On 09.12.2015 at 15:44, Alex wrote:
T_SPF_PERMERROR says pretty clear that you made something wrong
why do people not *verify* DNS changes?
seen the same from a lot of large companies
http://www.kitterman.com/spf/validate.html

+1 for the Kitterman checking tool - still my first stop for SPF checking. I recently found out about another: https://dmarcian.com/spf-survey/ which is also worth using.

Yes, I'm aware of this site. Perhaps I shouldn't have introduced the T_SPF_PERMERROR issue because it's not really my main problem, and doesn't even occur on my own domain. I wish I could post my domain, but I can't.

My main problem is understanding how to build a rule to block spoofing attempts against my own domain? Do I need to build a meta that combines envelope FROM with SPF_FAIL?

first: spoofing protection is *only* about envelope and not about the visible From-header (spoofing protection based on the header kills mailing-lists and even big players like Barracuda Networks were dumb enough because customers complained 'but i still get spoofed mails, look at my client' instead of explaining to them that it's not possible)

second: spoofing protection belongs in the MTA long before spamassassin

why?
* you already have on the MTA a list of domains to accept mail for
* spoofing protection has *nothing* to do with SPF

smtpd_recipient_restrictions = reject_unlisted_recipient
 reject_unauth_destination
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_non_fqdn_helo_hostname
 reject_invalid_helo_hostname
 check_sender_access hash:/etc/postfix/spoofing_protection.cf

/etc/postfix/spoofing_protection.cf:
domain1 REJECT Sender Spoofed
domain2 REJECT Sender Spoofed
domain3 REJECT Sender Spoofed
___________________________________________________________

in short: you take the script which generates "mydestination.cf" and let it spit out the other file, writing "REJECT" instead of "OK"

mydestination = hash:/etc/postfix/mydestination.cf

/etc/postfix/mydestination.cf:
domain1 OK
domain2 OK
domain3 OK
___________________________________________________________

before some dumbass now says "the world is not postfix alone": the principle is the same for every MTA and some things belong to the MTA layer and not in the content filter
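
The "one script, two files" step described in the message, as an added example that is not part of the original post or the poster's own script: it derives the sender access map from an existing mydestination.cf. The function name gen_spoof_map is hypothetical, and the input is assumed to hold one domain per line followed by OK, as shown in the message.

```shell
#!/bin/sh
# Added example (not from the original post).
# gen_spoof_map SRC DST
#   SRC: mydestination-style table, "domain OK" per line (format from the post)
#   DST: check_sender_access table, "domain REJECT Sender Spoofed" per line
# The function name and the validation rules are assumptions of this example.
gen_spoof_map() {
    src=$1
    dst=$2
    # Build in a temp file next to DST so a failed run never leaves a
    # half-written access map behind.
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    awk '
        /^[ \t]*(#|$)/ { next }   # comments and blank lines
        /^[ \t]/       { next }   # continuation of the previous entry
        { d = tolower($1) }       # table keys are matched in lower case
        d !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ {
            # Anything that is not a plain domain name is skipped, loudly.
            printf "skipping invalid key: %s\n", $1 > "/dev/stderr"
            next
        }
        !seen[d]++ { printf "%s\tREJECT Sender Spoofed\n", d }
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install an empty map: that would silently switch the
    # spoofing protection off.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "gen_spoof_map: no domains found in $src" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$dst"
}

# Typical use with the paths from the message, followed by rebuilding
# the lookup table:
#   gen_spoof_map /etc/postfix/mydestination.cf /etc/postfix/spoofing_protection.cf
#   postmap hash:/etc/postfix/spoofing_protection.cf
```

The restriction list as posted has no permit_mynetworks or permit_sasl_authenticated ahead of check_sender_access, so it fits an inbound MX. Where the same smtpd also accepts authenticated submission, those permits need to come before the lookup or local users' own mail is rejected too.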