On 04 Aug 2014, at 20:45, Andre Luiz Paiz <andre.p...@iqm.unicamp.br> wrote:

> Quoting DTNX Postmaster <postmas...@dtnx.net>:
> 
>> On 04 Aug 2014, at 19:25, Andre Luiz Paiz <andre.p...@iqm.unicamp.br> wrote:
>> 
>>> I'm receiving some e-mails coming from outside with the FROM pointing to my 
>>> local domain. This causes confusion in my antispam tools.
>>> Ex: I received an e-mail from the internet with webmas...@iqm.unicamp.br 
>>> (which is my domain) as FROM. How can I make postfix accept incoming 
>>> e-mails from my domain (iqm.unicamp.br) only if they are sent from my SMTP 
>>> mail servers?
>>> 
>>> I do not use virtual domains. Single domain only.
>>> CentOS 6.5 with postfix 2.6.6
>>> 
>> You seem to have a rather extensive SPF record;
>> 
>> ==
>> $ dig +short txt iqm.unicamp.br
>> "v=spf1 ip4:143.106.51.0/24 ip4:143.106.113.190 ip4:143.106.10.1 
>> ip4:143.106.10.154 ip4:206.112.78.3 ip4:143.106.10.12 ip4:143.106.10.159 
>> ip4:143.106.161.133 ip4:186.202.4.42 a:faunus.unicamp.br a:pq.cnpq.br 
>> a:uranus.scholarone.com -all"
>> ==
>> 
>> I'd suggest you use that? You've already declared which servers are allowed 
>> to send, so you could use that to weed out any forgeries coming in from the 
>> outside.
>> 
>> Remember to do the SPF check after permitting SASL clients, if you have any;
>> 
>> http://www.postfix.org/postconf.5.html#permit_sasl_authenticated
>> 
>> Mvg,
>> Joni
>> 
>> 
> 
> Dear Joni,
> Thanks for your answer.
> 
> I use SpamAssassin to check SPF records for all external domains, because it 
> can apply scores to messages instead of blocking them. When I was blocking on SPF 
> records with errors, I received a lot of complaints about false positives.
> 
> I also fixed my SPF records. Thanks for that.

Block only on a 'Fail' result, not on 'Permerror' or 'Softfail'. Score 
everything else.

If someone gets blocked because their SPF record specifies '-all' and they're 
sending from outside the permitted set of servers; their problem, not yours.

> What do you suggest that I should do? I permit SASL authenticated only on the 
> submission port, but some servers in the internal network are allowed to 
> deliver messages on the default SMTP port (specified in the permit_mynetworks 
> variable).
> 
> Is there an alternative?

Yes;

http://www.postfix.org/postconf.5.html#check_sender_access

Create an access table that contains something akin to;

iqm.unicamp.br     REJECT sender address accepted from our own servers only

Put the restriction in 'smtpd_recipient_restrictions', after everything else. 
To be on the safe side, test it before going live with it, using 
'warn_if_reject';

http://www.postfix.org/postconf.5.html#warn_if_reject

And then throw some tests at it from a server that should be rejected, using 
swaks, or telnet. When you're satisfied that nothing is getting blocked that 
shouldn't be (check the logs for 'reject_warning'), remove the 
'warn_if_reject', and it should start blocking.

Mvg,
Joni
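As an added illustration (not from this thread or from Postfix itself), a small Python model of the restriction order recommended above: permit_mynetworks and permit_sasl_authenticated first, then reject_unauth_destination, then the check_sender_access rule, optionally under warn_if_reject. The 143.106.51.0/24 range is taken from the SPF record quoted earlier; the external client address, recipients and access-table contents are constructed.

```python
"""Simplified model of how Postfix walks smtpd_recipient_restrictions for the
sender-access rule discussed in the thread. Added example, not Postfix code;
network ranges, addresses and table contents are constructed."""
from typing import Optional, Tuple
import ipaddress

OUR_DOMAIN = "iqm.unicamp.br"            # single local domain, no virtual domains
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "143.106.51.0/24")]

# Sender access table (key -> action), as postmap would index it.
SENDER_ACCESS = {
    OUR_DOMAIN: "REJECT sender address accepted from our own servers only",
}

def sender_access_lookup(sender: str) -> Optional[str]:
    """check_sender_access lookup order: user@domain, then domain and its
    parent domains (default parent_domain_matches_subdomains), then user@."""
    local, _, domain = sender.rpartition("@")
    if sender in SENDER_ACCESS:
        return SENDER_ACCESS[sender]
    labels = domain.split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return SENDER_ACCESS.get(local + "@")

def evaluate(client_ip: str, sasl_authenticated: bool, sender: str,
             recipient: str, warn_only: bool = False) -> Tuple[str, Optional[str]]:
    """Return (decision, log_note) for the order: permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    [warn_if_reject] check_sender_access, permit."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):          # permit_mynetworks
        return "PERMIT", None
    if sasl_authenticated:                            # permit_sasl_authenticated
        return "PERMIT", None
    if recipient.rpartition("@")[2] != OUR_DOMAIN:    # reject_unauth_destination
        return "REJECT Relay access denied", None
    action = sender_access_lookup(sender)             # check_sender_access
    if action and action.startswith("REJECT"):
        if warn_only:    # warn_if_reject: log 'reject_warning', keep going
            return "PERMIT", "reject_warning: " + action
        return action, None
    return "PERMIT", None
```

Run the forged-sender case once with warn_only=True to see the log note you would grep for, and once without it to see the reject that replaces it.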
