Hi,

>> My main problem is understanding how to build a rule to block spoofing
>> attempts against my own domain? Do I need to build a meta that
>> combines envelope FROM with SPF_FAIL?
>
> first: spoofing protection is *only* about envelope and not about the
> visible From-header (spoofing protection based on the header kills

Yes, I understand that as well, and mentioned that earlier.

> second:
> spoofing protection belongs in the MTA long before spamassassin
>
> why?

Yes, I agree, and also mentioned that, but I wanted to understand the
SPF rules from within spamassassin.

> * spoofing protection has *nothing* to do with SPF

What? That's exactly what SPF was designed to prevent - spoofing of the
envelope sender.

https://en.wikipedia.org/wiki/Sender_Policy_Framework

"SPF is a simple email-validation system designed to detect email
spoofing by providing a mechanism to allow receiving mail exchangers to
check that incoming mail from a domain comes from a host authorized by
that domain's administrators."

> smtpd_recipient_restrictions =
>  reject_unlisted_recipient
>  reject_unauth_destination
>  reject_non_fqdn_recipient
>  reject_non_fqdn_sender
>  reject_non_fqdn_helo_hostname
>  reject_invalid_helo_hostname
>  check_sender_access hash:/etc/postfix/spoofing_protection.cf
>
> /etc/postfix/spoofing_protection.cf:
> domain1 REJECT Sender Spoofed
> domain2 REJECT Sender Spoofed
> domain3 REJECT Sender Spoofed

I'm using postfix, as I mentioned, and understand I can do this, and
know how.

Please help me understand why SPF_FAIL would not be triggered when an
incoming email using my domain is received by a server that is not in
my SPF record.

Thanks,
Alex

> ___________________________________________________________
>
> in short: you take the script which generates "mydestination.cf" and let it
> spit out the other file while write instead "OK" "REJECT"
>
> mydestination = hash:/etc/postfix/mydestination.cf
> /etc/postfix/mydestination.cf:
> domain1 OK
> domain2 OK
> domain3 OK
> ___________________________________________________________
>
> before some dumbass now says "the world is not postfix alone": the principle
> is the same for every MTA and some things belong to the MTA layer and not in
> the contentfilter
>