Email Spoofing Block Help with SPF in Mailscanner

info at info at
Wed May 8 09:04:27 UTC 2019

Hi Bilal,

OK, so the spam you get seems to be sent directly to your mailserver. Spambot A) is connecting directly to your and says "hey, I am bilal at (mailto:bilal at and I have a mail for contact at (mailto:contact at" and your postfix should, before even MailScanner is scanning for spam, reject this sender domain address, because it's not sent by your internal IPs.

Make sure you have all the IP ranges from your internal network configured in /etc/ in mynetworks =, in my case it looks like this:

mynetworks =,,,,

Now we will configure postfix to reject all incoming e-mails from domain sender "" if the sender IP IS NOT an IP listed in "mynetworks". I guess there are multiple solutions possible in postfix, I got it successfully rejected this way:

1. Create a "do not spoof these domains" file with your domains here: /etc/postfix/spoofingprotected_domains
2. Fill this file with the domains you want to protect from spoofing, for example my file looks like this:

#The following entries are to REJECT sender domain. Be sure, permit_mynetworks rule set before this list in REJECT REJECT

3. Make the file readable by postfix by running postmap: "postmap /etc/postfix/spoofingprotected_domains"

4. Now you have to put this "spoofing blacklist" in the right place in /etc/ Again - there are maybe multiple solutions, but here is mine:

Extend the option "smtpd_sender_restrictions =" with this file, but make sure "permit_mynetworks" is BEFORE the new file spoofingprotected_domains. So postfix will still allow "" as sender for your mynetworks = IP addresses, but postfix will reject sender domains in /etc/postfix/spoofingprotected_domains if it is not your IP. My line looks like this:

smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks, hash:/etc/postfix/spoofingprotected_domains

5. Restart Postfix. Done.

You should try the new configuration yourself: log in to a web server outside your IP range and try to send yourself an email from to with telnet. It should deny your mail test already at step 2 like this:

MAIL FROM:<bilal at (mailto:bilal at>
MAIL FROM:<bilal at (mailto:bilal at>
554 5.7.1 <bilal at (mailto:bilal at>: Sender address rejected: Access denied

(Hehe, "access denied" is an ugly error message, more pretty would be "this domain cannot be a sender-address without being internal ip", but hey, who cares!)

And also test if all other mails are still working properly, not that you damage your production : o )

Hope this helps
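
Added example, not part of the original post: a small Python model of how Postfix walks the smtpd_sender_restrictions list from step 4, showing why permit_mynetworks has to come before the access map. The networks, domains and addresses are constructed placeholders, and the model looks up the sender domain only and treats reject_unknown_sender_domain (a DNS check) as having no opinion.

```python
"""Model of Postfix first-match evaluation for smtpd_sender_restrictions."""
import ipaddress

# Constructed sample values (documentation ranges), not from the original post.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
PROTECTED = {"example.com": "REJECT"}   # contents of the hash: access map


def in_mynetworks(client_ip, networks=MYNETWORKS):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def check_sender(client_ip, sender, restrictions, access_map=PROTECTED):
    """Return (verdict, deciding_restriction) for one MAIL FROM.

    Restrictions are tried left to right; the first PERMIT or REJECT wins.
    Simplifications: the map is keyed by sender domain only, and
    reject_unknown_sender_domain is skipped because it needs DNS.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", rule
        if rule.startswith("hash:") and access_map.get(domain) == "REJECT":
            return "REJECT", rule
    return "DUNNO", None   # nothing matched: later restriction classes decide


MAP = "hash:/etc/postfix/spoofingprotected_domains"
AS_POSTED = ["reject_unknown_sender_domain", "permit_mynetworks", MAP]
SWAPPED = ["reject_unknown_sender_domain", MAP, "permit_mynetworks"]

if __name__ == "__main__":
    cases = [("192.0.2.10", "bilal@example.com"),     # internal host
             ("203.0.113.7", "bilal@example.com"),    # outside, protected domain
             ("203.0.113.7", "someone@example.org")]  # outside, other domain
    for name, order in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        for ip, sender in cases:
            print(name, ip, sender, check_sender(ip, sender, order))
```

With the order swapped, the internal host is rejected as well, which is the breakage the ordering in step 4 avoids. The restriction acts on the envelope sender given in MAIL FROM only; the From: header inside the message is not examined by it.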