When managing a Postfix mail server, one particularly annoying attack vector is when spammers send emails using your own domains as the sender address (envelope FROM). While reject_sender_login_mismatch handles authenticated users attempting to spoof addresses, it doesn't cover unauthenticated senders using non-existent addresses in your domains.
Here's a robust solution that combines several Postfix features:
# In main.cf
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access,
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch
# Create sender_access file
touch /etc/postfix/sender_access
postmap /etc/postfix/sender_access
For each virtual domain you own (example.com), add this to sender_access:
@example.com REJECT Unauthenticated use of our domain
If you need exceptions (like for specific mailing lists):
# Whitelist specific senders
legit-sender@example.com OK
mailing-list@external.com PERMIT
Even with softfail, you can still use SPF checks as additional criteria:
smtpd_recipient_restrictions =
check_policy_service unix:private/policy-spf,
...other restrictions...
Always verify with:
postmap -q @yourdomain.com hash:/etc/postfix/sender_access
postfix reload
Then test by sending from an external address using your domain as the sender.
Regularly check your mail logs for rejected messages:
grep 'REJECT Unauthenticated' /var/log/mail.log
Update your sender_access file whenever you add new domains or need new exceptions.
As a mail server administrator, you've likely encountered spam where attackers spoof your own domain in the MAIL FROM or From: headers. While reject_sender_login_mismatch prevents existing accounts from being spoofed, it doesn't stop non-existent addresses in your domains.
Here's a robust method using Postfix's smtpd_sender_restrictions that works independently of SPF/DKIM:
# /etc/postfix/main.cf
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_checks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauthenticated_sender_login_mismatch,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
Create /etc/postfix/sender_checks with your virtual domains:
# Format: address ACTION
yourdomain.com REJECT Unauthorized domain usage
.example.com REJECT Unauthorized subdomain usage
Compile the map:
postmap /etc/postfix/sender_checksFor stricter validation when possible, add SPF checks:
smtpd_recipient_restrictions =
...
check_policy_service unix:private/policy-spf
...
Verify with Postfix's built-in tools:
postmap -q yourdomain.com hash:/etc/postfix/sender_checks
postfix check
postfix reload
Test by sending from an external address using your domain as the sender.
For mailing lists and forwards that break SPF, create exceptions:
# /etc/postfix/sender_checks
important-newsletter@yourdomain.com PERMIT
Check your mail logs for rejected messages:
grep 'REJECT Unauthorized domain usage' /var/log/mail.log