Stopping acceptence from unowned networks address as from my domains

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Stopping acceptence from unowned networks address as from my domains

Ruben Safir Secretary NYLXS
I got this email, which I thought I set up postfix to block

From [hidden email]  Wed Feb  6 06:26:12 2019
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mail.isentia.asia (mail.mediabanc.ws [203.223.144.88])
        by mrbrklyn.com (Postfix) with ESMTP id BE463161132
        for <[hidden email]>; Wed,  6 Feb 2019 06:25:50 -0500 (EST)
Received: from fixed-187-189-92-126.totalplay.net (187.189.92.126) by
        mail.mediabanc.ws (10.61.3.33) with Microsoft SMTP Server id
        8.1.240.5; Wed,
        6 Feb 2019 15:36:09 +0800
From: BSM <[hidden email]>
To: [hidden email]
Subject: Directorio Empresarial Mexicano 2019
Date: Wed, 6 Feb 2019 01:40:06 -0600
Message-ID: <[hidden email]>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-UID: 55347
Status: RO
Content-Length: 36872
Lines: 561

This is addressed as me in the From line and came from outside my
local network

I want domain being accepted From my domain only is it comes from within
the local network

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

lists@lazygranch.com
When spammers do this to me, I get a bounced mail due to SPF issues since it really isn't from my server. So maybe something SPF related can do what you want.


  Original Message  
From: [hidden email]
Sent: February 6, 2019 5:45 PM
To: [hidden email]
Subject: Stopping acceptence from unowned networks address as from my domains

I got this email, which I thought I set up postfix to block

From [hidden email]  Wed Feb  6 06:26:12 2019
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mail.isentia.asia (mail.mediabanc.ws [203.223.144.88])
        by mrbrklyn.com (Postfix) with ESMTP id BE463161132
        for <[hidden email]>; Wed,  6 Feb 2019 06:25:50 -0500 (EST)
Received: from fixed-187-189-92-126.totalplay.net (187.189.92.126) by
        mail.mediabanc.ws (10.61.3.33) with Microsoft SMTP Server id
        8.1.240.5; Wed,
        6 Feb 2019 15:36:09 +0800
From: BSM <[hidden email]>
To: [hidden email]
Subject: Directorio Empresarial Mexicano 2019
Date: Wed, 6 Feb 2019 01:40:06 -0600
Message-ID: <[hidden email]>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-UID: 55347
Status: RO
Content-Length: 36872
Lines: 561

This is addressed as me in the From line and came from outside my
local network

I want domain being accepted From my domain only is it comes from within
the local network

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

Francesc Peñalvez-2
In reply to this post by Ruben Safir Secretary NYLXS
I asked  the same and Vietse Venema answer this:

Postfix 3.0 and later:

/etc/postfix/main.cf:
      smtpd_sender_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          check_sender_access inline:{
              { example.com = REJECT local sender from unauthorized
client }
              { other.example = REJECT local sender from unauthorized
client }
          }

Instead of example.com and other.example, specify your email domains.

Note: this breaks email from remote mail forwarders or from remote
distribution lists that don't reset the sender address.


this worked perfectly for me

*************************************************************************************************
Este mensaje y todos los archivos adjuntos son confidenciales y de uso exclusivo por parte
de su/sus destinatario/s. Si usted ha recibido este mensaje por error, le agradecemos que
lo notifique inmediatamente al remitente y destruya el mensaje. Queda prohibida cualquier
modificación, edición, uso o divulgación no autorizados. El Emisor no se hace responsable
de este mensaje si ha sido modificado, distorsionado, falsificado, infectado por un virus o
editado o difundido sin autorización.


***********************************************************************************************
This message and any attachments are confidential and intended for the named addressee(s) only.
If you have received this message in error, please notify immediately the sender, then delete
the message. Any unauthorized modification, edition, use or dissemination is prohibited.
The sender shall not be liable for this message if it has been modified, altered, falsified, infected
by a virus or even edited or disseminated without authorization.
***********************************************************************************************

El 07/02/2019 a las 2:44, Ruben Safir escribió:

> I got this email, which I thought I set up postfix to block
>
> >From [hidden email]  Wed Feb  6 06:26:12 2019
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from mail.isentia.asia (mail.mediabanc.ws [203.223.144.88])
>          by mrbrklyn.com (Postfix) with ESMTP id BE463161132
>          for <[hidden email]>; Wed,  6 Feb 2019 06:25:50 -0500 (EST)
> Received: from fixed-187-189-92-126.totalplay.net (187.189.92.126) by
>          mail.mediabanc.ws (10.61.3.33) with Microsoft SMTP Server id
>          8.1.240.5; Wed,
>          6 Feb 2019 15:36:09 +0800
> From: BSM <[hidden email]>
> To: [hidden email]
> Subject: Directorio Empresarial Mexicano 2019
> Date: Wed, 6 Feb 2019 01:40:06 -0600
> Message-ID: <[hidden email]>
> MIME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> X-UID: 55347
> Status: RO
> Content-Length: 36872
> Lines: 561
>
> This is addressed as me in the From line and came from outside my
> local network
>
> I want domain being accepted From my domain only is it comes from within
> the local network
>


smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

Andrey Repin-2
In reply to this post by lists@lazygranch.com
Greetings, Gary!

> From: BSM <[hidden email]>
> To: [hidden email]

I'm explicitly rejecting any attempt to push mails with $mydomain in From
through public mail exchanger. If it is internal correspondence from domain
members, they should use submission service, which allows such mails.


