Make postfix reject incoming email spoofed as from my own domain
If you enable Postfix's message submission service (on port 587), you can separate "message submission from message relay, allowing each service to operate according to its own rules (for security, policy, etc.)" (RFC 4409).
Under this configuration, since legitimate users must authenticate to use port 587 for message submission, you can safely reject spoofed, unauthenticated mail submitted via port 25.
To enable (SASL-authenticated) message submission on port 587, add a section like the following to Postfix's master.cf:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
(Source)
Then, create a Postfix access table (at /etc/postfix/access) specifying how Postfix should respond to certain senders:
[email protected] OK
[email protected] HOLD
mydomain.com REJECT
See the access man page for details.
Run postmap on the access file (to create an indexed lookup table):
postmap /etc/postfix/access
Add appropriate sender restrictions to main.cf:
smtpd_sender_restrictions = permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/access
Finally, reload the new configuration. On Debian-based systems, this is done using:
sudo service postfix reload
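To predict which access(5) entry Postfix will pick for a given envelope sender before reloading, here is an added example (not code from the answer above) that emulates the lookup order the access(5) man page documents for indexed tables: the full address first, then the domain and each of its parent domains, then the bare local part. The table contents, the domain mydomain.com and the addresses in it are constructed for the example; it assumes Postfix's default, in which parent_domain_matches_subdomains lists smtpd_access_maps, so an entry for mydomain.com also matches its subdomains.

```python
# Added example, not part of the answer: emulate Postfix's check_sender_access
# lookup order against an access(5) table so the outcome can be predicted
# before the table is installed with postmap.

from typing import Dict, Optional, Tuple

# Constructed access table in the same shape as /etc/postfix/access above.
# The addresses are placeholders at the example domain mydomain.com.
ACCESS_TEXT = """
# pattern                action
postmaster@mydomain.com  OK
bounces@mydomain.com     HOLD
mydomain.com             REJECT
"""


def parse_access_table(text: str) -> Dict[str, str]:
    """Parse access(5) text: 'pattern action...', skipping '#' comments and blank lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        table[pattern.lower()] = action.strip()
    return table


def lookup_sender(table: Dict[str, str], sender: str,
                  parent_matches_subdomains: bool = True) -> Optional[Tuple[str, str]]:
    """Return (matched_pattern, action) in the order Postfix tries indexed lookups.

    Order per access(5): user@domain, then domain.tld and each parent domain
    (bare 'domain.tld' keys when parent_domain_matches_subdomains applies,
    otherwise '.parent.tld' keys), then user@.  None means no entry matched,
    so Postfix would go on to the next restriction.
    """
    sender = sender.strip().lower()
    if "@" not in sender:
        return None  # null sender <> or malformed address: nothing to look up
    localpart, domain = sender.rsplit("@", 1)

    if sender in table:
        return sender, table[sender]

    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        key = candidate if (i == 0 or parent_matches_subdomains) else "." + candidate
        if key in table:
            return key, table[key]

    key = localpart + "@"
    if key in table:
        return key, table[key]
    return None


def sender_restriction_result(table: Dict[str, str], sender: str,
                              sasl_authenticated: bool) -> str:
    """Apply the answer's main.cf order: permit_sasl_authenticated, then check_sender_access."""
    if sasl_authenticated:
        return "PERMIT"
    hit = lookup_sender(table, sender)
    return hit[1] if hit else "DUNNO"


if __name__ == "__main__":
    table = parse_access_table(ACCESS_TEXT)
    for sender, authed in [("anyone@mydomain.com", False),
                           ("postmaster@mydomain.com", False),
                           ("user@sales.mydomain.com", False),
                           ("anyone@mydomain.com", True),
                           ("stranger@example.org", False)]:
        print(f"{sender:28} sasl={authed!s:5} -> {sender_restriction_result(table, sender, authed)}")
```

Two things the run makes visible: an unauthenticated sender at a subdomain such as sales.mydomain.com is still caught by the bare mydomain.com entry under the default parent-domain matching, and every address you list with OK is exactly the set of addresses that remains spoofable from the outside, because check_sender_access accepts it before any authentication is considered. The emulation covers indexed (hash, btree, lmdb) tables only; regexp and pcre tables are matched line by line, not by this key order.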
Is there a quick postfix configuration item I can add that would reject incoming email which is FROM mydomain and wasn't authenticated?
Not so quick, but you could implement a simple SMTPd Policy and pick the sender and sasl_username and check whether the first one comes from your domain and the second one exists and also comes from your domain; if so, return DUNNO, otherwise REJECT. This way you ensure that for any incoming mail, if it is from your users, it must be SASL authenticated.
To be very specific, this is my postfix conf:
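The policy check described in that answer, written out as an added example (this is not the answer's own configuration or code): a minimal Postfix SMTPD access policy server speaking the protocol from SMTPD_POLICY_README, which rejects mail whose envelope sender is in one of our domains unless the session was SASL authenticated as a user of those domains. The domain mydomain.com, the listening address 127.0.0.1:10040 and the rule that a bare SASL login name without "@" counts as a local user are assumptions made for the example.

```python
# Added example, not the answer's own configuration: a minimal Postfix SMTPD
# access policy server (SMTPD_POLICY_README protocol).  Postfix sends
# "name=value" lines ending with an empty line; the daemon replies
# "action=<action>" followed by an empty line.
#
# Assumptions (not from the page): our domain is mydomain.com, the daemon
# listens on 127.0.0.1:10040, and a bare SASL login name without '@' (as
# Dovecot often reports it) counts as a local user.

import socketserver

OUR_DOMAINS = {"mydomain.com"}  # placeholder domain set


def parse_policy_request(raw: str) -> dict:
    """Parse 'name=value' lines; the request ends at the first empty line."""
    attrs = {}
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def address_domain(addr: str):
    """Domain part of user@domain, lower-cased; None if there is no '@'."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1]


def decide(attrs: dict) -> str:
    """Return the policy action: DUNNO (no opinion) or 'REJECT <reason>'."""
    sender = attrs.get("sender", "")
    sender_domain = address_domain(sender)
    if sender_domain is None or sender_domain not in OUR_DOMAINS:
        # Null sender (bounces) or a foreign domain: leave it to the other
        # restrictions (SPF/DKIM checks and so on).
        return "DUNNO"

    # Postfix sends sasl_username= with an empty value when there was no AUTH.
    sasl_user = attrs.get("sasl_username", "").strip().lower()
    if not sasl_user:
        return "REJECT Sender address %s requires SMTP authentication" % sender
    sasl_domain = address_domain(sasl_user)
    if sasl_domain is not None and sasl_domain not in OUR_DOMAINS:
        return "REJECT Authenticated user %s may not send as %s" % (sasl_user, sender)
    return "DUNNO"


def handle_request(raw: str) -> str:
    """One complete exchange: the reply text Postfix expects for a request."""
    return "action=%s\n\n" % decide(parse_policy_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send many requests over one connection, each ending with an empty line."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                continue
            self.wfile.write(handle_request("\n".join(lines) + "\n").encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as server:
        server.serve_forever()
```

Hook it into main.cf with check_policy_service inet:127.0.0.1:10040 in smtpd_recipient_restrictions. Order matters: hosts listed in mynetworks (internal application servers, monitoring) send as your domain without SASL, so either put permit_mynetworks before the policy check or teach the daemon about those client addresses, otherwise their mail is rejected too. With the daemon placed before permit_sasl_authenticated, an authenticated user of a foreign domain also cannot send as yours, which is the second half of the check the answer describes.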
There are some additional items you can add to your smtpd_recipient_restrictions policy to try to stop the spam and at the same time improve your security:
smtpd_sender_restrictions =
  permit_mynetworks
  reject_unknown_sender_domain
  reject_sender_login_mismatch
  reject_unauth_pipelining
  reject_non_fqdn_sender
  permit
What each of these means can be found in the Postfix Configuration Parameters page.
There are some additional items you might want to include to stop the spam:

SPF is one of them, but I agree that blocking any non-matching test is quite heavy, bearing in mind that some poorly implemented mailing lists send e-mails with the original sender address from their servers, so they fail.

DKIM is very powerful as well (check OpenDKIM).

SpamAssassin might be very helpful in this case. It won't block mail, but a Spam header will be added and the mail consequently classified as such.

You didn't provide a Postfix message of one of those spoofed attempts, but you could check if they originate from the same IP address, or at least a concrete CIDR range, and put them into a blacklist with the smtpd_client_restrictions parameter.

The same may be applied to the HELO/EHLO message and might be placed into smtpd_helo_restrictions.
As you can see, there are a lot of ways, maybe you are able to find a combination of them that suits your case and stop all the spoofed attempts.
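The log triage suggested at the end of that answer, as an added example that is not part of the answer: it picks the "Sender address rejected" lines out of Postfix's smtpd log, keeps those where the spoofed envelope sender is in our domain, tallies the client addresses per network so a whole range can be listed once in a cidr(5) table for check_client_access, and tallies the HELO names the spoofers used for smtpd_helo_restrictions. The log lines are constructed samples in the format Postfix writes for this reject; the addresses are documentation ranges and mydomain.com is a placeholder.

```python
# Added example, not from the answer: triage Postfix smtpd reject log lines for
# sender-spoofing attempts, group the client IPs into networks and emit a
# cidr(5) table for check_client_access, plus a HELO tally for
# smtpd_helo_restrictions.  SAMPLE_LOG is constructed; IPs are documentation
# ranges and mydomain.com is a placeholder.

import ipaddress
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Mar  3 10:12:01 mx1 postfix/smtpd[23341]: NOQUEUE: reject: RCPT from unknown[203.0.113.17]: 554 5.7.1 <alice@mydomain.com>: Sender address rejected: Access denied; from=<alice@mydomain.com> to=<bob@mydomain.com> proto=ESMTP helo=<mail.mydomain.com>
Mar  3 10:12:09 mx1 postfix/smtpd[23341]: NOQUEUE: reject: RCPT from unknown[203.0.113.42]: 554 5.7.1 <ceo@mydomain.com>: Sender address rejected: Access denied; from=<ceo@mydomain.com> to=<finance@mydomain.com> proto=ESMTP helo=<mail.mydomain.com>
Mar  3 10:13:30 mx1 postfix/smtpd[23350]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 <it@mydomain.com>: Sender address rejected: Access denied; from=<it@mydomain.com> to=<bob@mydomain.com> proto=ESMTP helo=<mydomain.com>
Mar  3 10:15:02 mx1 postfix/smtpd[23352]: NOQUEUE: reject: RCPT from host7.example.net[198.51.100.7]: 554 5.7.1 <alice@mydomain.com>: Sender address rejected: Access denied; from=<alice@mydomain.com> to=<bob@mydomain.com> proto=ESMTP helo=<host7.example.net>
Mar  3 10:15:40 mx1 postfix/smtpd[23352]: 4F2C1A0B3C: client=mail.partner.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mydomain.com
"""

# Matches the reject line check_sender_access produces for a REJECT entry.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"\d{3} [\d.]+ <(?P<sender>[^>]*)>: Sender address rejected.*?"
    r"from=<(?P<mail_from>[^>]*)> to=<(?P<rcpt>[^>]*)> .*?helo=<(?P<helo>[^>]*)>"
)


def parse_sender_rejects(log_text: str, our_domains) -> List[Dict[str, str]]:
    """Pick out rejects where the spoofed envelope sender is in one of our domains."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        sender_domain = rec["mail_from"].rsplit("@", 1)[-1].lower()
        if sender_domain in our_domains:
            hits.append(rec)
    return hits


def count_by_network(records, v4_prefix: int = 24, v6_prefix: int = 64) -> Counter:
    """Tally offending clients per network so a whole range can be listed once."""
    tally: Counter = Counter()
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        tally[str(net)] += 1
    return tally


def cidr_table(tally: Counter, min_hits: int = 2) -> str:
    """Render a cidr(5) table for check_client_access, listing networks seen min_hits or more times."""
    lines = ["# generated from spoofed-sender rejects; review before installing"]
    for net, n in sorted(tally.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= min_hits:
            lines.append(f"{net}\tREJECT spoofed-sender source ({n} attempts)")
    return "\n".join(lines) + "\n"


def count_helo(records) -> Counter:
    """HELO names used by spoofers; your own host names arriving from outside are a strong signal."""
    return Counter(rec["helo"].lower() for rec in records)


if __name__ == "__main__":
    rejects = parse_sender_rejects(SAMPLE_LOG, {"mydomain.com"})
    print(cidr_table(count_by_network(rejects)))
    print(count_helo(rejects).most_common())
```

The generated table goes into smtpd_client_restrictions as check_client_access cidr:/etc/postfix/client_blacklist.cidr (no postmap needed for cidr tables); keep permit_mynetworks ahead of it and review the list before installing, since a /24 can contain shared hosting you still want mail from. The HELO tally shows the complementary check: spoofers introducing themselves with your own host name can be refused in smtpd_helo_restrictions with a check_helo_access table that maps your host names to REJECT, which legitimate outside senders never need to use.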