While working on figuring out a way to block email sent to and from external users, without blocking email to or from internal domain and allowing relay…. I had this idea: What if I could check the SPF record of a domain when checking the from header of a domain. This would allow me to dynamically permit emails from any MTA that the domain administrator has already permitted on their end.
So here’s the concept.
Postfix policy when in the initial mail header phase, checks the RFC5321.MailFrom header, and then does the following lookups
- Check if the from domain is listed in the local whitelist database
- Check the local cache (defined later)
- Check the value of a new variable, dns_lookup=true/false
- if true: lookup the public ip address of the mta serve with curl
- if false: check if the IP address is in the var
- Check either the IP from DNS or the predefined public ip address against the from domain’s SPF record.
- if an exact positive match (standard spf check, ignoring the results of ~all, +all, ?all, etc) save the positive result to a local cache.
- otherwise save it as rejected, and reject the message with a 554 sender address verification failed.
This will do a few things.
- Help keep spam from leaving your network
- Help prevent email spoofing attacks
- Help prevent bounce attacks from 3rd party mail systems rejecting spf at the inbound mx
- Keep spools low on the outbound MTAs
There’s a ton of postfix addons out there. I haven’t tried them all, but I don’t see one that fits the bill.
Oh, the initial concept Q/A post here at serverfault.