Does postfix reject spoofed senders?

Solution 1:

Basically email was run over Simple Mail Transfer Protocol. It's very simple so there are no spoofing prevention mechanism in its earlier specs. Take a look on these two excellent answers about email spoofing on security.SE

  • Why is it even possible to forge sender header in e-mail?
  • How can PayPal spoof emails so easily to say it comes from someone else?.

Is there a reliable way to reject incoming mails with a spoofed e-mail address?

Over the years, there are some techniques implemented to identify spoofed email address, for example:

  • SPF: This DNS records detail which servers are allowed to send mail for your domain. See this canonical question for SPF.
  • Sender ID: Fork of SPF
  • DKIM: is a method of embedding digital signatures in mail headers. It can be verified using public keys published in the DNS.
  • DMARC

See also our canonical question about this topic: Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

What kind of checks does postfix run normally on incoming mails?

To find out what default config shipped with postfix, please run postconf -d. And then take a look on smtpd_*_restriction. As default, postfix just run two checks,

permit_mynetworks, reject_unauth_destination
  • Parameter permit_mynetworks is permit email which originates from your network.
  • Parameter reject_unauth_destination is basic setting to make sure that your server doesn't became open relay, visit this page for brief explanation.

does postfix check the reverse dns by default?

Yes, but postfix only gave warning when reverse dns check fail. Here the sample warning from maillog.

Aug 22 10:37:17 mx postfix/smtpd[54487]: warning: hostname st.example.com does not resolve to address 192.168.231.235

If you consider to reject client based on their rDNS, see the discussion over here: Is it good practice or too draconian to reject mails from mailservers with no RDNS

does postfix have any other checks built-in and activated by default?

Check this page, and look for entry smtpd_*_restriction (e.g smtpd_client_restriction, smtpd_helo_restriction and so on). There are many check on postfix for example but as I said above, by default only two checks enabled.

what kind of filters / milters are useful to prevent accepting spoofed mails?

There are some milter/third apps to provide assists postfix battle spoofed email by applying four techniques I said above. For example tumgreyspf, opendkim, opendmarc and many others.