Receiving spam from my own email address. postfix

As we can see, this message uses your address as the envelope sender:

postfix/qmgr[19733]: 750991E018: from=<[email protected]>, size=3207, nrcpt=1 (queue active)

This means you have methods for rejecting such messages right after MAIL FROM (or RCPT TO, as I do). Regarding the headers like From: and Date:, they can be spoofed and contain anything. Additional spam filters like Spamassassin can perform tests against these, but that's another story.

Your email client is showing the time and date provided by the Date: header rather than the time the server has actually received the mail. You can look at the Received headers to see the dates added by the servers the message has gone through, but the email client trusts the Date: header.


METHOD 1: Blacklisting the domain from external sources

The methods aren't in order: the first one is easy to add, but the second one is better in every way.

If this server is the only legitimate source for email from your domain example.com, you could simply block all messages from the domain, unless they come from your own networks or an authenticated user, using check_sender_access. I personally put everything in smtpd_recipient_restrictions to get more details in the logs before rejecting the connection. For main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    . . .
    check_sender_access hash:/etc/postfix/access/sender_access,
    . . .

The /etc/postfix/access/sender_access is a lookup table (remember to postmap) of white- and blacklisted MAIL FROM addresses, domains etc. For blacklisting mail from this domain, e.g.

example.com   550 YOU ARE NOT ME.

METHOD 2: Implementing SPF for your domain and testing sender SPF in Postfix

If you have other sources for mail, you can't use the previous method. Also, SPF is something you should really implement to prevent your domain from being used for sending spam. First you add a TXT record for your domain listing all the authorized senders. See SPF Introduction and Record Syntax.

After that, configure your Postfix to check for SPF (see How To Implement SPF In Postfix). E.g.

  • Install Perl with the Mail::SPF and NetAddr::IP modules.
  • Install postfix-policyd-spf-perl.

  • main.cf:

    smtpd_recipient_restrictions =
        . . .
        reject_unauth_destination,
        check_policy_service unix:private/policy-spf,
        . . .
    
  • master.cf:

    policy-spf  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/policyd-spf
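To see why the order of the restriction list matters and how the two methods differ for a legitimate outside sender, here is a small model of the evaluation, added as an example (it is not Postfix code and not part of the answer above). The restriction names are Postfix's; the evaluator, the access(5) lookup order and the tiny SPF check are simplified stand-ins, and the networks, the SPF record and every address are constructed placeholders.

```python
"""Model of how Postfix walks a restriction list for METHOD 1 and METHOD 2.
Added example, not Postfix's own code: restriction names are Postfix's, the
evaluator, the access-table lookup and the SPF check are simplified stand-ins,
and all addresses, networks and records are constructed placeholders."""
import ipaddress

# $mynetworks (constructed)
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# METHOD 1: /etc/postfix/access/sender_access after postmap, as in the answer
SENDER_ACCESS = {"example.com": "550 YOU ARE NOT ME."}

# METHOD 2: the domain's TXT record (constructed; 203.0.113.0/24 stands for a
# second legitimate mail source such as a mailing-list provider)
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"}

METHOD_1 = ["permit_mynetworks", "permit_sasl_authenticated",
            "reject_unauth_destination", "check_sender_access"]
METHOD_2 = ["permit_mynetworks", "permit_sasl_authenticated",
            "reject_unauth_destination", "check_policy_service"]


def access_lookup_keys(sender):
    """Keys Postfix tries for user@domain in an access(5) table, in order:
    the full address, the domain, its parent domains (assuming the default
    parent_domain_matches_subdomains, which covers smtpd_access_maps), then user@."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return [sender, domain, *parents, local + "@"]


def check_sender_access(sender):
    """Return the table's action, or None (DUNNO) to fall through."""
    for key in access_lookup_keys(sender):
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return None


def check_policy_spf(sender, client_ip):
    """Minimal SPF: only ip4 and all mechanisms; a match on -all rejects.
    A real policy daemon such as policyd-spf evaluates the whole record."""
    record = SPF_RECORDS.get(sender.rpartition("@")[2])
    if record is None:
        return None  # no record published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:])
        else:
            continue  # a, mx, include, ... not modelled here
        if matched:
            return "550 5.7.1 SPF fail" if qualifier == "-" else None
    return None


def evaluate(restrictions, sender, client_ip, sasl_authenticated, recipient_is_local=True):
    """Walk the list in order; the first restriction with an opinion decides."""
    client = ipaddress.ip_address(client_ip)
    for name in restrictions:
        verdict = None
        if name == "permit_mynetworks":
            if any(client in net for net in MYNETWORKS):
                verdict = "250 OK (permit_mynetworks)"
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                verdict = "250 OK (permit_sasl_authenticated)"
        elif name == "reject_unauth_destination":
            if not recipient_is_local:
                verdict = "554 5.7.1 Relay access denied"
        elif name == "check_sender_access":
            verdict = check_sender_access(sender)
        elif name == "check_policy_service":
            verdict = check_policy_spf(sender, client_ip)
        else:
            raise ValueError("unknown restriction " + name)
        if verdict is not None:
            return verdict
    return "250 OK (end of list)"


if __name__ == "__main__":
    cases = [
        ("spoofed from the internet", "198.51.100.7", False),
        ("internal relay",            "10.1.2.3",     False),
        ("authenticated user",        "198.51.100.7", True),
        ("listed third-party source", "203.0.113.10", False),
    ]
    for label, ip, auth in cases:
        for method, rules in (("METHOD 1", METHOD_1), ("METHOD 2", METHOD_2)):
            print(f"{method} {label:26s} -> {evaluate(rules, 'alice@example.com', ip, auth)}")
```

The model shows the two points the answer makes: with METHOD 1 the listed third-party source is rejected like any spoofer, while METHOD 2 lets it through because the SPF record authorizes it; and if check_sender_access were placed before permit_mynetworks, your own relay hosts would hit the 550 as well.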
    

My environment already has an outward facing port (25) for incoming mail and another port (587) for authenticated sending.

In main.cf I have:

smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/sender-access

(I use pcre so I can use regexes)

Then in my /etc/postfix/sender-access I have:

/@example.com$/ REJECT 554 You may not send as example.com without authenticating.

(Replacing example.com with your own domain.)

But then I needed to override my 587 to not do the filtering -- so I added -o smtpd_sender_restrictions= to clear it.

So, in master.cf I now have:

# Incoming
25                        inet  n       -       n       -       -       smtpd
    -o mynetworks_style=host
    -o mynetworks=10.0.0.0/8
    -o milter_macro_daemon_name=ORIGIN_EXTERNAL

# TLS + authenticated submissions
587                       inet  n       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,defer
  -o milter_macro_daemon_name=ORIGIN_AUTH

(I suppose I could have done the reverse and cleared it in main.cf and set it in master.cf.)

To test, use 587 to send email to someone in your domain, then telnet to port 25 and see if you can hand spoof one:

$ telnet smtp.example.com 25
Trying 1.2.3.4...
Connected to smtp.example.com.
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
helo example.com
250 example.com
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
554 5.7.1 <[email protected]>: Sender address rejected: 554 You may not send as example.com without authenticating.
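The following script is an added example, not part of the answer above, that works through what this setup does without a live server: it reads the main.cf setting and the master.cf -o overrides to compute the effective smtpd_sender_restrictions for each port, then applies the pcre sender-access table to a few constructed envelope senders. It also adds a tightened pattern (my addition, not the answer's) because the posted regex leaves its dot unescaped and matches only the bare domain, so a subdomain sender is not caught; the assertions show both behaviours. Postfix applies these restrictions at RCPT TO by default (smtpd_delay_reject = yes), which is why the telnet session sees the 554 after rcpt to.

```python
"""Effective per-port smtpd_sender_restrictions after master.cf overrides, and
the pcre sender-access lookup applied on each port.  Added example; the files
below are constructed to mirror the answer (example.com is a placeholder)."""
import re

MAIN_CF = "smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/sender-access\n"

MASTER_CF = """\
# Incoming
25                        inet  n       -       n       -       -       smtpd
    -o mynetworks_style=host
    -o mynetworks=10.0.0.0/8
# TLS + authenticated submissions
587                       inet  n       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""

# The table as posted, and a tightened variant (added here) that escapes the dot
# and also covers subdomains of the protected domain.
TABLE_AS_POSTED = "/@example.com$/ REJECT 554 You may not send as example.com without authenticating.\n"
TABLE_TIGHTENED = "/@([^@]+\\.)?example\\.com$/ REJECT 554 You may not send as example.com without authenticating.\n"


def parse_main_cf(text):
    """key = value lines; indented lines continue the previous value."""
    settings, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            settings[last] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            last = key.strip()
            settings[last] = value.strip()
    return settings


def parse_master_cf(text):
    """Service lines -> {service: {"type", "command", "overrides"}}.
    An indented '-o key=value' line applies only to the service above it."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is not None and line.strip().startswith("-o"):
                key, _, value = line.strip()[2:].strip().partition("=")
                services[current]["overrides"][key.strip()] = value.strip()
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "overrides": {}}
    return services


def effective(main, master, service, key):
    """master.cf -o overrides win over main.cf; a bare '-o key=' yields ''."""
    return master[service]["overrides"].get(key, main.get(key, ""))


def parse_pcre_table(text):
    """/pattern/flags action.  Postfix pcre tables match case-insensitively
    unless the 'i' flag is given to toggle that off."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(.*)", line)
        if not m:
            raise ValueError("bad pcre table line: " + line)
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules


def lookup(rules, sender):
    """First matching rule wins, as in Postfix lookup tables."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None


def sender_verdict(main, master, table_text, service, sender):
    """What the given smtpd service does with an envelope sender."""
    restrictions = effective(main, master, service, "smtpd_sender_restrictions")
    if not restrictions:
        return "DUNNO"  # empty list: no sender checks on this port
    if restrictions.startswith("check_sender_access pcre:"):
        return lookup(parse_pcre_table(table_text), sender) or "DUNNO"
    raise NotImplementedError(restrictions)


if __name__ == "__main__":
    main, master = parse_main_cf(MAIN_CF), parse_master_cf(MASTER_CF)
    for service in ("25", "587"):
        print(f"port {service}: smtpd_sender_restrictions = "
              f"{effective(main, master, service, 'smtpd_sender_restrictions')!r}")
    for sender in ("bob@example.com", "bob@exampleXcom", "bob@mail.example.com", "bob@example.com.evil"):
        posted = sender_verdict(main, master, TABLE_AS_POSTED, "25", sender)
        tight = sender_verdict(main, master, TABLE_TIGHTENED, "25", sender)
        print(f"{sender:22s} posted: {posted[:10]:10s} tightened: {tight[:10]}")
```

Run it as a script to see the per-port result; the point to take away is that the -o override on 587 empties the list entirely, so the table is consulted only on port 25, and that the exact pattern you write decides which lookalike senders are rejected.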