections on port 25 that claim to be from your domains.
> >
> > (I think this works still):
>
> Yes. It works.
>
> > smtpd_helo_restrictions = reject_invalid_helo_hostname
> >     check_helo_access pcre:/etc/postfix/helo_checks.pcre
> >     permit
> >
> > helo_checks.pcre:
> > /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed
> > from external servers.
>
> I do a slight variation on this that I think is slightly better.
> Instead of pcre tables I use hash tables. Which should be slightly more
> efficient. And won't suffer from common substring matches such as
> hitting by accident on goodkreme.com or otherkreme.com or
> krispykreme.com and so forth. :-)
>
> My /etc/postfix/helo-access file:
> # Reject anybody that HELO's as being in our own domains.
> # Since this occurs after permit_mynetworks this does not
> # reject local clients.
> proulx.com REJECT You are not proulx.com.
>
> # Somebody HELO'ing as 'localhost'? Won't hit because localhost is not a FQDN.
> # Should not hit here but if that is allowed then it will be rejected here.
> localhost REJECT You are not localhost.
>
> # Somebody HELO'ing as our IP address? Yes those occur too.
> 96.88.95.61 REJECT You are not 96.88.95.61
> # IPv6 address too. Although IPv6 is otherwise blocked here.
> 2601:1:9c81:cd00:3a60:77ff:fecd:b399 REJECT You are not 2601:1:9c81:cd00:3a60:77ff:fecd:b399
>
> Then the usual "postmap helo-access" to create the "helo-access.db" file.
>
> A snippet of my config:
> smtpd_recipient_restrictions =
>     ...
>     check_helo_access hash:/etc/postfix/helo-access,
>     ...
>
> The entire list of smtpd recipient restrictions is all part of a good
> anti-spam configuration. If you are interested in that list ask again
> and I am sure there will be many suggestions for a good setup.
>
> > Or setup spf, which is what I’ve done.
>
> Usually SPF protects other people from forgeries of your own network.
> But unless you are hard blocking on SPF of your own domain then this
> will not block forgery attacks spoofing your own network. And hard
> blocking on SPF is problematic due to the nature of often broken
> systems which would cause loss of mail. Better to use SPF as part of
> a scoring system. Then by itself it is unlikely to be a problem at
> the inevitable cases where things are broken.
>
> HTH!
> Bob

Thank you Bob & @lbutlr, worked perfectly!

I did the hash method.

This line worked with the hash db populated to suit my domain per what Bob said:

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo-access
    permit
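Added example, not code from this thread or from Postfix itself: a small Python model of how the two table types discussed above treat a HELO name, so the substring false positive Bob mentions (goodkreme.com hitting /kreme\.com$/) can be seen next to the hash-table lookup that avoids it. The hash side follows the HOST NAME PATTERNS section of access(5): the full name is looked up first, then each parent domain, because the default parent_domain_matches_subdomains contains smtpd_access_maps. The table contents, the example.com domain, the 192.0.2.25 address and the sample HELO names are all constructed here; Bob's and @lbutlr's real domains and addresses are not used. Address patterns (CIDR-style net.work matching) are not modelled, only hostname patterns.

```python
"""Model Postfix hash: vs pcre: access-table lookups for HELO names.

Added example; it is not Postfix code. Semantics follow access(5)
HOST NAME PATTERNS and pcre_table(5) (case-insensitive by default).
"""
import re

# Constructed stand-in for an /etc/postfix/helo-access file.
# Keys and the IP address are example values, not anyone's real ones.
HELO_ACCESS_TEXT = """
# Reject anybody that HELO's as being in our own domains.
example.com     REJECT You are not example.com.
localhost       REJECT You are not localhost.
192.0.2.25      REJECT You are not 192.0.2.25
"""

# The pcre rule quoted in the thread, with the domain swapped for example.com.
# pcre: tables match case-insensitively unless the pattern says otherwise.
PCRE_RULE = (
    re.compile(r"example\.com$", re.IGNORECASE),
    "REJECT helo Mail to AND from local domains not allowed from external servers.",
)


def parse_access_table(text):
    """Read 'key  action [text]' lines the way postmap(1) does: blank lines
    and '#' comments are skipped; keys are lowercased (hostname lookups
    are case-insensitive)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access line: {line!r}")
        table[parts[0].lower()] = parts[1]
    return table


def hash_lookup(table, helo, match_subdomains=True):
    """Return the table action for HELO name `helo`, or None.

    Mirrors check_helo_access with a hash: map: exact key first, then each
    parent domain (mail.example.com -> example.com -> com) when subdomain
    matching is on. Only whole labels are stripped, so goodexample.com can
    never reach the key example.com."""
    name = helo.rstrip(".").lower()
    if name in table:
        return table[name]
    if not match_subdomains:
        return None
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def pcre_lookup(rule, helo):
    """Return the rule action if the regex matches anywhere in `helo`."""
    regex, action = rule
    return action if regex.search(helo) else None


def classify(helos, table, rule):
    """Run both lookups over a list of HELO names; return
    {helo: (hash_action_or_None, pcre_action_or_None)}."""
    return {h: (hash_lookup(table, h), pcre_lookup(rule, h)) for h in helos}


# Constructed HELO names a receiving MTA might be offered.
SAMPLE_HELOS = [
    "example.com",            # claims to be our own domain
    "MAIL.example.com",       # claims to be our own subdomain (case differs)
    "goodexample.com",        # unrelated third party; only the pcre rule hits
    "localhost",
    "192.0.2.25",
    "mx.partner.example.org", # unrelated, should pass both
]

if __name__ == "__main__":
    table = parse_access_table(HELO_ACCESS_TEXT)
    for helo, (h, p) in classify(SAMPLE_HELOS, table, PCRE_RULE).items():
        print(f"{helo:26} hash: {'REJECT' if h else 'no match':8} "
              f"pcre: {'REJECT' if p else 'no match'}")
```

Against a real table the equivalent check is `postmap -q mail.example.com hash:/etc/postfix/helo-access` after running `postmap helo-access`; a key of `example.com` also answers for `mail.example.com` only while parent_domain_matches_subdomains keeps smtpd_access_maps in its list, which is the default.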
Re: How to restrict imposters
>> @lbutlr wrote:
>> > a wrote:
>> > > However, an outside network can still identify as a local email
>> > > account to send into my network, making imposters possible.
>> >
>> > Do not allow connections on port 25 that claim to be from your domains.
>> >
>> > (I think this works still):
>>
>> Yes. It works.
>>
>> > smtpd_helo_restrictions = reject_invalid_helo_hostname
>> >     check_helo_access pcre:/etc/postfix/helo_checks.pcre
>> >     permit
>> >
>> > helo_checks.pcre:
>> > /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed
>> > from external servers.
>>
>> I do a slight variation on this that I think is slightly better.
>> Instead of pcre tables I use hash tables. Which should be slightly more
>> efficient. And won't suffer from common substring matches such as
>> hitting by accident on goodkreme.com or otherkreme.com or
>> krispykreme.com and so forth. :-)
>>
>> My /etc/postfix/helo-access file:
>> # Reject anybody that HELO's as being in our own domains.
>> # Since this occurs after permit_mynetworks this does not
>> # reject local clients.
>> proulx.com REJECT You are not proulx.com.
>>
>> # Somebody HELO'ing as 'localhost'? Won't hit because localhost is not a FQDN.
>> # Should not hit here but if that is allowed then it will be rejected here.
>> localhost REJECT You are not localhost.
>>
>> # Somebody HELO'ing as our IP address? Yes those occur too.
>> 96.88.95.61 REJECT You are not 96.88.95.61
>> # IPv6 address too. Although IPv6 is otherwise blocked here.
>> 2601:1:9c81:cd00:3a60:77ff:fecd:b399 REJECT You are not 2601:1:9c81:cd00:3a60:77ff:fecd:b399
>>
>> Then the usual "postmap helo-access" to create the "helo-access.db" file.
>>
>> A snippet of my config:
>> smtpd_recipient_restrictions =
>>     ...
>>     check_helo_access hash:/etc/postfix/helo-access,
>>     ...
>>
>> The entire list of smtpd recipient restrictions is all part of a good
>> anti-spam configuration. If you are interested in that list ask again
>> and I am sure there will be many suggestions for a good setup.
>>
>> > Or setup spf, which is what I’ve done.
>>
>> Usually SPF protects other people from forgeries of your own network.
>> But unless you are hard blocking on SPF of your own domain then this
>> will not block forgery attacks spoofing your own network. And hard
>> blocking on SPF is problematic due to the nature of often broken
>> systems which would cause loss of mail. Better to use SPF as part of
>> a scoring system. Then by itself it is unlikely to be a problem at
>> the inevitable cases where things are broken.
>>
>> HTH!
>> Bob
>>
>
> Thank you Bob & @lbutlr, worked perfectly!
>
> I did the hash method.
>
> This line worked with the hash db populated to suit my domain per what
> Bob said:
>
> smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo-access
>     permit
>

phishing and fraudulent usage of domain - method to prevent some masking

Sorry, I forgot to put in here for a search term for others looking for this in the future that it could be a good tool to prevent phishing and other fraudulent usage of domain. I did eventually find something on some forums online, but these user groups are great. Thanks everyone again!