Reject incoming emails that use your own domain as sender
I found two possible methods, but maybe there is a better way.
1st method:
    smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        permit_sasl_authenticated,
        permit
Now I modified my smtpd_sender_login_maps to return an entry of admin if the domain exists in the domains table. This way a record is returned, even when the email address doesn't exist as mailbox/alias, but not when a foreign domain is the from address.
    # The last SELECT returns the owner 'admin' for any address in a hosted domain.
    table = domain
    query = SELECT username AS allowedUser FROM mailbox WHERE username="%s" AND deleted_at IS NULL
        UNION SELECT goto FROM alias WHERE address="%s" AND active = 1
        UNION SELECT 'admin' FROM domain WHERE domain = '%d'
2nd method:
This approach uses a check_sender_access lookup which returns a reject action if the domain is a virtual one and the user is not sasl_authenticated.
    smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        permit_sasl_authenticated,
        check_sender_access proxy:mysql:$config_directory/mysql_reject_virtual_domains.cf,
        permit
mysql_reject_virtual_domains.cf:
    table = domain
    query = select 'Reject 530 SMTP authentication is required' from domain where domain = '%d'
3rd method (thanks to masegaloeh):
    smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        permit_sasl_authenticated,
        reject_unlisted_sender,
        permit
I don't know how much CPU load or how many SQL queries reject_unlisted_sender generates, as it checks quite a few things:
Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.
An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.
- The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
- The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
- The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
- The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
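
An added example, not part of the original answer: a simplified Python model of how the three restriction lists above decide on a MAIL FROM address, evaluating the restrictions in order until one rejects or permits. The domain, mailbox and alias data are constructed, and the model assumes the hosted domain is a virtual mailbox domain whose mailbox and alias tables also back virtual_mailbox_maps and virtual_alias_maps.

```python
# Simplified model of smtpd_sender_restrictions: restrictions run in order and
# the first REJECT or PERMIT decides. All data here is constructed sample data.
DOMAINS = {"example.org"}                              # domain.domain
MAILBOXES = {"alice@example.org"}                      # mailbox.username
ALIASES = {"sales@example.org": "alice@example.org"}   # alias.address -> goto

def owners_of(sender, method):
    """What smtpd_sender_login_maps returns for this sender."""
    owners = set()
    if sender in MAILBOXES:
        owners.add(sender)
    if sender in ALIASES:
        owners.add(ALIASES[sender])
    if method == 1 and sender.rpartition("@")[2] in DOMAINS:
        owners.add("admin")  # method 1: extra UNION row for every hosted domain
    return owners

def evaluate(method, sender, sasl_user=None):
    """Return the decision for MAIL FROM:<sender> under method 1, 2 or 3."""
    hosted = sender.rpartition("@")[2] in DOMAINS
    owners = owners_of(sender, method)
    # reject_sender_login_mismatch: the address has an owner but the client is
    # not logged in, or the client is logged in but does not own the address.
    if (sasl_user is None and owners) or (sasl_user is not None and sasl_user not in owners):
        return "REJECT login mismatch"
    if sasl_user is not None:            # permit_sasl_authenticated
        return "PERMIT"
    if method == 2 and hosted:           # check_sender_access on the domain table
        return "REJECT 530 authentication required"
    listed = sender in MAILBOXES or sender in ALIASES
    if method == 3 and hosted and not listed:   # reject_unlisted_sender
        return "REJECT unlisted sender"
    return "PERMIT"                      # final permit

CASES = [  # (sender, sasl_user)
    ("alice@example.org", None),                 # forged existing address
    ("ghost@example.org", None),                 # forged non-existent address
    ("bob@example.net", None),                   # ordinary inbound mail
    ("alice@example.org", "alice@example.org"),  # legitimate submission
    ("sales@example.org", "alice@example.org"),  # alias owned by alice
]

if __name__ == "__main__":
    for sender, user in CASES:
        row = [evaluate(m, sender, user) for m in (1, 2, 3)]
        print(f"{sender:20} auth={user!s:20} {row}")
```

In this model all three methods reject an unauthenticated sender in the hosted domain; they differ only in which restriction fires for an address that has no mailbox or alias.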