On 22 Mar 2019, at 19:19, Christian Schmitz wrote:

Hi everyone:
        I have a small mail server with few email accounts. The server is:
Opensuse/Postfix/apache

Today I received a phishing email. The words more or less say that I was hacked, that he knows my passwords, blah blah blah, and I must pay in bitcoins. The email content is 100% phishing and no real hacking, for several reasons:
        list@XXX was only created for mailing lists and no other usage
        I have no webcam
        The hacker did not use SASL to get real use of my account.
        For forum/website registrations I use mailinator.com

The curious thing is that the email at first seems to be written from me to myself. If my email is list@xxx, the email says it is from list@xxx.

So I started a little investigation of the log file, and it all seems that the "hacker" does not know the passwords, because the mailer was not SASL authenticated, so the "hacker" simply spoofed the FROM field:

1) First question: how can I filter the spoofed emails? In other words, if the sender is not authorized to send as list@xxx because this email is managed by ME

Do not accept mail claiming to be from any address in a local domain on the port 25 (smtp) smtpd service. Only accept such mail via port 587 (submission) and 465 (smtps) services configured to require authentication.


2) Second question: how can I adjust the sender policy to block soft fail SPF?

That would be a very dangerous thing to do. SPF 'soft fail' is not intended to be used that way and it is used instead of 'hard fail' because the domain owner does NOT want receivers to reject non-passing messages absolutely.

Postfix itself does not directly support SPF. Whatever you are using for SPF checking would be an external tool: a policy daemon, smtp proxy filter, or milter. The log entries you posted are too mangled for me to recognize what tool you are using to check SPF.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
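
The log check described in the question above (did a message carrying a local sender address arrive with SASL authentication?), as an added example that is not part of the original thread. The log lines are constructed in standard Postfix syslog format, `example.org` stands in for the local domain, and the function name is hypothetical.

```python
import re

# Constructed sample lines in standard Postfix syslog format (not the poster's logs).
# example.org stands in for the local domain.
SAMPLE_LOG = """\
Mar 22 18:01:10 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7]
Mar 22 18:01:11 mx postfix/qmgr[990]: 4A1B2C3D4E: from=<list@example.org>, size=2310, nrcpt=1 (queue active)
Mar 22 18:05:42 mx postfix/submission/smtpd[2140]: 5F6A7B8C9D: client=dsl.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=list@example.org
Mar 22 18:05:43 mx postfix/qmgr[990]: 5F6A7B8C9D: from=<list@example.org>, size=812, nrcpt=1 (queue active)
Mar 22 18:09:00 mx postfix/smtpd[2166]: 6E5D4C3B2A: client=mail.example.com[192.0.2.55]
Mar 22 18:09:01 mx postfix/qmgr[990]: 6E5D4C3B2A: from=<someone@example.com>, size=1500, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client (and the SASL login, if any) per queue ID;
# submission services log as postfix/submission/smtpd.
CLIENT_RE = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (\w+): client=([^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(\S+)")
# qmgr logs the envelope sender (MAIL FROM) for the same queue ID.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def unauthenticated_local_senders(log_text, local_domains):
    """Return (queue_id, envelope_sender, client) for SMTP-received mail whose
    envelope sender is in a local domain but whose session had no SASL login."""
    sessions = {}  # queue ID -> (client, sasl_username or None)
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            sasl = SASL_RE.search(line)
            sessions[m.group(1)] = (m.group(2), sasl.group(1) if sasl else None)
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in sessions:
            client, sasl_user = sessions.pop(m.group(1))
            domain = m.group(2).rpartition("@")[2].lower()
            if domain in local_domains and sasl_user is None:
                findings.append((m.group(1), m.group(2), client))
    return findings


if __name__ == "__main__":
    for qid, sender, client in unauthenticated_local_senders(SAMPLE_LOG, {"example.org"}):
        print(f"{qid}: {sender} from {client} without SASL")
```

This only sees the envelope sender that Postfix logs; a forged `From:` header with a different envelope sender does not appear in these log lines. Clients that are allowed to relay without authentication will also be listed and need to be excluded by hand.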
