Lately spammers are using my mail server to send emails to different addresses. For example, a colleague of mine received an email that was supposedly self-sent (it was not). Looking at the information in the email I find the following:
Received-SPF: softfail (domain.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail.domain.com.py; identity=mailfrom; envelope-from="[email protected]"; helo="[45.159.74.66]"; client-ip=45.159.74.66.
How can I stop them from using my mail server to send this kind of email?
I understand that the problem is the ~all mechanism, but if I modify this I understand that I will no longer be able to send emails from outside the company, is this correct?
It would be very helpful if you could guide me on how to solve this.
My mail server is Postfix.
EDIT:
My main.cf is this:
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_helo_access hash:/etc/postfix/helo_access
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unknown_helo_hostname
        reject_unauth_pipelining
        reject_non_fqdn_hostname
        reject_invalid_hostname
        warn_if_reject reject_unknown_hostname
        permit
    smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unknown_sender_domain
        reject_unknown_reverse_client_hostname
        reject_unknown_client_hostname
    policy_time_limit = 3600
    smtpd_recipient_restrictions =
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_policy_service unix:private/policy
        check_policy_service unix:/var/spool/postfix/postgrey/socket
        reject_unauth_pipelining
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_invalid_hostname
        check_client_access hash:/etc/postfix/rbl_override
        reject_rhsbl_helo dbl.spamhaus.org
        reject_rhsbl_reverse_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
        permit_dnswl_client swl.spamhaus.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client blackholes.mail-abuse.org
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rbl_client sbl-xbl.spamhaus.org
        reject_rbl_client korea.services.net
        reject_rbl_client bl.csma.biz
        reject_rbl_client relays.ordb.org
"if I modify this I understand that I will no longer be able to send emails from outside the company" - you will not be able to send mails from servers that are not authorized to do so via the SPF record. On the other hand, as long as it is set to ~all the whole record is useless.
Is 45.159.74.66 (or whatever IP was in the email) actually your server's address?