> /.*@mydomain.tld/ REJECT
The leading .* is not needed. You should escape the period before tld (\.).
You can also send a message:
/@.*example\.com$/ REJECT You are not me (40,000).
This works for me. Note: I'm using pcre instead of regexp.
Bill
On 10/15/2017 1:04 PM, Dominic Raferd wrote:
On 15 October 2017 at 17:34, Gerben Wierda <gerben.wie...@rna.nl> wrote:
My main restrictions in main.cf are (on macOS Server)
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated reject_unauth_pipelining
    reject_non_fqdn_recipient permit_mynetworks reject_unauth_destination
    reject_unlisted_recipient
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
    check_policy_service unix:private/policy
    permit
Rbl and greylisting help to filter out most spam attempts. I have to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain.
But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail?
You could add your domain to /Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders as a reject:
/.*@mydomain.tld/ REJECT
Any sender purporting to be from your domain but not authenticated should be blocked by this. Authenticated senders will not be touched by this because they are already approved by permit_sasl_authenticated.
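
Added example (not part of the original thread): a Python approximation of how a Postfix regexp/pcre access table evaluates the pattern as first posted, compared with one that drops the leading .*, escapes the period and anchors with $. The table contents, function names and sample addresses are constructed for illustration; check a real table with postmap -q.

```python
import re

# Constructed tables: each entry is (pattern, action), as in a Postfix
# regexp:/pcre: access table. mydomain.tld is the thread's placeholder domain.
TABLE_AS_POSTED = [(r".*@mydomain.tld", "REJECT")]
TABLE_TIGHTENED = [(r"@mydomain\.tld$", "REJECT")]


def lookup(table, sender):
    """Return the action of the first matching pattern, or None (no result).

    Approximates Postfix regexp/pcre table behaviour: the whole address is
    the search string, matching is case-insensitive by default and
    unanchored unless the pattern anchors itself, and the first match wins.
    """
    for pattern, action in table:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


# Constructed envelope sender (MAIL FROM) values.
SAMPLES = [
    "me@mydomain.tld",           # forged own-domain sender: should be rejected
    "Me@MyDomain.TLD",           # same address, different case
    "bob@mydomain-tld.example",  # unrelated domain: unescaped '.' matches '-'
    "bob@mydomain.tld.example",  # unrelated domain: matches without '$'
    "alice@example.org",         # unrelated domain: never matches
]


def report():
    """Map each sample to (action from posted table, action from tightened table)."""
    return {
        s: (lookup(TABLE_AS_POSTED, s), lookup(TABLE_TIGHTENED, s))
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sender, (posted, tightened) in report().items():
        print(f"{sender:26} posted={posted!s:7} tightened={tightened}")
```

The two tables agree on the own-domain senders; they differ only on the look-alike domains, which the unescaped, unanchored pattern would also reject.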