On 2021-07-02 at 10:46:07 UTC-0400 (Fri, 2 Jul 2021 16:46:07 +0200)
Marek Kozlowski <[email protected]>
is rumored to have said:

:-)

I'd like to disable any mail from 'my.domain' from external networks and non-authenticated users. For envelope addresses my solution works and is as follows:

At first bind valid addresses with their owners:

smtpd_sender_restrictions =
        ...
        reject_sender_login_mismatch,
        ...

But this setting works for existing addresses only. That means that mail from:
[email protected] still won't be rejected here.

So the second restriction is:

list1 = check_client_access hash:/etc/postfix/list_of_my_networks, reject

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/file1,
        ...

/etc/postfix/file1:
my.domain list1

/etc/postfix/list_of_my_networks
1.2 OK
3.4 OK

You've already got 'permit_mynetworks' ahead of this, so why the complexity?

The best practice in the modern world is to have your legitimate users connect via port 465 (TLS-wrapped) or port 587 (STARTTLS) and authenticate. With that in place, you can disable authentication on port 25 and just reject anyone on port 25 claiming to be one of your users in the envelope. It is also best to not use 'permit_mynetworks' unless you have to support senders who cannot do authentication on a submission port.

I'm not sure if it's the simplest solution but it works fine... for the envelope. I'm wondering if I could apply the same during the DATA phase for the 'from:' field? Would be nice if you could do that similarly without involving any other filters / milters. Is it possible?

You COULD use header_checks IF you are willing to force all submission to submission ports, but I don't recommend it. Unless you are willing to forbid your users from submitting mail to mailing lists such as this one which send messages back with the From header unmodified, you will need something like a before-queue body filter (i.e. a milter) to do more complicated logic to determine which might be valid uses of your domain in a From header. This is part of what DMARC was designed to fix but it really hasn't done so, rather it has broken a lot of mailing lists.


--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
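As an added example (not posted by either participant above), here is one way to lay out the split Bill describes: port 25 carries inbound MTA traffic only, with SASL off and any envelope sender in your own domain rejected outright, while ports 587 and 465 require authentication and use smtpd_sender_login_maps to tie each login to the addresses it may use. The domain my.domain, the logins alice and bob, and the map file paths are placeholders; the parameter and restriction names are Postfix's own.

```ini
# main.cf -- applies to the port-25 smtpd (inbound MTA traffic only).
# SASL stays off here, so any MAIL FROM in my.domain is a forgery by
# definition and is rejected without needing a sender-login lookup.
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/reject_own_domain,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_recipient_restrictions =
        reject_unauth_destination

# Which SASL login may use which envelope sender. Only consulted where
# reject_sender_login_mismatch is listed, i.e. on the submission ports.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# /etc/postfix/reject_own_domain (run "postmap" after editing). With the
# default parent_domain_matches_subdomains this key also matches subdomains.
#   my.domain   REJECT Authenticate on port 587 or 465 to send as my.domain

# /etc/postfix/sender_login_maps (run "postmap" after editing).
# A logged-in user may only send as an address mapped to their login.
#   alice@my.domain   alice
#   sales@my.domain   alice, bob

# master.cf -- submission services. Every restriction list is overridden
# per service, so the port-25 policy above never applies to authenticated
# users. reject_sender_login_mismatch must come before
# permit_sasl_authenticated, or it is never evaluated for logged-in clients.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With this layout there is no need for a client-access list of trusted networks or for permit_mynetworks on port 25: a forged MAIL FROM in my.domain is refused regardless of source, and an address that exists nowhere in the login map cannot be claimed by an external client. As Bill notes, all of this is envelope-only; nothing here inspects the From: header.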
