Re: Block auth senders using other domains
On 2021-05-13 17:52, Dominic Raferd wrote:
> Understood. Good thinking but yes I cover this in my existing setup. I was thinking there must be a simpler way but no worries...

header From: can only be protected with dkim, and not by signing all forged domains that pass the mailserver. A good example is when mailservers resign mail in transfer; it breaks more than just arc sealing mail in transfer before dkim is broken.

The postfix maillist has no spf, no dkim breakage, so spf will get spf none, spf helo none, but in dkim signed mail dkim pass, and if dmarc on header from, dmarc pass.

If just other maillist servers did this, it would not be needed with openarc, opendmarc.
Re: Block auth senders using other domains
On 2021-05-13 17:12, Matus UHLAR - fantomas wrote:
> you can use check_sender_access and list wildcards in allowed from domains.

It's safe to reject local domains as envelope senders on inbound port 25; I do not receive forged mail for my local domains there.

Poor man's spf check without spf.
Re: Block auth senders using other domains
On 13/05/2021 16:12, Matus UHLAR - fantomas wrote:
> On 13.05.21 12:12, Dominic Raferd wrote:
>> But it doesn't stop them sending from a different domain that is not listed in my virtual_alias_domains, such as f...@gmail.com. Currently I stop this with my own check_sender_access file (in an smtpd restriction list applied only to auth emails) that DUNNOs my domains and then REJECTs all others. I feel there is (or ought to be) a way of achieving this that does not require creating a bespoke file/entry. I see 'reject_unknown_sender_domain' but it does not match my use case, and I cannot use 'reject_sender_login_mismatch' because some users need to be able to send from >1 name (all @mydomain) but using 1 login. I think I want 'reject_unlisted_sender_domain' (which does not exist).
>
> On 13/05/2021 12:26, Matus UHLAR - fantomas wrote:
>> you can allow logins/senders with smtpd_sender_login_maps and after that disable sender - only what you allow as sender will be accepted.
>
> On 13.05.21 13:00, Dominic Raferd wrote:
>> Thanks but won't that have the same problem as 'reject_sender_login_mismatch'? I need to allow them to send from any 'legit' name@mydomain (not just their login name) but not from any name@wilddomain.
>
> Oh yes, sorry.
>
> you can use check_sender_access and list wildcards in allowed from domains.
>
> Note that all of these apply for (envelope) mail from:, not header From:
> You probably could check headers with header_checks but that one could be cheated e.g. using multiple From: headers or tricking From: to look like having multiple addresses.
>
> And, of course, this is applicable for all mail received by the same means e.g. on submission/smtps port.

Understood. Good thinking but yes I cover this in my existing setup. I was thinking there must be a simpler way but no worries...
Re: Block auth senders using other domains
On 13.05.21 12:12, Dominic Raferd wrote:
> But it doesn't stop them sending from a different domain that is not listed in my virtual_alias_domains, such as f...@gmail.com. Currently I stop this with my own check_sender_access file (in an smtpd restriction list applied only to auth emails) that DUNNOs my domains and then REJECTs all others. I feel there is (or ought to be) a way of achieving this that does not require creating a bespoke file/entry. I see 'reject_unknown_sender_domain' but it does not match my use case, and I cannot use 'reject_sender_login_mismatch' because some users need to be able to send from >1 name (all @mydomain) but using 1 login. I think I want 'reject_unlisted_sender_domain' (which does not exist).

On 13/05/2021 12:26, Matus UHLAR - fantomas wrote:
> you can allow logins/senders with smtpd_sender_login_maps and after that disable sender - only what you allow as sender will be accepted.

On 13.05.21 13:00, Dominic Raferd wrote:
> Thanks but won't that have the same problem as 'reject_sender_login_mismatch'? I need to allow them to send from any 'legit' name@mydomain (not just their login name) but not from any name@wilddomain.

Oh yes, sorry.

you can use check_sender_access and list wildcards in allowed from domains.

Note that all of these apply for (envelope) mail from:, not header From:
You probably could check headers with header_checks but that one could be cheated e.g. using multiple From: headers or tricking From: to look like having multiple addresses.

And, of course, this is applicable for all mail received by the same means e.g. on submission/smtps port.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)
Re: Block auth senders using other domains
On 13/05/2021 12:26, Matus UHLAR - fantomas wrote:
> On 13.05.21 12:12, Dominic Raferd wrote:
>> But it doesn't stop them sending from a different domain that is not listed in my virtual_alias_domains, such as f...@gmail.com. Currently I stop this with my own check_sender_access file (in an smtpd restriction list applied only to auth emails) that DUNNOs my domains and then REJECTs all others. I feel there is (or ought to be) a way of achieving this that does not require creating a bespoke file/entry. I see 'reject_unknown_sender_domain' but it does not match my use case, and I cannot use 'reject_sender_login_mismatch' because some users need to be able to send from >1 name (all @mydomain) but using 1 login. I think I want 'reject_unlisted_sender_domain' (which does not exist).
>
> you can allow logins/senders with smtpd_sender_login_maps and after that disable sender - only what you allow as sender will be accepted.

Thanks but won't that have the same problem as 'reject_sender_login_mismatch'? I need to allow them to send from any 'legit' name@mydomain (not just their login name) but not from any name@wilddomain.
Re: Block auth senders using other domains
On 13.05.21 12:12, Dominic Raferd wrote:
> But it doesn't stop them sending from a different domain that is not listed in my virtual_alias_domains, such as f...@gmail.com. Currently I stop this with my own check_sender_access file (in an smtpd restriction list applied only to auth emails) that DUNNOs my domains and then REJECTs all others. I feel there is (or ought to be) a way of achieving this that does not require creating a bespoke file/entry. I see 'reject_unknown_sender_domain' but it does not match my use case, and I cannot use 'reject_sender_login_mismatch' because some users need to be able to send from >1 name (all @mydomain) but using 1 login. I think I want 'reject_unlisted_sender_domain' (which does not exist).

you can allow logins/senders with smtpd_sender_login_maps and after that disable sender - only what you allow as sender will be accepted.
Block auth senders using other domains
My domains are listed in virtual_alias_domains and my legit senders/recipients in virtual_alias_maps.

I recently discovered the 'reject_unlisted_sender' option which successfully prevents (auth) senders from sending from an unknown name@mydomain. For instance f...@timedicer.co.uk is blocked as a sender. This is much simpler than my previous approach to this problem.

But it doesn't stop them sending from a different domain that is not listed in my virtual_alias_domains, such as f...@gmail.com. Currently I stop this with my own check_sender_access file (in an smtpd restriction list applied only to auth emails) that DUNNOs my domains and then REJECTs all others.

I feel there is (or ought to be) a way of achieving this that does not require creating a bespoke file/entry. I see 'reject_unknown_sender_domain' but it does not match my use case, and I cannot use 'reject_sender_login_mismatch' because some users need to be able to send from >1 name (all @mydomain) but using 1 login. I think I want 'reject_unlisted_sender_domain' (which does not exist).

Am I missing something?
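One way to wire up the restriction described in this thread, written here as an added example and not the poster's own configuration: it assumes example.com and example.net stand in for the domains in virtual_alias_domains, a submission service in master.cf for authenticated clients, and uses only the Postfix parameters the thread names (reject_unlisted_sender, check_sender_access).

```ini
# --- master.cf: submission service, so the strict sender policy applies
# only to authenticated clients and never to inbound port 25
# (constructed example; service columns follow the stock master.cf layout)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- main.cf
# Restrictions are evaluated in order at MAIL FROM and look at the
# envelope sender only; header From: is not inspected by either check.
mua_sender_restrictions =
    reject_unlisted_sender,
    check_sender_access hash:/etc/postfix/auth_sender_domains,
    reject

# --- /etc/postfix/auth_sender_domains  (then run: postmap /etc/postfix/auth_sender_domains)
# A bare domain key matches any local part at that domain (and, with the
# default parent_domain_matches_subdomains, its subdomains). DUNNO lets
# name@example.com fall through to the next restriction; reject_unlisted_sender
# has already confirmed the local part exists in virtual_alias_maps. Any
# other domain finds no entry and hits the final "reject" above.
example.com     DUNNO
example.net     DUNNO
```

The result is the behaviour the thread describes: a valid name@mydomain from any login is accepted, an unknown name@mydomain is stopped by reject_unlisted_sender, and name@wilddomain is stopped by the trailing reject.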