Paul Kreiner's Postfix Notes and Patches
Postfix is a secure, reliable, flexible, and fast SMTP message
transfer agent. I find its various anti-spam features to be particularly impressive, and as a result,
I've created a few patches of my own:
In mid-2001, Monkeys.com released a sender/domain validation patch for Postfix 1.1.x that was
exceptionally useful for stopping delivery of spam with forged from: headers.
This particular type of UCE restriction has not, to my knowledge, been made available in Postfix v2,
so I went ahead and ported it. The following patch applies against Postfix snapshot 20030717, but it
should work for any Postfix 2.0.x release. YMMV, of course, but it's been working well at my site.
Sender/domain validation patch for Postfix 2.0.x (1.3 kb)
Basically, this patch implements a simplistic algorithm which verifies that the envelope sender's
from: domain is correlated with the reverse-DNS of the mail server that is sending the mail to us.
In other words, if a mail server connects from IP address 10.2.3.4, and sends us a message claiming to be
from abuse@msn.com, we will check to see that 10.2.3.4 reverse-resolves to an msn.com host.
If it doesn't, then we will reject the mail attempt with a "sender/domain mismatch" error. Of course,
mail from smaller domains, and mail from domains that don't have reverse-DNS properly set up, should NOT
be checked against this rule, as they'll fail the check. This IS good, however, for checking mail
which claims to be from popular domains, such as msn.com, hotmail.com, yahoo.com, excite.com, aol.com, etc.
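The check described above, written out as a stand-alone C function. This is an added example, not code from the patch or from Postfix: the names sdv_check, name_in_domain and sdv_sample_domains, the three result codes, and the convention that a client without a reverse name is passed as NULL or "unknown" are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

enum sdv_result { SDV_SKIP, SDV_PASS, SDV_REJECT };

/* Constructed sample list; a real list comes from the site's own policy. */
static const char *const sdv_sample_domains[] = { "msn.com", "hotmail.com", "yahoo.com", "aol.com" };
#define SDV_NSAMPLE (sizeof(sdv_sample_domains) / sizeof(sdv_sample_domains[0]))

/* True if name equals domain or ends in ".domain" (match on a label boundary). */
static int name_in_domain(const char *name, const char *domain)
{
    size_t nl = strlen(name), dl = strlen(domain);

    if (nl > 0 && name[nl - 1] == '.')      /* ignore a trailing root dot */
        nl--;
    if (dl == 0 || nl < dl || strncasecmp(name + nl - dl, domain, dl) != 0)
        return 0;
    return nl == dl || name[nl - dl - 1] == '.';
}

/* sender: envelope MAIL FROM address; client_name: reverse-DNS name of the
 * connecting IP, or NULL/"unknown" when there is none (assumed convention). */
enum sdv_result sdv_check(const char *sender, const char *client_name,
                          const char *const *domains, size_t ndomains)
{
    const char *at = sender ? strrchr(sender, '@') : NULL;
    size_t i;

    if (at == NULL || at[1] == '\0')
        return SDV_SKIP;                    /* null sender or no domain part */
    for (i = 0; i < ndomains; i++) {
        if (!name_in_domain(at + 1, domains[i]))
            continue;                       /* not a checked domain */
        if (client_name == NULL || strcasecmp(client_name, "unknown") == 0)
            return SDV_REJECT;              /* no reverse name to compare */
        return name_in_domain(client_name, domains[i]) ? SDV_PASS : SDV_REJECT;
    }
    return SDV_SKIP;                        /* unlisted domains are never checked */
}

int main(void)
{
    printf("%d\n", sdv_check("abuse@msn.com", "mail.example.net", sdv_sample_domains, SDV_NSAMPLE));
    return 0;
}
```

A PTR record is set by whoever controls the reverse zone for the connecting address, so the comparison only means something when client_name has been forward-confirmed (the name resolves back to the same IP). The label-boundary test is what keeps a host such as evilmsn.com from passing as msn.com.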
Please read the full whitepaper at Monkeys.com to get a better understanding of how this sender
restriction works, and how/when to apply the check. The Monkeys also provide a list of about 4,400
commonly-forged domain names that can be used as a starting point when applying sender/domain validation.