Trix wrote:
> Does anyone know of a method whereby we can reject messages that are
> being relayed that are supposedly coming from the recipient? Eg: sender
> = user@domain.com; recipient = user@domain.com. Any such restriction
> would come after permit_mynetworks, since of course we don't mind if
> people send to themselves internally.
>
> I was thinking of header checks, but since they're evaluated
> line-by-line, perhaps it's not possible. And if we can, I wouldn't have
> the faintest clue where to start. Does anyone have any ideas?

I think you are talking about rejecting email from the Internet
where the FROM address is forged, pretending to be a valid local user?
If so:
List all your domain names in a file called /etc/postfix/rejectmydomains:

    domain1.com REJECT
    domain2.com REJECT

Configure smtpd_sender_restrictions to be something like this:

    smtpd_sender_restrictions = reject_non_fqdn_sender,
        check_sender_access proxy:hash:/etc/postfix/senders,
        reject_non_fqdn_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access proxy:hash:/etc/postfix/rejectmydomains,
        reject_unknown_sender_domain,
        permit

This will reject email that uses your domain names in the sender address,
unless they match permit_mynetworks or permit_sasl_authenticated. Additionally,
the /etc/postfix/senders file can be used for exclusions. Or you can insert a
smtpd_client_restrictions map ahead of rejectmydomains, and allow exclusions
based on IP addresses.
--
Greg
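
Added example, not part of Greg's message and not Postfix code: a small Python model of the restriction list above, showing which restriction decides for a given client and envelope sender (check_sender_access matches the SMTP MAIL FROM address). The mynetworks ranges, the alerts@domain1.com exclusion and the function names are assumptions; reject_unknown_sender_domain is treated as passing because it needs DNS.

```python
import ipaddress

# Constructed sample values; only the two REJECT entries come from the post.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
REJECTMYDOMAINS = {"domain1.com": "REJECT", "domain2.com": "REJECT"}
SENDERS = {"alerts@domain1.com": "OK"}  # hypothetical exclusion entry

def access_lookup(table, sender):
    """Simplified access(5) search: user@domain, domain, then parent domains
    (assumes the default parent_domain_matches_subdomains setting)."""
    sender = sender.lower()
    labels = sender.rpartition("@")[2].split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return next((table[k] for k in keys if k in table), None)

def evaluate(client_ip, sasl_authenticated, sender):
    """Walk the restriction list in order; the first decisive result wins.
    Returns (action, name of the restriction that decided)."""
    _, at, domain = sender.rpartition("@")
    ip = ipaddress.ip_address(client_ip)
    steps = [  # the duplicate reject_non_fqdn_sender is omitted; it cannot fire twice
        ("reject_non_fqdn_sender",
         lambda: "REJECT" if sender and (not at or "." not in domain) else None),
        ("check_sender_access senders", lambda: access_lookup(SENDERS, sender)),
        ("permit_mynetworks",
         lambda: "OK" if any(ip in net for net in MYNETWORKS) else None),
        ("permit_sasl_authenticated", lambda: "OK" if sasl_authenticated else None),
        ("check_sender_access rejectmydomains",
         lambda: access_lookup(REJECTMYDOMAINS, sender)),
        # reject_unknown_sender_domain needs DNS; assumed to pass in this model.
        ("permit", lambda: "OK"),
    ]
    for name, check in steps:
        result = check()
        if result is not None:
            return result, name

if __name__ == "__main__":
    for case in [("203.0.113.9", False, "user@domain1.com"),    # forged from outside
                 ("192.0.2.10", False, "user@domain1.com"),     # internal client
                 ("203.0.113.9", True, "user@domain1.com"),     # authenticated user
                 ("203.0.113.9", False, "alerts@domain1.com"),  # excluded sender
                 ("203.0.113.9", False, "someone@example.org")]:
        print(case, "->", evaluate(*case))
```

An OK entry in the senders map is keyed on the same envelope address that the rejectmydomains check guards, so that address is accepted from any client. Exclusions keyed on client IP address do not have this weakness.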