Block email faking to be from our domain but coming from outside?

David Jones djones at ena.com
Mon Jun 11 11:21:53 UTC 2018


On 06/11/2018 04:37 AM, Remco Barendse wrote:
> Thanks for your comments and help :)
> 
> Tried the rules below but From:mydomain.com stops all inbound email with 
> a relaying denied message even though I have mydomain.com in the 
> mailertable.
> 
> I tried adding :
> To:mydomain.com    RELAY
> From:mydomain.com REJECT
> 
> But then when I telnet to the mailserver it still says :
> MAIL FROM: <support at mydomain.com> 250 2.1.0 <support at mydomain.com>... 
> Sender ok
> 
> Also, now have a simple line with ip of the exchange server and RELAY 
> behind it, when I change that Connect:localip     OK
> it doesn't relay mail anymore.
> 
> I am missing something very obvious here?
> 
> 

I don't recommend solving this problem this way if your MailScanner 
server is handling both inbound and outbound mail filtering for your domain.

Tune your SA a bit to solve this and it will help improve your filtering 
accuracy overall.  Make sure your SA trusted_networks and 
internal_networks are set up correctly for your network and mail flow and 
then use the ALL_TRUSTED rule hit in a meta rule to block the fake 
inbound emails from the Internet.

shortcircuit ALL_TRUSTED off
score ALL_TRUSTED -0.2

header	__FROM_MYDOMAIN_COM	From:addr =~ /\@mydomain\.com/i

meta	SPOOFED_MYDOMAIN	!ALL_TRUSTED && __FROM_MYDOMAIN_COM
score	SPOOFED_MYDOMAIN	6.0

The From:addr above will be the visible From: header in the mail client 
that is protected by DMARC.  If you are getting spoofed envelope-from 
domain that is protected by SPF, then you need to handle this a little 
differently.

I recommend installing python-postfix-policyd-spf, opendkim, and 
opendmarc as milters in Postfix.  Only run them on the smtpd_milters and 
not on the non_smtpd_milters with MailScanner.  Then you will have extra 
headers to check in SA in local rules to better integrate SPF, DKIM, and 
DMARC into SA.

-- 
David Jones
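
A simplified Python model of the SPOOFED_MYDOMAIN meta rule above, added here as an illustration (not code from the post or from SpamAssassin): it treats ALL_TRUSTED as "there is at least one relay and every relay IP is inside trusted_networks", and shows that leaving the Exchange server out of trusted_networks makes your own users' mail hit the rule. The network ranges, host names, sample Received headers and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed values: RFC 5737 documentation ranges stand in for real networks.
TRUSTED_NETWORKS = ["192.0.2.0/24"]  # assumption: MailScanner and Exchange hosts
MY_DOMAIN = "mydomain.com"
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def all_trusted(received, trusted=TRUSTED_NETWORKS):
    """Model of ALL_TRUSTED: at least one relay, all parseable, all trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    if not received:
        return False
    for header in received:
        m = RELAY_IP.search(header)
        if m is None:  # unparseable relay: do not trust the path
            return False
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in nets):
            return False
    return True

def from_mydomain(from_addr):
    """Model of __FROM_MYDOMAIN_COM: same unanchored, case-insensitive match."""
    return re.search(r"@" + re.escape(MY_DOMAIN), from_addr, re.I) is not None

def spoofed_mydomain(received, from_addr, trusted=TRUSTED_NETWORKS):
    """Model of: meta SPOOFED_MYDOMAIN  !ALL_TRUSTED && __FROM_MYDOMAIN_COM"""
    return not all_trusted(received, trusted) and from_mydomain(from_addr)

# Constructed sample Received headers (newest first).
OUTBOUND = ["from exchange.mydomain.com (exchange.mydomain.com [192.0.2.10]) by ms.mydomain.com"]
INBOUND = ["from mail.example.net (mail.example.net [203.0.113.7]) by ms.mydomain.com"]

if __name__ == "__main__":
    cases = [
        ("internal user via Exchange", OUTBOUND, "support@mydomain.com", TRUSTED_NETWORKS),
        ("Internet sender faking our domain", INBOUND, "support@mydomain.com", TRUSTED_NETWORKS),
        ("ordinary Internet sender", INBOUND, "alice@example.org", TRUSTED_NETWORKS),
        ("Exchange missing from trusted_networks", OUTBOUND, "support@mydomain.com", ["198.51.100.0/24"]),
    ]
    for label, received, sender, nets in cases:
        print(f"{label}: SPOOFED_MYDOMAIN={spoofed_mydomain(received, sender, nets)}")
```
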

