Hi,
"From:" is a value in the header, it is passed during DATA. You need to
build a script (for Postfix) to compare From: against sender=, sasl_sender=
(parameters in Postfix).
Explicit rejections are good for ISPs and legit senders, not for spammers.
If you return a SMTP rejection, the spammer will comply switching from
forged From: to correct one. In this case, is better to catch his email
based on content.
If you run a content filter, such as spamassassin, you can simply create a
(meta) rule comparing From: @your-domain.com against Return-path:
@your-domain.com.
It acts proactively, learning the spam content if the assigned score is =>
12. Assigning an extreme score (1000) helps tracking the accounts in the
logs and cleanup your system from unwanted accounts.
Assuming that the scope is to simply prevent users from sending forged
emails in "mail from:" SMTP command, here is an example:
smtpd_sender_restrictions =
...
reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/login_maps
cat /etc/postfix/login_maps
us...@domain1.com us...@domain1.com user1 admin
us...@domain1.com us...@domain1.com user2 admin
"admin" can send for everyone.
Marius.
-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Eliezer Croitoru
Sent: Monday, June 16, 2014 12:53 AM
To: postfix-users@postfix.org
Subject: Re: Before rushing into writing my own policy daemon for postfix,
what are the options?
On 06/15/2014 11:11 PM, li...@rhsoft.net wrote:
> what you describe is*the minimum* requirement of a sane MTA you must
> not allow senders you would not accept incoming messages and no -
> there are no exceptions for whatever user
I am not sure you understand it but there is little doubt we are talking
about the same thing or not.
The postix server is allowing for now to relay any email by from any email
if the user is locally authenticated.
Others are just blocked.
A local user can send as itself... and as otherusern...@google.com.
Other servers might not like it and will enforce SPF the same way this
server uses it.
I want to force only on authenticated users (since there are other automated
systems that rely on the service) a rule that will force them to only use
the local domains in the "From:" header of the mail body.
For now I enforce rate limiting and other means of enforcement on the
service usage to prevent and detect abnormal usage and abuse of the local
network SMTP relay service.(which works so good that people who abuse it are
stuck in one sec to more then 24 hours no matter if they scream shout or
anything else...)
For now the users and authenticate and send a mail as "u...@google.com"
or "u...@hotmail.com" since the SPF rules of these providers allow a SOFT
SPF enforcement.
I would like to harden the service one level up and not allow this unless
strictly allowed by the admin of the service not related to SPF.
Thanks,
Eliezer
