Postfix: blocking people spoofing emails FROM my domain

Hi,

I've configured postfix so that it's not operating as an open relay. It will only accept a RCPT TO: mydomain and it will accept any MAIL FROM: domain - so it can accept emails from external addresses.

However someone is spoofing emails from my domain. So if the email is both to and from my domain it will be accepted.

How can I configure postfix to reject emails from my domain unless the user is SASL authenticated? (or the login comes from 127.0.0.1)

Thanks
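A Postfix configuration that does what the question asks, added here as a worked example (it is not from the original question or any of the replies): mail whose envelope sender is in the local domain is rejected unless the client is SASL-authenticated or connects from `mynetworks`, which covers 127.0.0.1. The domain `example.com` and the map path `/etc/postfix/sender_access` are assumptions; replace them with your own values.

```conf
# /etc/postfix/main.cf (fragment) -- added example; assumes the local domain is example.com
mydomain = example.com

# 127.0.0.0/8 is in mynetworks by default; keep localhost there so local
# submission (the "login comes from 127.0.0.1" case) is still permitted.
mynetworks = 127.0.0.0/8 [::1]/128

smtpd_sasl_auth_enable = yes

# Evaluated at MAIL FROM. Order matters: trusted sources are permitted first,
# then anything still claiming an envelope sender in our domain is rejected
# by the access map. Everything else (foreign senders) is permitted here and
# goes on to smtpd_recipient_restrictions as before.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/sender_access (assumed path) -- build the .db with:
#   postmap /etc/postfix/sender_access && postfix reload
# A bare domain key matches user@example.com; with the default
# parent_domain_matches_subdomains (which lists smtpd_access_maps) it also
# matches user@sub.example.com.
example.com     REJECT Mail from example.com must be submitted with SASL authentication
```

Two caveats a practitioner should keep in mind. First, `check_sender_access` inspects only the envelope MAIL FROM; a message with a foreign envelope sender and a forged `From:` header still passes this rule, which is why the replies below pair it with SPF and DKIM checks. Second, any legitimate third party that sends mail as your domain into your own server (the Mail Chimp case in the thread) will now be rejected unless you permit its client addresses with a `check_client_access` entry placed before the sender map. If you also want to stop authenticated users from sending as each other, Postfix's `smtpd_sender_login_maps` together with `reject_sender_login_mismatch` is the stricter option.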

6 Replies

If you set up SPF records for your domain(s) and configure your mailserver to check SPF records, then you and everyone else who checks SPF on incoming mail will be able to recognize and reject this spoofed mail.

http://www.openspf.org/

Thanks Stever. I have already set up SPF, and in fact these spoofed emails are failing the SPF test and being marked as spam. But because so many people don't have SPF set up, I don't want to completely block SPF failures.

I need a solution that will block this type of spoofed mail, but I can't turn on full SPF fail blocks.

Hello Flibble, did you find a solution to your problem? I would like to make this same change myself and have already gone through the first stage, as you have. If you managed to fix this, let me know!

Your logic is somewhat flawed. If a server is not using SPF it is going to ignore the directive completely (not reject, even if specified). It is as if SPF was never invented on that server. It is in your best interest to reject; otherwise do not use it at all, or lower the setting for debug/testing.

My DNS record has the following: XXXnetwork.com. IN TXT "v=spf1 a mx a:sv1.XXXnetwork.com ip4:XXX.230.141.86 ip6:2600:3c02::f03c:91ff:fef1:XXX -all"

The XXX's are just redacted pieces, probably not even enough redaction for anonymity, but that is OK. This works perfectly. I lose no email of importance over the course of a year. Servers that don't use SPF ignore it, but my spoofing is way down. Granted, due to the fact that some servers do not respect SPF there will be some spoofing, but minimizing it greatly is helpful. Most MTAs will track your reputation based on IP, but if some see spam coming from a domain over and over they may list you as a poor performer. The advantage is that most of the major providers respect SPF and its ilk, and that is where the spammers target most (largest audience).

If you are going to go neutral or pass-all and are not testing, you may as well not bother. It's almost always going to pass.

It's a small challenge to test in a live environment, but see my suggestion below. Lower your domain's TTL so you can revert quickly if you are unhappy.

~~Alternative~~ Complementary methods: DKIM & DNSSEC.

SPF is the easiest remediation technique for what you describe, but you may, as time permits, build up your infrastructure.

There are many tools to test. I rather like this one: https://www.port25.com/support/authentication-center/email-verification/ You send it an email and it tells you if your records are good or not, allowing you to be relatively sure everything is set correctly so that mail from your server is the only mail authorized to be sent on your behalf. Do remember, if you use a service like Mail Chimp or some such, that you add them to your allowed senders or you end up in a boat, but that is about the most complicated an SPF record gets.

I suppose it may be worth asking on second reading: are these spoofed emails originating from your server, or is someone just using your domain name to send spam? My problem was the latter. The spammers tend to just pick up domain names and send email from relays (pretend your domain is gloomytuesday.com). You start getting reject notices for sandradee#gloomytuesday.com (she is not one of your users). It is likely the email was relayed outside of your control. That is where SPF comes in. If this was sent from your server, as would be noted in the mail log for that time period, the issue is something different. Determine if these messages are originating locally or being relayed by someone pretending to be you. If it is a relay, SPF and its complements are what you need, and all else being equal your mail server is fine; on the flip side, if your server is the originator there may be some configs to look at. My money is on the spam punks relaying & using your domain. You can't control that, only mitigate the damage.

Hi Einsweiler, thank you for your feedback! Indeed, after going back over what you said above, I have already corrected the SPF concern. Next, regarding the use of my domain for spamming, you have made me doubt. At first sight, I do not think the problem comes from there, but as a precaution I will investigate to confirm that.
