On Wed, 30 Jul 2025, Matteo Bini wrote:
I really love your smtpd. I would like to find a way to avoid MAIL-FROM
and From header forgery.
First things first, MAIL-FROM forgery: these are my match directives.
How can I avoid people sending messages not from local, not
authenticated, to my domain?
General MAIL FROM authentication is provided by SPF - an add-on protocol
to SMTP. While your ideas can block simple things (spam from youself),
in general you need a plugin to verify any provided SPF.
Another simple filter is to block connections with invalid HELO.
That is part of SMTP - and opensmtpd SHOULD provide an option.
Invalid HELO is not dropped by default because there are far too
many clueless email admins at otherwise legit companies.
Examples of invalid HELO that trigger banning the IP on my server:
HELO 1.2.3.4 # NOTE: correct syntax would be [1.2.3.4]
HELO localhost # NOTE: HELO MUST be FQDN or raw ip
(Help me out - how do you enable rejecting connections with invalid
HELO?)
In addition, a valid HELO name MUST be the hostname of the MTA
(i.e. resolve to the connect ip). Again, a preponderance of clueless
make enforement problematic. The SPF protocol lets a sending domain
optionally declare strict MAIL FROM and HELO authentication in DNS.
You also mentioned validating From header. This is done by DKIM,
another add-on protocol to SMTP that again requires a plugin to validate.
I use opensmtpd only for p2p email, so someone else will have to
chime in for plugin recommendations. Also, I *would* like to get
familiar with the filter API and see if I can port my sendmail milter
stuff over.
