3

I have a host, let's call it foo.com, on which I'm running Postfix on Debian. Postfix is currently configured to do these things:

  1. All mail with @foo.com as recipient is handled by this Postfix server. It forwards all such mail to my Gmail account. The firewall thus allows port 25.
  2. All mail with another domain as recipient is rejected.
  3. SPF records have been set up for the foo.com domain, saying that foo.com is the sole origin of all mail from @foo.com.
  4. Applications running on foo.com can connect to localhost:25 to deliver mail, with something@foo.com as sender.

However I recently noticed that some spammers are able to send spam to me while passing the SPF checks. Upon further inspection, it looks like they connect to my Postfix server and then say

HELO bar.com
MAIL FROM:<info@foo.com>     <---- this!
RCPT TO:<info@foo.com>
DATA
From: "Buy Viagra" <info@foo.com>   <--- and this!
...

How do I prevent this? I only want applications running on localhost to be able to say MAIL FROM:<something@foo.com>. Here's my current config (main.cf): https://gist.github.com/1283647

Hongli Lai
  • The "MAIL FROM:" / envelope sender is not the header "From:". The "MAIL FROM:" is easy to fix by only allowing auth'd users to send from your domain(s), and using SPF. The header "From:" (which is what most spammers spoof these days) would need to be checked with header checks later, I believe. I am still looking for a good answer to this myself. – B. Shea May 16 '19 at 15:47
  • https://serverfault.com/questions/948161/postfix-blocking-by-from-rather-than-sender – B. Shea May 16 '19 at 16:03

4 Answers

5

You need the smtpd_sender_restrictions to be:

smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/notfromme

and in /etc/postfix/notfromme you put

foo.com REJECT

then postmap /etc/postfix/notfromme and reload postfix.

Done.

Hongli Lai
mailq
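To see why the order of those two restrictions matters, here is an added example (not Postfix source and not the poster's configuration) that models how Postfix evaluates this `smtpd_sender_restrictions` line, using the lookup order that access(5) documents for e-mail address keys. It assumes the Debian default `mynetworks` (127.0.0.0/8 and ::1), since the poster's main.cf is not reproduced on this page, and the default `parent_domain_matches_subdomains` setting, under which a bare `foo.com` key also matches subdomains.

```python
"""Model of the answer's smtpd_sender_restrictions evaluation.

Added example, not Postfix code and not the poster's configuration.
Assumptions: mynetworks is the Debian default (127.0.0.0/8, ::1), and
parent_domain_matches_subdomains keeps its default, which lists
smtpd_access_maps, so a bare "foo.com" key also matches subdomains.
"""
import ipaddress

# Assumed mynetworks (the poster's gist is not reproduced on the page).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# /etc/postfix/notfromme from the answer, as postmap indexes it.
NOTFROMME = {"foo.com": "REJECT"}

# Default: smtpd_access_maps is listed in parent_domain_matches_subdomains.
ACCESS_MAPS_MATCH_SUBDOMAINS = True


def sender_access_keys(sender: str) -> list:
    """Keys that check_sender_access tries for one envelope sender, in the
    order given in access(5): user@domain, domain, parent domains, user@."""
    if sender == "":
        return ["<>"]  # smtpd_null_access_lookup_key default for MAIL FROM:<>
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # With the default setting the parent key is "foo.com"; otherwise
        # only an explicit ".foo.com" key would match subdomains.
        keys.append(parent if ACCESS_MAPS_MATCH_SUBDOMAINS else "." + parent)
    keys.append(f"{user}@")
    return keys


def check_sender_access(table: dict, sender: str) -> str:
    """First key present in the table decides; no hit means DUNNO."""
    for key in sender_access_keys(sender):
        if key in table:
            return table[key]
    return "DUNNO"


def permit_mynetworks(client_ip: str) -> str:
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def smtpd_sender_restrictions(client_ip: str, sender: str) -> str:
    """A restriction list stops at the first OK/PERMIT or REJECT; if every
    restriction answers DUNNO, the implicit final "permit" applies."""
    restrictions = (lambda: permit_mynetworks(client_ip),
                    lambda: check_sender_access(NOTFROMME, sender))
    for restriction in restrictions:
        verdict = restriction()
        if verdict in ("OK", "PERMIT"):
            return "PERMIT"
        if verdict.startswith("REJECT"):
            return "REJECT"
    return "PERMIT"


if __name__ == "__main__":
    for ip, sender in [("127.0.0.1", "app@foo.com"),       # local application
                       ("203.0.113.5", "info@foo.com"),    # the spammer
                       ("203.0.113.5", "x@mail.foo.com"),  # subdomain is hit too
                       ("203.0.113.5", "user@example.net")]:
        print(f"{ip:12} MAIL FROM:<{sender}> -> {smtpd_sender_restrictions(ip, sender)}")
```

Two things to keep in mind when deploying this: the map only inspects the envelope sender, so a forged header `From:` (the case B. Shea's comment raises) is untouched by it; and every client outside `mynetworks` is rejected for a foo.com sender, so if remote users ever need to submit mail through this host, `permit_sasl_authenticated` has to be listed before `check_sender_access`. With the default `smtpd_delay_reject = yes` the rejection is reported at `RCPT TO`, not at `MAIL FROM`.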
0

If you keep the smtpd_delay_reject parameter set to the default of "yes", then most of the restrictions can be rolled up into the recipient restrictions.

smtpd_helo_required = yes 
smtpd_recipient_restrictions = 
                                your_permits (mynetworks, sasl, etc)
                                check_helo_access hash:/etc/postfix/helo_checks

helo_checks file:

# HELO'ing as being in our own domain(s)?
grokshop.tv             REJECT You are not in grokshop.tv
brackin.net             REJECT You are not in brackin.net

# HELO'ing with our IP address?
198.58.109.26           REJECT You are not 198.58.109.26

# HELO'ing as "localhost?"
localhost               REJECT You are not me

Note: On my Postfix, smtpd_delay_reject is set to "no" and it works for me.

Reference Link: https://grokshop.tv/stop-spam-with-postfix-email-server/

Digweed
0

Here's my take on it:

SPFv1 protects the envelope sender address (Return-Path), not the header sender address (From). In most cases (at least that I've seen) the header sender address (From) is spoofed (as foo.com) but that's not what SPFv1 is checking so therefore it passes.

joeqwerty
-1

I think if you add:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access

to your main.cf, and:

foo.com REJECT

to /etc/postfix/helo_access, followed by "postmap helo_access" and restarting postfix, that should mean anyone identifying themselves as "@foo.com" will be rejected straight out, UNLESS the connection is from the localhost in which case it will be permitted (due to permit_mynetworks ranking higher than check_helo_access).

edit - actually, that probably wouldn't help in the case that someone identifies as "HELO randomhost.net" and then sends mail from @foo.com. What you need to implement is probably header_checks:

http://www.postfix.org/header_checks.5.html
http://www.postfix.org/BUILTIN_FILTER_README.html#remote_only

Once you have header_checks configured for spotting @foo.com mails, you should be able to configure master.cf so that anything from localhost skips these checks, and only incoming mail from other systems is checked. Then when you receive an email from @foo.com from another Internet system, that should be discarded.

gac
  • Unfortunately, it's quite common for spammers to send a random HELO, even when faking the server. – Tzarium Oct 13 '11 at 11:45
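The distinction joeqwerty draws between the envelope sender and the header `From:`, together with the remote-only header_checks that gac proposes, as an added example in Python (not Postfix code and not any poster's configuration). It parses constructed client-side SMTP transcripts modelled on the one in the question, shows that the envelope sender (the field SPF and `check_sender_access` look at) and the header `From:` are independent, and applies a hypothetical header_checks rule only to clients outside `mynetworks`, which is again assumed to be the Debian default.

```python
"""Envelope sender vs. header From, and a header_checks-style rule applied
to remote mail only.  Added example; not Postfix code.  The transcripts are
constructed for this example and mirror the session in the question."""
import ipaddress
import re
from email.parser import BytesHeaderParser

# Assumed mynetworks (Debian default); the poster's main.cf is not on the page.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
MY_DOMAIN = "foo.com"

# Hypothetical header_checks(5) table.  In a pcre: table this rule would be
# written as:  /^From:.*@foo\.com\b/  REJECT Forged foo.com sender
HEADER_CHECKS = [
    (re.compile(r"^From:.*@foo\.com\b", re.IGNORECASE), "REJECT Forged foo.com sender"),
]

# Constructed transcripts.  SPAM_ENVELOPE forges both fields (the question);
# SPAM_HEADER_ONLY forges only the header From, the case SPF does not cover.
SPAM_ENVELOPE = (b"HELO bar.com\r\nMAIL FROM:<info@foo.com>\r\nRCPT TO:<info@foo.com>\r\n"
                 b"DATA\r\nFrom: \"Buy Viagra\" <info@foo.com>\r\nTo: <info@foo.com>\r\n"
                 b"Subject: hello\r\n\r\nbody\r\n.\r\n")
SPAM_HEADER_ONLY = SPAM_ENVELOPE.replace(b"MAIL FROM:<info@foo.com>", b"MAIL FROM:<x@bar.com>")
LOCAL_APP = SPAM_ENVELOPE.replace(b"Buy Viagra", b"Cron Daemon")


def parse_session(raw: bytes):
    """Split a client-side SMTP transcript into (envelope_sender, message)."""
    envelope_sender = None
    lines = raw.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.upper().startswith(b"MAIL FROM:"):
            envelope_sender = line.split(b":", 1)[1].strip().strip(b"<>").decode()
        elif line.upper() == b"DATA":
            msg_lines = lines[i + 1:]
            if b"." in msg_lines:
                msg_lines = msg_lines[:msg_lines.index(b".")]  # end-of-data marker
            return envelope_sender, b"\r\n".join(msg_lines) + b"\r\n"
    return envelope_sender, b""


def header_from(message: bytes) -> str:
    """The header From, which SPF never examines."""
    return BytesHeaderParser().parsebytes(message).get("From", "")


def envelope_is_my_domain(envelope_sender: str) -> bool:
    """What an envelope-only check (SPF, check_sender_access) can see."""
    domain = envelope_sender.rpartition("@")[2].lower()
    return domain == MY_DOMAIN or domain.endswith("." + MY_DOMAIN)


def run_header_checks(message: bytes):
    """Match each header line against the table as cleanup(8) does; the first
    matching pattern decides, and no match means no action."""
    msg = BytesHeaderParser().parsebytes(message)
    for name, value in msg.items():
        header_line = f"{name}: {value}"
        for pattern, action in HEADER_CHECKS:
            if pattern.search(header_line):
                return action
    return None


def cleanup_verdict(client_ip: str, raw: bytes) -> str:
    """Apply header_checks to remote clients only.  Locally submitted mail
    skips them, the effect gac's approach gets from
    receive_override_options=no_header_body_checks on the local services."""
    _, message = parse_session(raw)
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "ACCEPT (local submission, header_checks skipped)"
    return run_header_checks(message) or "ACCEPT"
```

Run on the constructed transcripts, the envelope check catches `SPAM_ENVELOPE` but not `SPAM_HEADER_ONLY`, while the header rule rejects both from a remote client and leaves the local application's mail alone. Before using such a rule on a real server note that any legitimate mail with a foo.com `From:` arriving from outside, for example a mailing list redistributing the poster's own messages, is rejected by it as well.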