Reject incoming emails that use your own domain as sender
It would be nice to reject incoming emails which use one of my virtual domains as sender address while not being a legitimate user of mine.
I know that I can reject incoming emails which use an existing alias/account name using smtpd_sender_restrictions=reject_sender_login_mismatch
, this does however still allow attackers to use a non-existant emailaddress with one of my virtual domains. (Which is favored in regards to spam detection).
What's the best way to reject incoming mails which use one of my virtual domains and aren't authenticated to do so?
SPF as well as DKIM are set up but configured to SoftFail, due to problems with mailinglists and forwards. I am not looking for SPF or DKIM but a solution for the postfix server that is the MX of the aforementioned domains.
I found two possible methods, but maybe there is a better way.
1st method:
smtpd_sender_restrictions =
reject_sender_login_mismatch,
permit_sasl_authenticated,
permit
Now I modified my smtpd_sender_login_maps
to return an entry of admin
if the domain exists in the domains table. This way a record is returned, even when the emailadress doesn't exist as maibox/alias, but not when a foreign domain is the from address.
table = domain
query = SELECT username AS allowedUser FROM mailbox WHERE username="%s" AND deleted_at IS NULL \
UNION SELECT goto FROM alias WHERE address="%s" AND active = 1 \
UNION select 'admin' from domain where domain = '%d'
2nd method:
This approach uses a check_sender_access
lookup which returns a reject action if the domain is a virtual one and the user is not sasl_authenticated
.
smtpd_sender_restrictions =
reject_sender_login_mismatch,
permit_sasl_authenticated,
check_sender_access proxy:mysql:$config_directory/mysql_reject_virtual_domains.cf,
permit
mysql_reject_virtual_domains.cf
:
table = domain
query = select 'Reject 530 SMTP authentication is required' from domain where domain = '%d'
3rd method (thanks to masegaloeh):
smtpd_sender_restrictions =
reject_sender_login_mismatch,
permit_sasl_authenticated
reject_unlisted_sender,
permit
I don't know how many cpu-load/SQL-queries reject_unlisted_sender generates, as it checks quite many things:
Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender
access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.
An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.
- The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
- The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
- The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
- The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
The righteous way is to setup SPF for your domain and enable SPF in the MTA. Then you'll get protection not only for your own domain forging but also for all other domains having SPF enabled.