Re: ..::Spoofing Issues::..

2010-10-06 Thread Noel Butler
On Wed, 2010-10-06 at 12:13 +1100, James Gray wrote:


  We've used it for years, had very little complaints, maybe half a
  dozen in all that time. 
  SPF is a must use IMHO, and by use of  -all ...  providing you
  configure your DNS correctly.
  
 
 
 
 ...and then a user puts in a .forward file (or equivalent) to send
 mail to another address.  Now SPF is broken on the forwarded account
 as your mail server very likely doesn't have an SPF record for the
 original sender.  Ooops - SPF is broken in these 


Either it's too early in the day, or what you typed makes
no sense. How do you think mailing lists continue to work?
Granted, with M$'s spf2 implementation (RFC 4406 IIRC) it does break,
but not utilising RFC 4408.
As I said, I've used it for years and years and I'm happy with its
results, YMMV of course which is why you are anti.



Re: ..::Spoofing Issues::..

2010-10-05 Thread mouss

 On 04/10/2010 23:16, Alfonso Alejandro Reyes Jimenez wrote:


Thanks for your help, right now we use sasl auth and it works very well.

If they set up, for example, a gmail account and then change the gmail 
address for some user on the postfix domain, postfix delivers that email.


I don't want to accept emails from our domain in our server if they 
don't belong to my networks or they are authenticated.


For example if you set up your outlook to send an email from 
u...@domain.com using gmail as smtp relay, I 
want my postfix to drop that email because it is coming from another 
smtp server.


I hope this example helps.




I already answered your question. Reread my post and go to the end 
(bottom) of the message.




Re: ..::Spoofing Issues::..

2010-10-05 Thread James Gray

On 06/10/2010, at 9:37 AM, Noel Butler wrote:

 On Tue, 2010-10-05 at 23:46 +0200, mouss wrote:
 On 04/10/2010 23:03, Terry Gilsenan wrote: 
 Configure postfix to use SPF, and setup an SPF record in DNS for that 
 domain.
 
 
 then what? you reject mail because of spf fail? that would lead to false 
 positives...
 
 
 
 We've used it for years, had very little complaints, maybe half a dozen in 
 all that time. 
 SPF is a must use IMHO, and by use of  -all ...  providing you configure 
 your DNS correctly.

...and then a user puts in a .forward file (or equivalent) to send mail to 
another address.  Now SPF is broken on the forwarded account as your mail 
server very likely doesn't have an SPF record for the original sender.  Ooops - 
SPF is broken in these situations and therefore can't be used to arbitrarily 
reject messages on SPF failures.  The best it can do is be added as a heuristic 
to an overall message evaluation (spamassassin et al).

Cheers,

James



Re: ..::Spoofing Issues::..

2010-10-05 Thread John Peach
On Wed, 6 Oct 2010 12:13:25 +1100
James Gray ja...@gray.net.au wrote:

 
 On 06/10/2010, at 9:37 AM, Noel Butler wrote:
 
  On Tue, 2010-10-05 at 23:46 +0200, mouss wrote:
  On 04/10/2010 23:03, Terry Gilsenan wrote: 
  Configure postfix to use SPF, and setup an SPF record in DNS for that 
  domain.
  
  
  then what? you reject mail because of spf fail? that would lead to false 
  positives...
  
  
  
  We've used it for years, had very little complaints, maybe half a dozen in 
  all that time. 
  SPF is a must use IMHO, and by use of  -all ...  providing you 
  configure your DNS correctly.
 
 ...and then a user puts in a .forward file (or equivalent) to send mail to 
 another address.  Now SPF is broken on the forwarded account as your mail 
 server very likely doesn't have an SPF record for the original sender.  Ooops 
 - SPF is broken in these situations and therefore can't be used to 
 arbitrarily reject messages on SPF failures.  The best it can do is be added 
 as a heuristic to an overall message evaluation (spamassassin et al).

We neither publish nor use SPF records; broken by design.

 
 Cheers,
 
 James

-- 
John


Re: ..::Spoofing Issues::..

2010-10-05 Thread James Gray

On 06/10/2010, at 12:17 PM, John Peach wrote:

 On Wed, 6 Oct 2010 12:13:25 +1100
 James Gray ja...@gray.net.au wrote:
 
 
 On 06/10/2010, at 9:37 AM, Noel Butler wrote:
 
 On Tue, 2010-10-05 at 23:46 +0200, mouss wrote:
 On 04/10/2010 23:03, Terry Gilsenan wrote: 
 Configure postfix to use SPF, and setup an SPF record in DNS for that 
 domain.
 
 
 then what? you reject mail because of spf fail? that would lead to false 
 positives...
 
 
 
 We've used it for years, had very little complaints, maybe half a dozen in 
 all that time. 
 SPF is a must use IMHO, and by use of  -all ...  providing you 
 configure your DNS correctly.
 
 ...and then a user puts in a .forward file (or equivalent) to send mail to 
 another address.  Now SPF is broken on the forwarded account as your mail 
 server very likely doesn't have an SPF record for the original sender.  
 Ooops - SPF is broken in these situations and therefore can't be used to 
 arbitrarily reject messages on SPF failures.  The best it can do is be added 
 as a heuristic to an overall message evaluation (spamassassin et al).
 
 We neither publish nor use SPF records; broken by design.


Hi John,

Agreed - sorry about the wording in my previous.  I didn't want it to sound 
like your mail system specifically.  No offence intended.

Cheers,

James



Re: ..::Spoofing Issues::..

2010-10-04 Thread Jeroen Geilman

On 10/04/2010 09:37 PM, Alfonso Alejandro Reyes Jimenez wrote:


Hi, everyone.

I have an issue with some users that are spoofing our mail server,



Spoofing what ? how ?

Proper configuration and a submission setup can prevent sender domain 
spoofing.


HELO spoofing can be limited or eliminated, if you wish.



right now we can restrict the spoofing on the same server.

But if they use another smtp server pretending that they are on our 
domain they can send those emails.


I used to work with websense which can be configured to get only mails 
from the users and ip address that belong to the domain, is there some 
way to tell postfix that it owns the domain mycompany.com and that it 
rejects everything that pretends to be the same domain?




Certainly, although this is not necessarily a good idea - how will 
remote users send mail ?


Using SASL submission with restricted senders is a common scenario, and 
anything in $mynetworks should be trusted by you anyway.



Or any other idea to prevent the outside spoofing?



If you mean sender domain spoofing, yes, quite trivial: set up proper 
mail submission, and deny anything else.


--
J.



Re: ..::Spoofing Issues::..

2010-10-04 Thread mouss

 On 04/10/2010 21:37, Alfonso Alejandro Reyes Jimenez wrote:


Hi, everyone.

I have an issue with some users that are spoofing our mail server, 
right now we can restrict the spoofing on the same server.


But if they use another smtp server pretending that they are on our 
domain they can send those emails.




That's a FEATURE in smtp...

I used to work with websense which can be configured to get only mails 
from the users and ip address that belong to the domain, is there some 
way to tell postfix that it owns the domain mycompany.com and that it 
rejects everything that pretends to be the same domain?


Or any other idea to prevent the outside spoofing?




you can certainly do

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender


== access_sender:
mydomain.example     REJECT blah blah
.mydomain.example    REJECT blah blah
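
An added illustration, not part of the original post and not Postfix's own code: a simplified model of how the restriction list above is walked in order, with the first decisive result winning. The network range, the local domain and the sample sessions are constructed for the example, and the access-map lookup handles only the domain and .domain keys shown above.

```python
import ipaddress

# Constructed values (assumptions) standing in for main.cf and the access map.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"mydomain.example"}
ACCESS_SENDER = {"mydomain.example": "REJECT", ".mydomain.example": "REJECT"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def sender_access(sender):
    """Look up the sender domain, then each '.parent' key for subdomains."""
    domain = domain_of(sender)
    if domain in ACCESS_SENDER:
        return ACCESS_SENDER[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in ACCESS_SENDER:
            return ACCESS_SENDER[key]
    return None


def evaluate(client_ip, sasl_user, sender, recipient):
    """Apply the four restrictions in the listed order."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "PERMIT (permit_mynetworks)"
    if sasl_user:
        return "PERMIT (permit_sasl_authenticated)"
    if domain_of(recipient) not in LOCAL_DOMAINS:
        return "REJECT (reject_unauth_destination)"
    if sender_access(sender) == "REJECT":
        return "REJECT (check_sender_access)"
    return "PERMIT (end of list)"


if __name__ == "__main__":
    # Outside client, not authenticated, claiming a local sender address.
    print(evaluate("203.0.113.9", None,
                   "alice@mydomain.example", "bob@mydomain.example"))
```

Because the two permit rules come first, internal clients and authenticated users never reach the sender check; only unauthenticated outside clients using the local domain as sender are refused.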



RE: ..::Spoofing Issues::..

2010-10-04 Thread Alfonso Alejandro Reyes Jimenez
Thanks for your help, right now we use sasl auth and it works very well.

If they set up, for example, a gmail account and then change the gmail address for 
some user on the postfix domain, postfix delivers that email.

I don't want to accept emails from our domain in our server if they don't 
belong to my networks or they are authenticated.

For example if you set up your outlook to send an email from u...@domain.com 
using gmail as smtp relay, I want my postfix to drop that email because it is 
coming from another smtp server.

 

I hope this example helps.

 

Regards.

Ing. Alfonso Alejandro Reyes Jiménez
  Government Sector Analyst

E-mail: aare...@scitum.com.mx
Phone: 91 50 74 00 ext. 7489
Mobile: (044) 55 52 98 34 82

 


 

 

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On 
behalf of mouss
Sent: Monday, 04 October 2010 03:48 p.m.
To: postfix-users@postfix.org
Subject: Re: ..::Spoofing Issues::..

On 04/10/2010 21:37, Alfonso Alejandro Reyes Jimenez wrote: 

Hi, everyone.

 

I have an issue with some users that are spoofing our mail server, right now we 
can restrict the spoofing on the same server.

But if they use another smtp server pretending that they are on our domain 
they can send those emails.


That's a FEATURE in smtp...




 

I used to work with websense which can be configured to get only mails from the 
users and ip address that belong to the domain, is there some way to tell 
postfix that it owns the domain mycompany.com and that it rejects everything that 
pretends to be the same domain?

 

Or any other idea to prevent the outside spoofing?

 


you can certainly do

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender


== access_sender:
mydomain.example     REJECT blah blah
.mydomain.example    REJECT blah blah
