Home / server / Questions / 321109
Accepted
Hongli Lai
Asked: 2011-10-14 03:02:52 +0800 CST

How to prevent remote hosts from delivering mail to Postfix with spoofed From header?

  • 772

I have a host, let's call it foo.com, on which I'm running Postfix on Debian. Postfix is currently configured to do these things:

  1. All mail with @foo.com as recipient is handled by this Postfix server. It forwards all such mail to my Gmail account. The firewall thus allows port 25.
  2. All mail with another domain as recipient is rejected.
  3. SPF records have been set up for the foo.com domain, saying that foo.com is the sole origin of all mail from @foo.com.
  4. Applications running on foo.com can connect to localhost:25 to deliver mail, with [email protected] as sender.

However I recently noticed that some spammers are able to send spam to me while passing the SPF checks. Upon further inspection, it looks like they connect to my Postfix server and then say

HELO bar.com
MAIL FROM:<[email protected]>     <---- this!
RCPT TO:<[email protected]>
DATA
From: "Buy Viagra" <[email protected]>   <--- and this!
...

How do I prevent this? I only want applications running on localhost to be able to say MAIL FROM:<[email protected]>. Here's my current config (main.cf): https://gist.github.com/1283647

smtp postfix

4 Answers

  1. Best Answer

    You need the smtpd_sender_restrictions to be:

    smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/notfromme

    and in /etc/postfix/notfromme you put

    foo.com REJECT

    then postmap /etc/postfix/notfromme and reload postfix.

    Done.

    • 5

  2. Here's my take on it:

    SPFv1 protects the envelope sender address (Return-Path), not the header sender address (From). In most cases (at least that I've seen) the header sender address (From) is spoofed (as foo.com) but that's not what SPFv1 is checking so therefore it passes.

    • 0

  3. if you keep the smtpd_delay_reject parameter set to the default of “yes”, then most of the restrictions can be rolled up into the recipient restrictions.

    smtpd_helo_required = yes 
smtpd_recipient_restrictions = 
                                your_permits (mynetworks, sasl, etc)
                                check_helo_access hash:/etc/postfix/helo_checks

    helo_checks file:

    # HELO'ing as being in our own domain(s)?
grokshop.tv             REJECT You are not in grokshop.tv
brackin.net             REJECT You are not in brackin.net

# HELO'ing with our IP address?
198.58.109.26           REJECT You are not 198.58.109.26

# HELO'ing as "localhost?"
localhost               REJECT You are not me

    Note: On my postfix smtp_delay_reject is set to "no" and it's work for me.

    Reference Link: https://grokshop.tv/stop-spam-with-postfix-email-server/

    • 0

  4. I think if you add:

    smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access,

    to your main.cf, and:

    foo.com REJECT

    to /etc/postfix/helo_access, followed by "postmap helo_access" and restarting postfix, that should mean anyone identifying themselves as "@foo.com" will be rejected straight out, UNLESS the connection is from the localhost in which case it will be permitted (due to permit_mynetworks ranking higher than check_helo_access).

    edit - actually, that probably wouldn't help in the case that someone identifies as "HELO randomhost.net" and then sends mail from @foo.com. What you need to implement is probably header_checks:

    http://www.postfix.org/header_checks.5.html http://www.postfix.org/BUILTIN_FILTER_README.html#remote_only

    Once you have header_checks configured for spotting @foo.com mails, you should be able to configure master.cf so that anything from localhost skips these checks, and only incoming mail from other systems is checked. Then when you receive an email from @foo.com from another Internet system, that should be discarded.

    • -1