Block email faking to be from our domain but coming from outside?
djones at ena.com
Mon Jun 11 11:21:53 UTC 2018
On 06/11/2018 04:37 AM, Remco Barendse wrote:
> Thanks for your comments and help :)
> Tried the rules below but From:mydomain.com stops all inbound email with
> a relaying denied message even though I have mydomain.com in the
> I tried adding :
> To:mydomain.com RELAY
> From:mydomain.com REJECT
> But then when I telnet to the mailserver it still says :
> MAIL FROM: <support at mydomain.com> 250 2.1.0 <support at mydomain.com>...
> Sender ok
> Also, now have a simple line with ip of the exchange server and RELAY
> behind it, when I change that Connect:localip OK
> it doesn't relay mail anymore.
> I am missing something very obvious here?
I don't recommend solving this problem this way if your MailScanner
server is handling both inbound and outbound mail filtering for your domain.
Tune your SA a bit to solve this and it will help improve your filtering
accuracy overall. Make sure your SA trusted_networks and
internal_networks are set up correctly for your network and mail flow and
then use the ALL_TRUSTED rule hit in a meta rule to block the fake
inbound emails from the Internet.
shortcircuit ALL_TRUSTED off
score ALL_TRUSTED -0.2
header __FROM_MYDOMAIN_COM From:addr =~ /\@mydomain\.com/i
meta SPOOFED_MYDOMAIN !ALL_TRUSTED && __FROM_MYDOMAIN_COM
score SPOOFED_MYDOMAIN 6.0
The From:addr above will be the visible From: header in the mail client
that is protected by DMARC. If you are getting a spoofed envelope-from
domain that is protected by SPF, then you need to handle this a little
I recommend installing python-postfix-policyd-spf, opendkim, and
opendmarc as milters in Postfix. Only run them on the smtpd_milters and
not on the non_smtpd_milters with MailScanner. Then you will have extra
headers to check in SA in local rules to better integrate SPF, DKIM, and
DMARC into SA.
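
Added example (not part of the original post, and not SpamAssassin's own code): a simplified Python model of the SPOOFED_MYDOMAIN meta rule above, for checking the intended outcome on constructed messages before deploying the rule. The trusted network ranges, relay IPs and sample messages are assumptions; ALL_TRUSTED is modeled as "at least one relay and every relay IP is trusted".

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed stand-ins for the trusted_networks setting (documentation ranges).
TRUSTED_NETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
# Same pattern as the __FROM_MYDOMAIN_COM rule quoted in the post.
FROM_MYDOMAIN = re.compile(r"@mydomain\.com", re.I)
RELAY_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)
    except ValueError:  # unparseable relay address counts as untrusted
        return False


def all_trusted(msg):
    """Simplified ALL_TRUSTED: at least one relay, and every relay trusted."""
    ips = [ip for h in msg.get_all("Received", []) for ip in RELAY_IP.findall(h)]
    return bool(ips) and all(is_trusted(ip) for ip in ips)


def spoofed_mydomain(raw):
    """Model of: meta SPOOFED_MYDOMAIN !ALL_TRUSTED && __FROM_MYDOMAIN_COM"""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]  # address part, like From:addr
    return not all_trusted(msg) and bool(FROM_MYDOMAIN.search(addr))


def sample(relay_ip, from_header):
    """Constructed test message with a single Received: hop."""
    return (f"Received: from host.example ([{relay_ip}]) by mail.mydomain.com\n"
            f"From: {from_header}\nSubject: test\n\nbody\n")


if __name__ == "__main__":
    cases = {
        "internal Exchange": sample("192.0.2.10", "Support <support@mydomain.com>"),
        "outside, forged From": sample("203.0.113.7", "Support <support@mydomain.com>"),
        "outside, other domain": sample("203.0.113.7", "alice@example.org"),
    }
    for name, raw in cases.items():
        print(f"{name}: SPOOFED_MYDOMAIN={spoofed_mydomain(raw)}")
```

Because the rule matches only the address part of From:, a message from outside that puts the protected address in the display name with a different real address does not hit it.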