From: Victor Duchovni (no email)
Date: Tue Apr 15 2008 - 16:33:46 EDT
On Tue, Apr 15, 2008 at 04:26:55PM -0400, Ray Edwards ZREDWARD wrote:
> We are looking into checking incoming mail to our domain against SPF
> records. This is due to forging of the senders address. We are doing valid
> recipient checking. One of our IT security people has recently received
> some SPAM that had the senders address spoofed to an address that had our
> domain name in it , and he is wanting us to investigate SPF record checks
> into Postfix.
You don't need to publish SPF to reject (if that is appropriate)
external email with an envelope sender in your domain. Just use
suitable access(5) rules for your domains.
> Or is there a better way to reject mail with forged sender
> addresses to an address with our domain name in it.
If that's your goal, do just that.
main.cf:
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_sender_access hash:/etc/postfix/sender-access
sender-access:
# See http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
example.com REJECT external email with an internal sender address
.example.com REJECT external email with an internal sender address
-- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: <mailto:?body=unsubscribe%20postfix-users> If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
|
|
|