Forged FROM Adresses deny based on actual user?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Forged FROM Adresses deny based on actual user?

BlackIce_
Lately I have been getting SPAM mails that mimic our typical adress (i.e.
user@domain) Ideally, the postfix server should only accept mail from
ACTUAL users (or aliases to users) on the server.

Is there a config change that can accomplish this easily? Seems like it
should be the default.

If the user does not exist, do not accept mail from them regardless of
domain.

Thanks,

Rick
Reply | Threaded
Open this post in threaded view
|

Re: Forged FROM Adresses deny based on actual user?

allenc
On 07/05/17 17:12, BlackIce_ wrote:

> Lately I have been getting SPAM mails that mimic our typical adress
> (i.e. user@domain) Ideally, the postfix server should only accept mail
> from ACTUAL users (or aliases to users) on the server.
>
> Is there a config change that can accomplish this easily? Seems like
> it should be the default.
>
> If the user does not exist, do not accept mail from them regardless of
> domain.
>
> Thanks,
>
> Rick
>

I am not sure that it would scale very well, but I use a file called
"valid_users":

valid_users:
[hidden email]    DUNNO
... etc
[hidden email]    DUNNO
[hidden email]    DUNNO
... etc
example.com        REJECT Invalid address


and in main.cf:
check_sender_access hash:/etc/postfix/valid_users,
check_recipient_access hash:/etc/postfix/valid_users,


It is VERY effective on my "toy" server;  if you could automate the
creation of the valid_user file, it might just work for you.

Regards

Allen C


Reply | Threaded
Open this post in threaded view
|

Re: Forged FROM Adresses deny based on actual user?

Wietse Venema
Allen Coates:

> I am not sure that it would scale very well, but I use a file called
> "valid_users":
>
> valid_users:
> [hidden email]    DUNNO
> ... etc
> [hidden email]    DUNNO
> [hidden email]    DUNNO
> ... etc
> example.com        REJECT Invalid address
>
>
> and in main.cf:
> check_sender_access hash:/etc/postfix/valid_users,
> check_recipient_access hash:/etc/postfix/valid_users,
>
> It is VERY effective on my "toy" server;  if you could automate the
> creation of the valid_user file, it might just work for you.

I suggest:

/etc/postfix/main.cf:
    smtpd_reject_unlisted_sender = yes

Maybe it's time to make that the default.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Forged FROM Adresses deny based on actual user?

Andreas Schamanek

On Sun, 7 May 2017, at 15:04, Wietse Venema wrote:

> /etc/postfix/main.cf:
>     smtpd_reject_unlisted_sender = yes

Is there a way to test-run this similar to warn_if_reject?

--
-- Andreas


Reply | Threaded
Open this post in threaded view
|

Re: Forged FROM Adresses deny based on actual user?

Viktor Dukhovni

> On May 7, 2017, at 3:42 PM, Andreas Schamanek <[hidden email]> wrote:
>
>> /etc/postfix/main.cf:
>>    smtpd_reject_unlisted_sender = yes
>
> Is there a way to test-run this similar to warn_if_reject?

http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

leads you to

http://www.postfix.org/postconf.5.html#reject_unlisted_sender

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: Forged FROM Adresses deny based on actual user?

Andreas Schamanek

On Sun, 7 May 2017, at 15:49, Viktor Dukhovni wrote:

> >> /etc/postfix/main.cf:
> >>    smtpd_reject_unlisted_sender = yes
> > Is there a way to test-run this similar to warn_if_reject?
>
> http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender 
> leads you to
> http://www.postfix.org/postconf.5.html#reject_unlisted_sender

Thanks, you are right that I was confused about this reference. So,

  smtpd_sender_restrictions = (...)
    warn_if_reject
    reject_unlisted_sender

works as expected but only if smtpd_reject_unlisted_sender = no.

--
-- Andreas

    :-)