How do I prevent postfix forgeries in "From:" rather than envelope?
Putting "dnalounge.com REJECT Forgery" in "sender_access" prevents inbound unauthenticated SMTP connections from forging my domain in the envelope, but doesn't reject messages like:
From: "firstname.lastname@example.org" <email@example.com>
Looking for a postfix solution, not a spamassassin solution.
Update: I have still not gotten an answer to this question that I understand or believe. Is the person below who said "you can only solve this by adding even more nonstandard complexity to master.cf" correct?
On gateway host (routing mail both in and out of internal net) use 2 separate `smtpd`'s and `cleanup`'s for inner and outer mail (separate smtpd for mail from outside could be a good idea anyway); reject anything looking like your domains in `header_checks` for outer `cleanup` (see e.g. https://www.postfix.org/BACKSCATTER_README.html#forged_sender).
I don't understand that in the slightest.
It's the MTA/MSA pattern. Look for "submission" in `master.cf`. This service listens on port 587, requires authentication, and doesn't reject mail that claims to be from your domain, because the sender is authenticated. Then the regular "smtp" service on port 25 *can* reject such mail.
I believe reject_unlisted_sender (to be stuck into smtpd_sender_restrictions) will do half of what you want. The other half looks like it could be implemented as a header_check, but then you're parsing the From-header and doing regular expression matching, and you know what you once said about that and two problems.
As is traditional with Postfix, I cannot figure out what the fuck reject_unlisted_sender does, but it does appear to be about envelopes, not headers. As I said, sender_access already takes care of forged envelopes.
In typical blog commenter fashion, not a complete solution and it's going to be a royal pain to keep updated.
Isn't that going to reject every legitimate email too? The spam messages are forged from email addresses that exist.
As I've said above, you need 2 smtpd processes, for external mail (rejecting your domain in headers, maybe with SASL auth and TLS etc) and for internal (maybe with relaxed restrictions). Also, to implement message body (and headers) checks you'll need 2 `cleanup` daemons; something like this:
1) replace stock "smtpd" line in master.cf with 2, "extaddr" being internal address or ip and "intaddr" being external hostname or ip; add 2nd "cleanup" service to handle header checks, like
# keep 1st "cleanup" in place, add 2nd with addl checks for mail from outside
# (file name /etc/postfix/header_checks_ext is an assumed placeholder)
cleanup_ext unix n - n - 0 cleanup
  -o header_checks=pcre:/etc/postfix/header_checks_ext
# maybe other options like "-o always_bcc=archive-box@localhost" etc
# replace stock smtpd with 2 on ext+int addresses;
# the outer one must be told to use the 2nd cleanup, or the checks never run
intaddr:25 inet n - n - 10 smtpd
extaddr:25 inet n - n - 10 smtpd
  -o cleanup_service_name=cleanup_ext
Or you could assume that authentic email arrives via submission and only outside mail arrives via smtp/s so you can add the "-o header_checks=..." only to the latter in master.cf.
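What the From: rule behind that external-only header_checks would look like, and why the display-name forgery from the question is caught by it, as an added example that is not code from this thread. It assumes dnalounge.com is the protected domain (the one named in the question), that the rule lives in a hypothetical pcre file attached only to the outside-facing cleanup/smtpd (or only to the port 25 service when authenticated users send via submission, as both comments above describe), and the Python side just re-runs the same pattern over sample headers so the decision can be checked without a running Postfix.

```python
import re
from email.utils import parseaddr

# Domain this server owns; mail arriving unauthenticated from outside
# has no business claiming it in From:. (constructed sample: the domain
# named in the question)
PROTECTED_DOMAIN = "dnalounge.com"

# The pattern matches the whole From: line, so it fires whether the domain
# sits in the real address or only inside a quoted display name.
# The lookarounds stop "notdnalounge.com" from matching while still
# allowing "@dnalounge.com" and "mail.dnalounge.com".
PATTERN = (
    r"^From:.*(?<![a-z0-9-])" + re.escape(PROTECTED_DOMAIN) + r"(?![a-z0-9-])"
)

# The line you would put in the pcre header_checks file used only by the
# external cleanup service (assumed path /etc/postfix/header_checks_ext).
HEADER_CHECKS_RULE = f"/{PATTERN}/i REJECT Forged {PROTECTED_DOMAIN} sender in From: header"

_FROM_RE = re.compile(PATTERN, re.IGNORECASE)


def check_from_header(header_line: str) -> str:
    """Return 'REJECT' or 'OK' for one header line, the way header_checks
    would decide on it. Only From: lines are examined."""
    if _FROM_RE.search(header_line):
        return "REJECT"
    return "OK"


def offending_part(header_line: str) -> str:
    """Say which part of a rejected From: header carried the domain:
    'address', 'display-name', or '' when the line is acceptable."""
    if check_from_header(header_line) == "OK":
        return ""
    display, addr = parseaddr(header_line.split(":", 1)[1].strip())
    domain_re = re.compile(
        r"(?<![a-z0-9-])" + re.escape(PROTECTED_DOMAIN) + r"(?![a-z0-9-])",
        re.IGNORECASE,
    )
    if domain_re.search(addr):
        return "address"
    if domain_re.search(display):
        return "display-name"
    return "address"  # domain present in a form parseaddr could not split


if __name__ == "__main__":
    # Constructed sample headers, including the shape from the question.
    samples = [
        'From: "firstname.lastname@dnalounge.com" <email@example.com>',
        "From: Someone <someone@dnalounge.com>",
        "From: Someone Else <someone@example.com>",
        'From: "notdnalounge.com" <a@notdnalounge.com>',
        "Subject: dnalounge.com tonight",
    ]
    print(HEADER_CHECKS_RULE)
    for line in samples:
        print(f"{check_from_header(line):6} {offending_part(line):12} {line}")
```

Because the rule is applied only to the outside-facing service, a legitimate user who authenticates on submission (or relays from the inner address) never hits it; that is what answers the "won't this reject every legitimate email" objection. Anything that must enter from outside carrying your domain in From:, such as mailing-list or forwarded copies, needs its own earlier OK rule in the same pcre file.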
DMARC potentially solves for this, but will make you itchy because it can make message forwarding trickier. I handle it on some of my domains by enabling a p=reject DMARC policy and using OpenDMARC with postfix to reject mail that fails DMARC (which means your legit mail has to be authenticated to pass that test), keeping bad guys from getting through when forging your domain.
From my production mail server main.cf:
# Mail restrictions in the context of a client SMTP connection request
# Mail SMTP HELO restrictions
# Mail FROM restrictions
# Mail RCPT TO restrictions
# Free Spamhaus
header_checks = pcre:/etc/postfix/checks/header_checks.txt
body_checks = pcre:/etc/postfix/checks/body_checks.txt
$ cat /etc/postfix/maps/helo_checks
localhost REJECT Network Error: You are NOT localhost
localhost.localdomain REJECT Network Error: You are NOT localhost.localdomain
# M$ exchange
local REJECT Network error: .local is not a valid Top Level Domain
# ipaddr of the external mail server
NN.NN.NN.NN REJECT Network Error: You are NOT NN.NN.NN.NN
dnalounge.com REJECT Network Error: You are NOT dnalounge.com
I use the header_checks.txt method above more as a nuclear option/blacklist for e-mails banned from my server.