From: *Hobbit* (hobbit_at_avian.org)
Date: Thu Oct 31 2002 - 07:14:31 CST


    Looks like it's time for another send of my irregular and still-evolving
    rant about split-brained direction-sensitive mailers again. This hasn't
    turned into a whitepaper yet, but possibly should someday.

    Short answer is you need to run two MTA instances, one for inbound mail
    and one for outbound, with different rules governing each, and surrounding
    infrastructure to support directing traffic the right ways. Postfix in
    particular lets you do this really easily, with its inet_interfaces
    directive allowing versatile use of alias IP addresses on one box.

    You want your mail environment to have a clear sense of direction and where
    the perimeter is, so it can do proper anti-spoofing. Just like you deny
    packets claiming to be from your own network in your inbound IP filters,
    you can handle SMTP data the same way. Basically, anyone outside your local
    networks who sends mail claiming to be from your site is LYING. You can
    deal with this at several points in the transaction by which mail arrives
    from the outside -- HELO, MAIL-FROM, and headers.

    On the inbound side, "HELO mydomain.org" or "HELO anything.mydomain.org"
    is clearly a lie, to be flat-out rejected.

    "MAIL FROM: <someuser@mydomain.org>" is most likely a lie, but may be a
    side effect of external mailing-list handlers that use the original message
    sender's envelope address instead of something of their own, such as
    owner-listname@externalsite.org. The first approach to solving this
    problem is to get the external list maintainer to run better mailing-list
    software that supplies a more generic envelope address for bounces to go
    back to, instead of just resending with the original sender's envelope
    address. If that fails, you can still reject inbound mail that appears to
    be spoofed, with the possible effect of pissing off any internal users that
    want to participate in such forums. An alternative action is to DROP such
    mail instead, but that requires hacking the Postfix source.

    Consider From: and Sender: and Reply-to: headers in a similar fashion.

    Users need to understand why the perimeter protection exists and where it is
    located, and need to avoid assuming the wrong identity for where they are
    currently sitting. If policy dictates that you can't reject spoofed-looking
    mail, you can and should at the very least use entries in sender_canonical_maps
    to rewrite any addresses claiming to be from your own domain into something
    clearly from the outside, to prevent internal users from being duped into bad
    actions from falsified messages from fellow employees, their bosses, etc.
    E.g. in a regex file pointed to by sender_canonical_maps ...

      /(..*)@mydomain.org$/ $1-FROM-OUTSIDE@MAYBE-mydomain.org

    This won't help the problem of spammers who fake sender addresses within
    the same domain that they're targeting, but at least avoids the potential
    for dangerous confusion. Hopefully you can find other message criteria on
    which to reject or drop the outright spam, and still work toward a cleaner
    internet in general.

    _H*
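Added example, not part of Hobbit's post or of the Postfix project: the inbound-side checks the post describes (reject a HELO or MAIL FROM claiming our own domain when the client is outside mynetworks) written as a Postfix SMTPD policy service, plus the post's sender_canonical_maps regexp entry applied in Python so the rewrite can be tried on sample addresses. The policy-service mechanism (check_policy_service, Postfix 2.1 and later) postdates the post and is assumed here as the hook point; mydomain.org is the post's placeholder, and the mynetworks ranges, client addresses and the 127.0.0.1:10040 listener are constructed.

```python
# Added example (not from the post or from Postfix itself): direction-aware
# anti-spoofing as a Postfix SMTPD policy service, plus the post's
# sender_canonical_maps rewrite. Assumed hook in the inbound instance's main.cf:
#   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
#       check_policy_service inet:127.0.0.1:10040
import ipaddress
import re
import socketserver

LOCAL_DOMAIN = "mydomain.org"          # the post's placeholder domain
MYNETWORKS = [                         # constructed: what this site calls "inside"
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_local_domain(name: str) -> bool:
    """True for mydomain.org and anything.mydomain.org (case-insensitive)."""
    name = name.strip().lower().rstrip(".")
    return name == LOCAL_DOMAIN or name.endswith("." + LOCAL_DOMAIN)


def parse_policy_request(text: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the policy action for one SMTP transaction.

    Clients inside mynetworks are left alone (DUNNO lets the remaining
    restrictions decide). From outside, a HELO name or MAIL FROM domain that
    claims to be ours is rejected, as the post recommends.
    """
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"
    if any(client in net for net in MYNETWORKS):
        return "DUNNO"
    helo = attrs.get("helo_name", "")
    if is_local_domain(helo):
        return f"REJECT HELO {helo} from {client} is not from our network"
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2]   # empty for the null sender (bounces)
    if domain and is_local_domain(domain):
        return f"REJECT sender {sender} from {client} is not from our network"
    return "DUNNO"


# The post's sender_canonical_maps regexp entry as a (pattern, replacement) pair.
# Postfix regexp: tables are case-insensitive and write $1 where Python writes \1.
SENDER_CANONICAL = [
    (re.compile(r"(..*)@mydomain\.org$", re.IGNORECASE),
     r"\1-FROM-OUTSIDE@MAYBE-mydomain.org"),
]


def rewrite_sender(address: str) -> str:
    """Apply the first matching rule, like a regexp: lookup table (first match wins)."""
    for pattern, replacement in SENDER_CANONICAL:
        if pattern.search(address):
            return pattern.sub(replacement, address, count=1)
    return address


class PolicyHandler(socketserver.StreamRequestHandler):
    """Speaks the policy protocol: read attributes, answer 'action=...' + blank line."""

    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return               # smtpd closed the connection
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = decide(parse_policy_request("\n".join(lines) + "\n"))
            self.wfile.write(f"action={action}\n\n".encode("ascii"))
            self.wfile.flush()


if __name__ == "__main__":
    # Listen where the inbound instance's check_policy_service points (assumption).
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

The service only runs on the inbound instance; the outbound instance, bound to its own alias address with inet_interfaces, never sees outside clients and so needs none of these checks. Rejecting in `decide` and rewriting with `rewrite_sender` are the two alternatives the post lays out: use the former where policy allows outright rejection, and the latter (via sender_canonical_maps) where spoofed-looking list mail must still be delivered but should no longer look like a colleague's.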