Basically, email is run over the Simple Mail Transfer Protocol (SMTP). It's very simple, so there is no spoofing prevention mechanism in its earlier specs. Take a look at these two excellent answers about email spoofing on security.SE
Is there a reliable way to reject incoming mails with a spoofed e-mail address?
Over the years, some techniques have been implemented to identify spoofed email addresses, for example:
- SPF: These DNS records detail which servers are allowed to send mail for your domain. See this canonical question for SPF.
- Sender ID: Fork of SPF
- DKIM: a method of embedding digital signatures in mail headers. They can be verified using public keys published in the DNS.
- DMARC
See also our canonical question about this topic: Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?
What kind of checks does postfix run normally on incoming mails?
To find out the default config shipped with postfix, run postconf -d, and then take a look at smtpd_*_restrictions. By default, postfix just runs two checks:
permit_mynetworks, reject_unauth_destination
Does postfix check the reverse DNS by default?
Yes, but postfix only gives a warning when the reverse DNS check fails. Here is a sample warning from maillog.
Aug 22 10:37:17 mx postfix/smtpd[54487]: warning: hostname st.example.com does not resolve to address 192.168.231.235
If you are considering rejecting clients based on their rDNS, see the discussion over here: Is it good practice or too draconian to reject mails from mailservers with no RDNS
Does postfix have any other checks built-in and activated by default?
Check this page, and look for the smtpd_*_restrictions entries (e.g. smtpd_client_restrictions, smtpd_helo_restrictions and so on). There are many checks in postfix, but as I said above, by default only two checks are enabled.
What kind of filters / milters are useful to prevent accepting spoofed mails?
There are some milters/third-party apps that assist postfix in battling spoofed email by applying the four techniques I mentioned above. For example, tumgreyspf, opendkim, opendmarc and many others.
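To gauge how many clients trigger the reverse-DNS warning quoted in this answer before deciding whether to reject on it, the maillog can be summarized per client IP. This is an added example, not part of the original answer; the sample log (apart from its first line), the function names and the optional resolver-reason suffix are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample maillog; only the first line is quoted from the answer.
SAMPLE_LOG = """\
Aug 22 10:37:17 mx postfix/smtpd[54487]: warning: hostname st.example.com does not resolve to address 192.168.231.235
Aug 22 10:37:17 mx postfix/smtpd[54487]: connect from unknown[192.168.231.235]
Aug 22 10:41:02 mx postfix/smtpd[54502]: warning: hostname st.example.com does not resolve to address 192.168.231.235
Aug 22 10:45:30 mx postfix/smtpd[54510]: warning: hostname mail.example.net does not resolve to address 192.0.2.10: Name or service not known
Aug 22 10:46:11 mx postfix/smtpd[54511]: connect from mx.example.org[198.51.100.7]
Aug 22 10:47:00 mx postfix/smtpd[54512]: warning: hostname v6.example.net does not resolve to address 2001:db8::25
Aug 22 10:48:09 mx postfix/smtpd[54513]: warning: non-SMTP command from unknown[203.0.113.9]: GET / HTTP/1.1
"""

# Matches the smtpd warning; a resolver reason may follow the address.
WARN_RE = re.compile(
    r"postfix\S*/smtpd\[\d+\]: warning: hostname (?P<host>\S+) "
    r"does not resolve to address (?P<addr>[0-9A-Fa-f:.]+)"
    r"(?:: (?P<reason>.+))?$"
)

def rdns_mismatches(lines):
    """Yield (client_ip, claimed_hostname, reason_or_None) per warning line."""
    for line in lines:
        m = WARN_RE.search(line.rstrip("\n"))
        if not m:
            continue  # some other smtpd message
        try:
            ip = ipaddress.ip_address(m["addr"])  # accepts IPv4 and IPv6
        except ValueError:
            continue  # address field is not a valid IP; skip the line
        yield str(ip), m["host"], m["reason"]

def summarize(lines):
    """Return {client_ip: {"count": n, "hostnames": [...]}}, busiest first."""
    counts, names = Counter(), defaultdict(set)
    for ip, host, _reason in rdns_mismatches(lines):
        counts[ip] += 1
        names[ip].add(host)
    return {ip: {"count": n, "hostnames": sorted(names[ip])}
            for ip, n in counts.most_common()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{info['count']:4d}  {ip:<18} {', '.join(info['hostnames'])}")
```
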