Block email faking to be from our domain but coming from outside?

Remco Barendse mailscanner at barendse.to
Mon Jun 11 09:37:08 UTC 2018


Thanks for your comments and help :)

Tried the rules below but From:mydomain.com stops all inbound email with a 
relaying denied message even though I have mydomain.com in the 
mailertable.

I tried adding:
To:mydomain.com	RELAY
From:mydomain.com REJECT

But then when I telnet to the mail server it still says:
MAIL FROM: <support at mydomain.com> 
250 2.1.0 <support at mydomain.com>... Sender ok

Also, I now have a simple line with the IP of the Exchange server and RELAY 
behind it; when I change that to Connect:localip 	OK
it doesn't relay mail anymore.

Am I missing something very obvious here?



On Fri, 8 Jun 2018, Peter Lemieux wrote:

> I find these problems more easily resolved at the SMTP level.  I use sendmail 
> and its access.db mechanism for this task.  My /etc/mail/access file permits 
> mail from localhost and specific local networks, then has a generic REJECT 
> rule for any other mail with From's spoofing my domain. Something like this:
>
> Connect:127.0.0.1          RELAY
> Connect:10.10.10.          RELAY
>
> From:mydomain.com          REJECT
>
> [etc.]
>
> .                          REJECT
>
> You could replace 10.10.10. with the Exchange server's IP.
>
> I also manage a postfix server where we use a different method.  In main.cf 
> we have
>
> smtpd_sender_restrictions = reject_unknown_sender_domain,
>   check_sender_access pcre:/etc/postfix/sender_access
>
> and the sender_access file contains
>
> # no mail from outsiders claiming to be us
> /\.mydomain\.com$/         REJECT
>
>
> See "man access" and http://www.postfix.org/SMTPD_ACCESS_README.html.
>
> Peter
>
>
> On 06/08/2018 05:35 AM, Remco Barendse wrote:
>> I see more and more incoming messages with fraud attempts. The mail is 
>> constructed to look like someone in our organization sent it and is 
>> addressed to people within the organization.
>> 
>> Is there any way to block email with a sender that pretends to be coming 
>> from @myowndomain.com but coming from outside?
>> 
>> I use Exchange and all real email is coming only from Exchange, never from 
>> outside.
>> 
>> What would be the right way to do it?
>
>
>
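A coverage check for the Postfix sender_access pattern quoted above, as an added example that is not part of the thread or written by either poster. It runs the quoted pattern and a hypothetical broader one (BROADER, an assumption introduced here) over constructed envelope senders to show which address forms each rule would reject.

```python
import re

# Patterns as they would appear between the slashes in a Postfix pcre: table.
# QUOTED is the pattern from the message above; BROADER is a hypothetical
# alternative added here for comparison, not something from the thread.
QUOTED = r"\.mydomain\.com$"
BROADER = r"[@.]mydomain\.com$"

# Constructed envelope senders (MAIL FROM values); none come from real traffic.
SAMPLE_SENDERS = [
    "support@mydomain.com",        # exact domain
    "Support@MyDomain.COM",        # exact domain, mixed case
    "ceo@mail.mydomain.com",       # subdomain
    "user@notmydomain.com",        # look-alike that only shares a suffix
    "user@mydomain.com.example",   # domain continues past .com
    "user@example.org",            # unrelated
]


def pcre_table_matches(pattern: str, sender: str) -> bool:
    """Approximate a Postfix pcre: table lookup for one sender address.

    Assumptions: the table is consulted with the full address as one string,
    the match is unanchored unless the pattern anchors it, and case is
    ignored (the pcre_table default). Python's re stands in for PCRE, which
    behaves the same for the simple constructs used here.
    """
    return re.search(pattern, sender, re.IGNORECASE) is not None


def coverage(pattern: str, senders=SAMPLE_SENDERS) -> dict:
    """Map each sender to the result the rule would produce."""
    return {s: ("REJECT" if pcre_table_matches(pattern, s) else "no match")
            for s in senders}


def report() -> str:
    """Side-by-side table: sender, quoted pattern, broader pattern."""
    quoted, broader = coverage(QUOTED), coverage(BROADER)
    rows = [f"{'sender':<28} {'quoted':<9} broader"]
    rows += [f"{s:<28} {quoted[s]:<9} {broader[s]}" for s in SAMPLE_SENDERS]
    return "\n".join(rows)


if __name__ == "__main__":
    print(report())
```

A rule of this kind applies to every client that reaches the restriction, so it belongs after whatever exempts the trusted relay (here, the Exchange server).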

