Re: Ok. I'm finding a small issue on my server.

Sun, 08 Jan 2012 06:16:53 -0800 

On 01/08/2012 08:19 AM, Peter wrote:

On 08/01/12 20:00, Bjørn Ruberg wrote:

On 01/08/2012 03:26 AM, Benny Pedersen wrote:

On Tue, 27 Dec 2011 08:22:47 +0100, Bjørn Ruberg wrote:

Be advised that if you plan to reject
*sender addresses* claiming to originate from your own domain, you
might break legitimate mails.

how ?

Mailing lists like this one, for instance. When you post to the
postfix-users list, your message is redistributed from the list's
servers having your address as the originating address. The message will
originate from outside of your systems but will have your From: address.
If you block this, you won't see your own postings to the list.

This is an excerpt from the headers in your e-mail:

  From: Benny Pedersen<m...@junc.org>
  To:<postfix-users@postfix.org>
  Subject: Re: Ok. I'm finding a small issue on my server.

This is a common misconception.  The envelope sender is not the same as
the From: header.  This is the envelope sender for your message (and
indeed for every message from this mailing list):

Return-Path:<owner-postfix-us...@postfix.org>
While your point is valid for envelope sender and this mailing list in particular, I can't seem to recollect that I specified the envelope sender vs header from, nor claimed they are the same. Nor did the OP say anything about which of those the OP wanted to check. When/if rejecting e-mails based on header from (e.g. using header_checks), I think my argument is valid.
When it comes to envelope sender, perhaps you can shed some light on whether this quote from http://linxnet.com/misc/postfix-anti-UCE.txt is also a "common misconception"? 

    Q5. Couldn't one do the same thing with check_sender_access
        (envelope-sender) as with the check_helo_access with regards to
        checking for somebody spoofing ones own domain?

    A5. Dangerous.  There are a number of scenarios where a sender from
        outside mynetworks might legitimately have an envelope-sender
        address in (one of) your domain(s).  E.g.:

        f...@yourdom.ain sends mail to j...@example.com

        But j...@example.com has, unknown to fred, a .forward pointing
        to j...@yourdom.ain

        That results in example.com's mailserver legitimately sending
        that email with yourdom.ain in the envelope-sender

        (Thanks a tip o' the hat to Andrew of SuperNews for pointing
         this gotcha out.)

--
Bjørn

Reply via email to