--
With best regards,
Andrey Repin
Thursday, February 7, 2019 17:36:01

Sorry for my terrible english...

Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

Lucius Rizzo
In reply to this post by Ruben Safir Secretary NYLXS
On Wed, Feb 06, 2019 at 08:44:40PM -0500, Ruben Safir wrote:
> I got this email, which I thought I set up postfix to block

Setup SPFi (SPF hardfail) , DKIM, DMARC properly

Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

Ruben Safir Secretary NYLXS
postfix can do this without further infrastructure


On Thu, Feb 07, 2019 at 07:53:38AM -0800, Lucius Rizzo wrote:
> On Wed, Feb 06, 2019 at 08:44:40PM -0500, Ruben Safir wrote:
> > I got this email, which I thought I set up postfix to block
>
> Setup SPFi (SPF hardfail) , DKIM, DMARC properly

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

lists@lazygranch.com
In reply to this post by Francesc Peñalvez-2
On Thu, 7 Feb 2019 05:24:08 +0100
Francesc Peñalvez <[hidden email]> wrote:

> I asked  the same and Vietse Venema answer this:
>
> Postfix 3.0 and later:
>
> /etc/postfix/main.cf:
>       smtpd_sender_restrictions =
>           permit_mynetworks
>           permit_sasl_authenticated
>           check_sender_access inline:{
>               { example.com = REJECT local sender from unauthorized
> client }
>               { other.example = REJECT local sender from unauthorized
> client }
>           }
>
> Instead of example.com and other.example, specify your email domains.
>
> Note: this breaks email from remote mail forwarders or from remote
> distribution lists that don't reset the sender address.
>
>
> this worked perfectly for me
>
> *************************************************************************************************
> Este mensaje y todos los archivos adjuntos son confidenciales y de
> uso exclusivo por parte de su/sus destinatario/s. Si usted ha
> recibido este mensaje por error, le agradecemos que lo notifique
> inmediatamente al remitente y destruya el mensaje. Queda prohibida
> cualquier modificación, edición, uso o divulgación no autorizados. El
> Emisor no se hace responsable de este mensaje si ha sido modificado,
> distorsionado, falsificado, infectado por un virus o editado o
> difundido sin autorización.
>
>
> ***********************************************************************************************
> This message and any attachments are confidential and intended for
> the named addressee(s) only. If you have received this message in
> error, please notify immediately the sender, then delete the message.
> Any unauthorized modification, edition, use or dissemination is
> prohibited. The sender shall not be liable for this message if it has
> been modified, altered, falsified, infected by a virus or even edited
> or disseminated without authorization.
> ***********************************************************************************************
>
> El 07/02/2019 a las 2:44, Ruben Safir escribió:
> > I got this email, which I thought I set up postfix to block
> >  
> > >From [hidden email]  Wed Feb  6 06:26:12 2019  
> > Return-Path: <[hidden email]>
> > X-Original-To: [hidden email]
> > Delivered-To: [hidden email]
> > Received: from mail.isentia.asia (mail.mediabanc.ws
> > [203.223.144.88]) by mrbrklyn.com (Postfix) with ESMTP id
> > BE463161132 for <[hidden email]>; Wed,  6 Feb 2019 06:25:50
> > -0500 (EST) Received: from fixed-187-189-92-126.totalplay.net
> > (187.189.92.126) by mail.mediabanc.ws (10.61.3.33) with Microsoft
> > SMTP Server id 8.1.240.5; Wed,
> >          6 Feb 2019 15:36:09 +0800
> > From: BSM <[hidden email]>
> > To: [hidden email]
> > Subject: Directorio Empresarial Mexicano 2019
> > Date: Wed, 6 Feb 2019 01:40:06 -0600
> > Message-ID: <[hidden email]>
> > MIME-Version: 1.0
> > Content-Type: text/html; charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> > X-UID: 55347
> > Status: RO
> > Content-Length: 36872
> > Lines: 561
> >
> > This is addressed as me in the From line and came from outside my
> > local network
> >
> > I want domain being accepted From my domain only is it comes from
> > within the local network
> >  
>

I'm having trouble finding check_sender_access AND inline. Is inline
some way of not using hash? For example, I have:

  check_sender_access hash:/etc/postfix/sender_checks,

Maybe I'm using this wrong. I have this set up to whitelist addresses.
That is my sender_checks looks like

[hidden email] OK

I'm not using this to reject anything.
Reply | Threaded
Open this post in threaded view
|

Re: Stopping acceptence from unowned networks address as from my domains

Dominic Raferd


On Fri, 8 Feb 2019 at 01:31, [hidden email] <[hidden email]> wrote:
I'm having trouble finding check_sender_access AND inline. Is inline
some way of not using hash? For example, I have:

  check_sender_access hash:/etc/postfix/sender_checks,

Maybe I'm using this wrong. I have this set up to whitelist addresses.
That is my sender_checks looks like

[hidden email] OK

I'm not using this to reject anything.


What you are doing is fine but whitelisting in general carries risk and whitelisting on the envelope sender especially because this parameter is easily faked and it will not usually be seen by the recipient. I use check_sender _access whitelisting only for a few cases where legitimate mails have previously been wrongly blocked by subsequent RBL or reject_unknown_reverse_client_hostname tests. (If your RBL tests are done inside postscreen then local whitelisting by envelope sender is too late I think.) I do however use check_sender_access for blacklisting (REJECT) and for spam scoring.