Email Spoofing Block Help with SPF in Mailscanner

info at schroeffu.ch
Wed May 8 09:04:27 UTC 2019


Hi Bilal,

ok so the spam you get seems to be sent directly to your mailserver. Spambot A) is connecting directly to your mail.dom123.com:25 and says "hey, I am bilal at 123.com and I have a mail for contact at 123.com", and your postfix should, before MailScanner even scans for spam, reject this sender domain address, because it's not sent from your internal IPs.

Make sure you have all the IP ranges from your internal network configured in /etc/main.cf under "mynetworks =". In my case it looks like this:

mynetworks = 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 192.168.0.0/16, 127.0.0.0/8

Now we will configure postfix to reject all incoming e-mails from the sender domain "@123.com" if the sender IP IS NOT an IP listed in "mynetworks". I guess there are multiple solutions possible in postfix; I got it successfully rejected this way:

1. Create a "do not spoof these domains" file with your domains here: /etc/postfix/spoofingprotected_domains
2. Fill this file with the domains you want to protect from spoofing. For example, my file looks like this:

#The following entries are to REJECT sender domain. Be sure, permit_mynetworks rule set before this list in main.cf
123dom.com REJECT
anotherdomainfromme.com REJECT

3. Make the file readable by postfix by running postmap: "postmap /etc/postfix/spoofingprotected_domains"

4. Now you have to put this "spoofing blacklist" in the right place in /etc/main.cf. Again, there may be multiple solutions, but here is mine:

Extend the option "smtpd_sender_restrictions =" with this file, but make sure "permit_mynetworks" is BEFORE the new file spoofingprotected_domains. So postfix will still allow "123dom.com" as sender for your mynetworks= IP addresses, but postfix will reject the sender domains in /etc/postfix/spoofingprotected_domains if it is not your IP. My line looks like this:

smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks, hash:/etc/postfix/spoofingprotected_domains

5. Restart Postfix. Done.

You should try the new configuration yourself: log in to a web server outside your IP range and try to send yourself an email from 123dom.com to 123dom.com with telnet. It should deny your mail test already at step 2, like this:

ehlo 123dom.com
MAIL FROM:<bilal at 123dom.com>
MAIL FROM:<bilal at 123dom.com>
554 5.7.1 <bilal at 123dom.com>: Sender address rejected: Access denied

(Hehe, "access denied" is an ugly error message; prettier would be "this domain cannot be a sender address without coming from an internal IP", but hey, who cares!)

And also test whether all other mails are still working properly, so that you don't damage your production : o )

Hope this helps
Schroeffu
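As an added illustration (not part of Schroeffu's mail or of Postfix itself), the following Python script simulates how Postfix walks an smtpd_sender_restrictions list in order, using the mynetworks ranges and the access map from the mail above as constructed input. It shows why permit_mynetworks has to come before the hash map: with the order swapped, internal senders of the protected domains are rejected too. The lookup is simplified to "full sender address, then domain" and reject_unknown_sender_domain is assumed to pass (no DNS offline).

```python
import ipaddress

# Constructed from the mail: the mynetworks= line in main.cf.
MYNETWORKS = ["172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16",
              "192.168.0.0/16", "127.0.0.0/8"]

# Constructed from the mail: contents of /etc/postfix/spoofingprotected_domains.
ACCESS_MAP_TEXT = """
#The following entries are to REJECT sender domain.
123dom.com REJECT
anotherdomainfromme.com REJECT
"""


def parse_access_map(text):
    """Parse a Postfix access table: 'key action' per line, '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip().upper()
    return table


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(client_ip, sender, restrictions, access_map):
    """Walk the restriction list in order; the first PERMIT/REJECT wins.
    A 'hash:' entry is looked up like check_sender_access: address, then domain
    (simplified: Postfix also tries parent domains and the localpart@ form)."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    for restriction in restrictions:
        if restriction == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return "PERMIT"
        elif restriction.startswith("hash:"):
            action = access_map.get(sender) or access_map.get(domain)
            if action:
                return action
        elif restriction == "reject_unknown_sender_domain":
            pass  # assumption: sender domain resolves, so no decision here
    return "DUNNO"  # no decision: later restriction stages decide


GOOD_ORDER = ["reject_unknown_sender_domain", "permit_mynetworks",
              "hash:/etc/postfix/spoofingprotected_domains"]
BAD_ORDER = ["reject_unknown_sender_domain",
             "hash:/etc/postfix/spoofingprotected_domains", "permit_mynetworks"]
```

Running evaluate() with a constructed external address such as 203.0.113.5 and the sender bilal@123dom.com returns REJECT under either order, while an internal 192.168.x.x client is permitted only under GOOD_ORDER.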