Allow only my servers to send mail from my domain

decosvaldo

Hi everybody.

I'm receiving some e-mails coming from outside with the FROM pointing to my local domain. This causes confusion on my antispam tools.
Ex: I received an e-mail from the internet with [hidden email] (which is my domain) as FROM. How can I make Postfix accept incoming e-mails from mydomain (iqm.unicamp.br) only if they are sent from my smtp mail servers?

I do not use virtual domains. Single domain only.
CentOS 6.5 with postfix 2.6.6

Thanks

Regards,

André Luiz Paiz
Network Analyst
Instituto de Química – Unicamp
[hidden email]
Phone: (19)3521-0197
Re: Allow only my servers to send mail from my domain

DTNX Postmaster
On 04 Aug 2014, at 19:25, Andre Luiz Paiz <[hidden email]> wrote:

> I'm receiving some e-mails coming from outside with the FROM pointing to my local domain. This causes confusion on my antispam tools.
> Ex: I received an e-mail from the internet with [hidden email] (which is my domain) as FROM. How can I make Postfix accept incoming e-mails from mydomain (iqm.unicamp.br) only if they are sent from my smtp mail servers?
>
> I do not use virtual domains. Single domain only.
> CentOS 6.5 with postfix 2.6.6

You seem to have a rather extensive SPF record;

==
$ dig +short txt iqm.unicamp.br
"v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1 ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 ip4:143.106.10.159 ip4:143.106.161.133 ip4:186.202.4.42 a:faunus.unicamp.br a:pq.cnpq.br a:uranus.scholarone.com -all"
==

I'd suggest you use that? You've already declared which servers are allowed to send, so you could use that to weed out any forgeries coming in from the outside.

Remember to do the SPF check after permitting SASL clients, if you have any;

http://www.postfix.org/postconf.5.html#permit_sasl_authenticated

Kind regards,
Joni
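
How the SPF record quoted in the reply above separates permitted servers from outside forgeries, as an added example that is not part of the original post. It evaluates only the mechanisms that record uses (`ip4`, `a:<domain>`, `all`, plus `ip6`); the A records in `SAMPLE_DNS` are constructed documentation addresses standing in for live DNS.

```python
import ipaddress

# SPF record as published on the page for iqm.unicamp.br.
SPF_RECORD = ("v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1 "
              "ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 "
              "ip4:143.106.10.159 ip4:143.106.161.133 ip4:186.202.4.42 "
              "a:faunus.unicamp.br a:pq.cnpq.br a:uranus.scholarone.com -all")

# Constructed A records (documentation addresses), not the hosts' real ones.
SAMPLE_DNS = {
    "faunus.unicamp.br": ["192.0.2.10"],
    "pq.cnpq.br": ["192.0.2.20"],
    "uranus.scholarone.com": ["198.51.100.30"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, dns=SAMPLE_DNS):
    """Evaluate the terms left to right; the first matching mechanism wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a" and arg:
                addrs = dns.get(arg.lower(), [])
                matched = any(ip == ipaddress.ip_address(a) for a in addrs)
            else:
                return "permerror"           # term this sketch does not handle
        except ValueError:
            return "permerror"               # malformed address or prefix
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all"


if __name__ == "__main__":
    for addr in ("143.106.51.77", "192.0.2.10", "203.0.113.5"):
        print(addr, check_spf(SPF_RECORD, addr))
```
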

Re: Allow only my servers to send mail from my domain

decosvaldo

Dear Joni,
Thanks for your answer.

I use Spamassassin to check SPF records for all external domains, because it can apply scores to messages instead of blocking them. When I was blocking SPF records with errors, I received a lot of complaints about false positives.

I also fixed my SPF records. Thanks for that.

What do you suggest that I should do? I permit SASL authenticated only on the submission port, but some servers in the internal network are allowed to deliver messages on the default SMTP port (specified in the permit my_networks variable).

Is there an alternative?

My submission restrictions in master.cf:
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$mydomain
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$policyd,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_milters=inet:localhost:8891
  -o non_smtpd_milters=inet:localhost:8891
  -o disable_vrfy_command=no


Default configuration in main.cf
smtpd_recipient_restrictions =
                                check_policy_service inet:127.0.0.1:10031,
                                permit_mynetworks,
                                reject_non_fqdn_recipient,
                                reject_non_fqdn_sender,
                                reject_unknown_sender_domain,
                                reject_unknown_recipient_domain,
                                reject_unauth_destination,
                                reject_non_fqdn_helo_hostname,
                                reject_unknown_client_hostname,
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client b.barracudacentral.org

Regards,

André Luiz Paiz
Network Analyst
Instituto de Química – Unicamp
[hidden email]
Phone: (19)3521-0197
Re: Allow only my servers to send mail from my domain

DTNX Postmaster
On 04 Aug 2014, at 20:45, Andre Luiz Paiz <[hidden email]> wrote:

> Quoting DTNX Postmaster <[hidden email]>:
>
>> On 04 Aug 2014, at 19:25, Andre Luiz Paiz <[hidden email]> wrote:
>>
>>> I'm receiving some e-mails coming from outside with the FROM pointing to my local domain. This causes confusion on my antispam tools.
>>> Ex: I received an e-mail from the internet with [hidden email] (which is my domain) as FROM. How can I make Postfix accept incoming e-mails from mydomain (iqm.unicamp.br) only if they are sent from my smtp mail servers?
>>>
>>> I do not use virtual domains. Single domain only.
>>> CentOS 6.5 with postfix 2.6.6
>>>
>> You seem to have a rather extensive SPF record;
>>
>> ==
>> $ dig +short txt iqm.unicamp.br
>> "v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1 ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 ip4:143.106.10.159 ip4:143.106.161.133 ip4:186.202.4.42 a:faunus.unicamp.br a:pq.cnpq.br a:uranus.scholarone.com -all"
>> ==
>>
>> I'd suggest you use that? You've already declared which servers are allowed to send, so you could use that to weed out any forgeries coming in from the outside.
>>
>> Remember to do the SPF check after permitting SASL clients, if you have any;
>>
>> http://www.postfix.org/postconf.5.html#permit_sasl_authenticated
>>
>> Kind regards,
>> Joni
>>
>
> Dear Joni,
> Thanks for your answer.
>
> I use Spamassassin to check SPF records for all external domains, because it can apply scores to messages instead of blocking them. When I was blocking SPF records with errors, I received a lot of complaints about false positives.
>
> I also fixed my SPF records. Thanks for that.

Block only on a 'Fail' result, not on 'Permerror', or 'Softfail'. Score everything else.

If someone gets blocked because their SPF record specifies '-all' and they're sending from outside the permitted set of servers; their problem, not yours.

> What do you suggest that I should do? I permit SASL authenticated only on the submission port, but some servers in the internal network are allowed to deliver messages on the default SMTP port (specified in the permit my_networks variable).
>
> Is there an alternative?

Yes;

http://www.postfix.org/postconf.5.html#check_sender_access

Create an access table that contains something akin to;

iqm.unicamp.br     REJECT sender address accepted from our own servers only

Put the restriction in 'smtpd_recipient_restrictions', after everything else. To be on the safe side, test it before going live with it, using 'warn_if_reject';

http://www.postfix.org/postconf.5.html#warn_if_reject

And then throw some tests at it from a server that should be rejected, using swaks, or telnet. When you're satisfied that nothing is getting blocked that shouldn't be (check the logs for 'reject_warning'), remove the 'warn_if_reject', and it should start blocking.

Kind regards,
Joni
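
One way to review the 'reject_warning' lines from the warn_if_reject trial described above before going live, as an added example that is not part of the original post. Each client that would have been rejected is checked against the ip4 entries of the SPF record quoted earlier in the thread, so a permitted server that the new rule would block stands out; the log lines are constructed and the table path in the comment is an assumption.

```python
import ipaddress
import re
from collections import Counter

DOMAIN = "iqm.unicamp.br"
# ip4 entries of the SPF record quoted in the thread: hosts that are supposed
# to be able to send mail as the domain.
AUTHORISED = [ipaddress.ip_network(n) for n in (
    "143.106.51.0/24", "143.106.113.190", "143.106.10.1", "143.106.10.154",
    "206.112.78.3", "143.106.10.12", "143.106.10.159", "143.106.161.133",
    "186.202.4.42")]

# Trial setting under review (the table path is an assumption):
#   warn_if_reject check_sender_access hash:/etc/postfix/sender_access
# check_sender_access looks at the envelope sender (MAIL FROM), which is the
# address logged as from=<...> below.
# Constructed maillog lines; host names, mailboxes and the 203.0.113.x and
# 198.51.100.x clients are made up.
SAMPLE_LOG = """\
Aug  5 10:12:01 mx postfix/smtpd[2211]: connect from unknown[203.0.113.45]
Aug  5 10:12:02 mx postfix/smtpd[2211]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.45]: 554 5.7.1 <ceo@iqm.unicamp.br>: Sender address rejected: sender address accepted from our own servers only; from=<ceo@iqm.unicamp.br> to=<user1@iqm.unicamp.br> proto=ESMTP helo=<mail.example.net>
Aug  5 10:14:40 mx postfix/smtpd[2230]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.45]: 554 5.7.1 <ceo@iqm.unicamp.br>: Sender address rejected: sender address accepted from our own servers only; from=<ceo@iqm.unicamp.br> to=<user2@iqm.unicamp.br> proto=ESMTP helo=<mail.example.net>
Aug  5 10:20:13 mx postfix/smtpd[2244]: NOQUEUE: reject_warning: RCPT from relay.example.org[186.202.4.42]: 554 5.7.1 <lists@iqm.unicamp.br>: Sender address rejected: sender address accepted from our own servers only; from=<lists@iqm.unicamp.br> to=<user1@iqm.unicamp.br> proto=ESMTP helo=<relay.example.org>
Aug  5 10:31:55 mx postfix/smtpd[2251]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<promo@example.com> to=<user1@iqm.unicamp.br> proto=ESMTP helo=<198.51.100.7>
"""

WARNING = re.compile(
    r"reject_warning: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r".*?Sender address rejected: .*?from=<(?P<sender>[^>]*)>")


def review(log_text, domain=DOMAIN, authorised=AUTHORISED):
    """Return (forged, blocked_authorised): per-client counts of would-be rejects."""
    forged, blocked_authorised = Counter(), Counter()
    for line in log_text.splitlines():
        m = WARNING.search(line)
        if not m or not m.group("sender").lower().endswith("@" + domain):
            continue                      # not a trial hit for our own domain
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in authorised):
            blocked_authorised[str(ip)] += 1   # permitted sender: fix before go-live
        else:
            forged[str(ip)] += 1               # outside client using our domain
    return forged, blocked_authorised


if __name__ == "__main__":
    forged, blocked = review(SAMPLE_LOG)
    print("would be rejected (outside clients):", dict(forged))
    print("would be rejected (SPF-listed hosts):", dict(blocked))
```

Any address in the second group needs to be permitted ahead of the sender check before 'warn_if_reject' is removed.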

Re: Allow only my servers to send mail from my domain

decosvaldo
In reply to this post by decosvaldo

Good morning,
Does anybody have some tips to help me?

Thanks

Regards,

André Luiz Paiz
Network Analyst
Instituto de Química – Unicamp
[hidden email]
Phone: (19)3521-0197
Re: Allow only my servers to send mail from my domain

Alexandre Ellert

Hello,

You should have a look at DMARC.
If you announce a reject policy in your DNS and configure opendmarc milter on your inbound MX, that will do what you want.

Alexandre

Re: Allow only my servers to send mail from my domain

decosvaldo

Thanks Alexandre, I will take a look into it.

Regards,

André Luiz Paiz
Network Analyst
Instituto de Química – Unicamp
[hidden email]
Phone: (19)3521-0197
Re: Allow only my servers to send mail from my domain

DTNX Postmaster
In reply to this post by decosvaldo
On 05 Aug 2014, at 15:53, Andre Luiz Paiz <[hidden email]> wrote:

> Quoting Andre Luiz Paiz <[hidden email]>:
>
>> Is there an alternative?
>
> Good morning,
> Does anybody have some tips to help me?

Yes, I already gave you the 'check_sender_access' option as an
alternative. Also, please do not use HTML to post to lists like these.

Kind regards,
Joni