OSEC

"Dunce Moment" as regards to spoofing email headers (spam)

From: Ronald MacDonald (ronaldrmacd.com)
Date: Mon Dec 01 2008 - 14:11:57 CST


Dear list,

It's been a hectic couple of weeks, and I'm getting complaints from
users after having upgraded to a new system that mails are coming in
which have been spoofed. I see exactly what's going on - a rogue
system opens up port 25 on my system, tells it the mail's from one of
the users on the system, and then sends the mail to the same user,
completely bypassing my content-filter (amavis) as it's not checked
against the sender or recipient restrictions, somehow.

However, in one of those "crap, what do I do now" moments, I'm
confuzzled as to how to get Postfix to realise that the mail *should*
be checked, since it's coming in from outside the network.

My postconf -n is as follows:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 4h
fallback_transport = virtual
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_checks
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.rmacd.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
notify_classes = resource, software, delay
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf,
lists.rmacd.com
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination, permit_mynetworks,
reject_invalid_hostname, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions =
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1002
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 104857600
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:1002

Any ideas as to what might be the best way to fix this?

Kind regards,
Ronald.

--
Ronald MacDonald
http://www.rmacd.com/
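What the posted configuration is missing is any restriction on the envelope sender: smtpd_sender_restrictions is empty, and smtpd_recipient_restrictions only asks "may this client relay to this recipient?" (reject_unauth_destination), which a message addressed to a local user always passes. The following main.cf fragment is an added example, not part of the original post or a reply to it. It assumes the domain rmacd.com and the mysql virtual mailbox/alias maps already named in the poster's postconf -n output; the hash file /etc/postfix/sender_access is a hypothetical path chosen for illustration.

```text
# /etc/postfix/main.cf (fragment; added example, not from the original post)
# Assumes rmacd.com and the mysql maps shown in the poster's postconf -n.

# Which sender addresses are "owned" by a SASL login. Any non-empty lookup
# result is enough for the unauthenticated check below, so the existing
# mailbox and alias maps can be reused without a dedicated login map.
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
    mysql:/etc/postfix/mysql_virtual_alias_maps.cf

# Was empty in the original. With smtpd_delay_reject = yes this is
# evaluated at RCPT TO, so SASL clients are already authenticated here.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/sender_access (hypothetical path; run
# "postmap /etc/postfix/sender_access" after editing)
# Catches addresses the login maps do not know about: an unauthenticated
# client outside mynetworks may not claim MAIL FROM anything @rmacd.com.
rmacd.com    REJECT Use SMTP AUTH to send as @rmacd.com
```

reject_unauthenticated_sender_login_mismatch needs Postfix 2.3 or later; the reject_authenticated_sender_login_mismatch variant should only be added once the login map returns the actual SASL login name rather than a mailbox path, otherwise legitimate authenticated users are refused. Two caveats: the access map matches subdomains by default (parent_domain_matches_subdomains includes smtpd_access_maps), so mail arriving unauthenticated from lists.rmacd.com would also be rejected unless an explicit "lists.rmacd.com OK" entry precedes it; and both checks look at the envelope MAIL FROM only, so a forged From: header riding on an unrelated envelope sender still needs a header_checks rule. Before reloading, confirm the map resolves with "postmap -q rmacd.com hash:/etc/postfix/sender_access".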