Reject incoming emails that use your own domain as sender

It would be nice to reject incoming emails which use one of my virtual domains as sender address while not being a legitimate user of mine.

I know that I can reject incoming emails which use an existing alias/account name using smtpd_sender_restrictions=reject_sender_login_mismatch; this does, however, still allow attackers to use a non-existent email address with one of my virtual domains (which is favored in regards to spam detection).

What's the best way to reject incoming mails which use one of my virtual domains and aren't authenticated to do so?

SPF as well as DKIM are set up but configured to SoftFail, due to problems with mailing lists and forwards. I am not looking for SPF or DKIM but a solution for the Postfix server that is the MX of the aforementioned domains.


I found two possible methods, but maybe there is a better way.

1st method:

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    permit

Now I modified my smtpd_sender_login_maps to return an entry of admin if the domain exists in the domains table. This way a record is returned even when the email address doesn't exist as a mailbox/alias, but not when a foreign domain is the from address.

table = domain
query = SELECT username AS allowedUser FROM mailbox WHERE username="%s" AND deleted_at IS NULL \
UNION SELECT goto FROM alias WHERE address="%s" AND active = 1 \
UNION select 'admin' from domain where domain = '%d'

2nd method:

This approach uses a check_sender_access lookup which returns a reject action if the domain is a virtual one and the user is not sasl_authenticated.

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    check_sender_access proxy:mysql:$config_directory/mysql_reject_virtual_domains.cf,
    permit

mysql_reject_virtual_domains.cf:

table = domain
query = select 'Reject 530 SMTP authentication is required' from domain where domain = '%d'

3rd method (thanks to masegaloeh):

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unlisted_sender,
    permit

I don't know how much CPU load or how many SQL queries reject_unlisted_sender generates, as it checks quite a lot of things:


Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.

An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.

  • The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
  • The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
  • The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
  • The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
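
To compare the chains above side by side, the following is an added example (not part of the original posts and not Postfix code): a simplified Python model of the original chain ("baseline") and the first two methods. The domain, mailbox and alias data are constructed, map lookups are reduced to exact matches, and the function names are hypothetical.

```python
# Simplified model of the smtpd_sender_restrictions chains discussed above.
# All data is constructed; lookups are reduced to exact address/domain matches.
DOMAINS = {"example.org"}                            # rows of the `domain` table
MAILBOXES = {"alice@example.org"}                    # mailbox.username
ALIASES = {"info@example.org": "alice@example.org"}  # alias.address -> goto


def login_owners(sender, domain_catchall):
    """Model of smtpd_sender_login_maps: SASL logins that own `sender`."""
    owners = set()
    if sender in MAILBOXES:
        owners.add(sender)
    if sender in ALIASES:
        owners.add(ALIASES[sender])
    # Method 1: every address in a hosted domain also gets the owner 'admin'.
    if domain_catchall and sender.rpartition("@")[2] in DOMAINS:
        owners.add("admin")
    return owners


def login_mismatch(sender, sasl_user, owners):
    """reject_sender_login_mismatch, as described in postconf(5)."""
    if sasl_user is None:
        return bool(owners)          # address has an owner, client not logged in
    return sasl_user not in owners   # logged in, but login does not own address


def decide(method, sender, sasl_user=None):
    """Return 'REJECT' or 'PERMIT' for MAIL FROM under the given chain."""
    owners = login_owners(sender, domain_catchall=(method == "method1"))
    if login_mismatch(sender, sasl_user, owners):
        return "REJECT"
    if sasl_user is not None:        # permit_sasl_authenticated
        return "PERMIT"
    # Method 2: check_sender_access returns a reject action for hosted domains.
    if method == "method2" and sender.rpartition("@")[2] in DOMAINS:
        return "REJECT"
    return "PERMIT"                  # final `permit`


if __name__ == "__main__":
    cases = [("ghost@example.org", None), ("alice@example.org", None),
             ("alice@example.org", "alice@example.org"),
             ("bob@elsewhere.test", None)]
    for method in ("baseline", "method1", "method2"):
        for sender, user in cases:
            print(f"{method:9} {sender:20} sasl={user!s:18} {decide(method, sender, user)}")
```

In this model a SASL login literally named admin would own every address in the hosted domains under the first method, so that placeholder value should not match a real account name.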


The righteous way is to set up SPF for your domain and enable SPF in the MTA. Then you'll get protection not only for your own domain forging but also for all other domains having SPF enabled.