
List:       postfix-users
Subject:    Re: Dropping email purporting to be from my domain received from the Internet
From:       Allen Coates <znabble () cidercounty ! org ! uk>
Date:       2020-05-30 12:40:53
Message-ID: e3277353-42ff-1c3b-9896-77ab2ea0f003 () cidercounty ! org ! uk

On 30/05/2020 00:58, Scott A. Wozny wrote:
> In my hypothetical environment, I have an external and an internal relay on
> either side of a firewall. I want to configure the external system to relay
> both 1) email received from the internal relay to the Internet and 2) email
> received from the Internet to the internal relay (as long as the recipient is on
> my domain). This seems fairly straightforward to accomplish with a combination
> of mynetworks, relay_domains and relayhost or transport_maps configurations.
> 
> 
> Something I would like to drop, though, is email received from the Internet that
> has an address in the MAIL FROM on my domain but ONLY if received from the
> Internet (since it’s a core function of this relay to take identical messages
> relayed from the internal relay bound for Internet mail servers).
> 
> 
> I’ve been going through smtpd_sender_restrictions options looking for something
> that fits the bill here, but I can’t seem to find anything that allows me to
> distinguish actions based upon whether or not the sender is not in my_networks
> (making them subject to “stranger rules” which include not sending FROM my domain).
> 
> 
> Is this something that’s relatively straightforward to configure in Postfix or
> do I need a more advanced anti-spam tool to get the configuration flexibility I
> need?
> 

From my main.cf:-
smtpd_sender_restrictions =  permit_mynetworks, permit_sasl_authenticated,
     reject_non_fqdn_sender,
     reject_unknown_sender_domain,
     check_sender_access hash:/etc/postfix/sender_access,
     etc, etc.....

Explanation:-
Line 1 will accept all my local machines (Servers and clients)
Lines 2 and 3 will reject rubbish senders;
Line 4  The access file rejects all senders CLAIMING to be from my own domain

and

From my sender_access file:-
###   Reject any cidercounty sender not from local network
cidercounty.org.uk                     reject  Sender is not authenticated - s
etc, etc....


It works for me, but I'm only a little guy  :-)

Hope this helps

Allen C
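
An added illustration, not part of the message above and not Postfix code: a small Python model of the first-match evaluation that makes the ordering in that main.cf excerpt work, so local and authenticated clients are permitted before the sender access table is consulted. The network ranges, client addresses and SASL user name are constructed, and reject_unknown_sender_domain is left out because it needs DNS.

```python
import ipaddress

# Constructed values: the networks and client addresses are assumptions;
# the domain is the one in the sender_access file quoted in the message.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
SENDER_ACCESS = {"cidercounty.org.uk": "REJECT"}

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "OK" if s.get("sasl_user") else None

def reject_non_fqdn_sender(s):
    # The null sender (bounces) is not rejected by this restriction.
    domain = s["sender"].rpartition("@")[2]
    return "REJECT" if s["sender"] and "." not in domain else None

def check_sender_access(s):
    # Simplified access(5) lookup: full address, then domain and parent domains.
    sender = s["sender"].lower()
    labels = sender.rpartition("@")[2].split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    return next((SENDER_ACCESS[k] for k in keys if k in SENDER_ACCESS), None)

# Same order as the main.cf excerpt (reject_unknown_sender_domain omitted: needs DNS).
RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                reject_non_fqdn_sender, check_sender_access]

def evaluate(session, restrictions=RESTRICTIONS):
    """Return (verdict, deciding restriction); the first decisive result wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict:
            return verdict, restriction.__name__
    return "DUNNO", None  # no decision: Postfix moves on to the next restriction list

if __name__ == "__main__":
    forged = "someone@cidercounty.org.uk"
    for label, session in [
        ("Internet client", {"client": "203.0.113.9", "sender": forged}),
        ("internal relay", {"client": "192.0.2.10", "sender": forged}),
        ("SASL user", {"client": "203.0.113.9", "sender": forged, "sasl_user": "user1"}),
    ]:
        print(label, evaluate(session))
    # Misordered list: the access check fires before permit_mynetworks.
    print("misordered", evaluate({"client": "192.0.2.10", "sender": forged},
                                 [check_sender_access] + RESTRICTIONS[:3]))
```

The misordered case shows why the permit rules must come first: with the access check ahead of permit_mynetworks, mail from the internal relay using the local domain is rejected as well.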