0

Lately spammers are using my mail server to send emails to different addresses. For example, a colleague of mine received an email that was supposedly self-sent (it was not). Looking at the information in the email I find the following:

Received-SPF: softfail (domain.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail.domain.com.py; identity=mailfrom; envelope-from="[email protected]"; helo="[45.159.74.66]"; client-ip=45.159.74.66.

How can I stop them from using my mail server to send this kind of emails? I understand that the problem is being the ~all mechanism, but if I modify this I understand that I will no longer be able to send emails from outside the company, is this correct?

It would be very helpful if you could guide me on how to solve this.

My mail server is Postfix.

EDIT:

My main.cf is this:

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_helo_access hash:/etc/postfix/helo_access
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unknown_helo_hostname
        reject_unauth_pipelining
        reject_non_fqdn_hostname
        reject_invalid_hostname
        warn_if_reject reject_unknown_hostname
        permit


smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unknown_sender_domain
        reject_unknown_reverse_client_hostname
        reject_unknown_client_hostname

policy_time_limit = 3600

smtpd_recipient_restrictions =
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_policy_service unix:private/policy
        check_policy_service unix:/var/spool/postfix/postgrey/socket
        reject_unauth_pipelining
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_invalid_hostname
        check_client_access hash:/etc/postfix/rbl_override
        reject_rhsbl_helo dbl.spamhaus.org
        reject_rhsbl_reverse_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
        permit_dnswl_client swl.spamhaus.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client blackholes.mail-abuse.org
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rbl_client sbl-xbl.spamhaus.org
        reject_rbl_client korea.services.net
        reject_rbl_client bl.csma.biz
        reject_rbl_client relays.ordb.org
4
  • 1
    Provide your postfix config and people will be able to tell you what could be fixed/improved. We can't guess. Commented Dec 7, 2023 at 11:51
  • if I modify this I understand that I will no longer be able to send emails from outside the company - you will not be able to send mails from servers that are not authorized to do so via the SPF record. On the other hand, as long as it is set to ~all the whole record is useless. Commented Dec 7, 2023 at 11:54
  • Thank you for taking the time to answer my question Gerald. I just edited my initial post with my main.cf configuration. Did you mean this?
    – np1
    Commented Dec 7, 2023 at 11:56
  • Lately spammers are using my mail server to send emails to different addresses. This seems unlikely, given that the email contains a softfail header. If the mail was indeed originated from your server, that would be a pass (unless the SPF record is completely wrong). Is 45.159.74.66 (or whatever IP was in the email) actually your server's address?
    – Lacek
    Commented Dec 7, 2023 at 12:38

2 Answers 2

0

As Gerald already pointed out, SPF setup can be improved without any issue (I suppose).

Moreover, in order to add, on top of SPF, another layer of security, I suggest you to activate DKIM authentication method on your domain.

Basically you have to add a TXT record in your domain containing a public key properly set by your SMTP provider. With GMAIL is pretty easy, you can find a very clear guide at the following link.

Once active, only your SMTP server has the private key able to properly sign your outgoing emails and every recipient can check the authenticity of your messages using the public key publicly available on your domain TXT record.

It's something like the following (from here):

v=DKIM1; p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE40658267AB2FC3CB6CBE

Later, you can also activate the DMARC record so you can tell receiving servers what to do with outgoing messages that don’t pass SPF or DKIM. You can also receive a daily report with all the emails sent from your domain and some details about the sender IP address. Its verbosity can be reduced otherwise it can be overwhelming...

0

I would recommend to integrate postfix with spamassian. https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin

I would implement these configuration directives to harden your postfix

    myhostname = hostname
    myorigin = domain 
    mydomain = domain 
    mydestination = $myhostname, localhost.$mydomain, localhost, example.com
    mynetworks = 127.0.0.0/8
    smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
    relay_domains = 
    relay_host = 

Especially mydestination is important there you specify which domains to accept mail for.

It might be worth to use a service like sendgrid to send mail through. Then you can use smtp over tls. https://docs.sendgrid.com/for-developers/sending-email/postfix. And sendgrid has become a well known service as outgoing mta as a service

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .