Discussion:
sender is my domain, but coming from outside -- postfix/amavisd combo did NOT tag SPF violation!
Shawn Heisey
2016-07-19 20:46:28 UTC
I'm reasonably certain that this is my own mistake, but I need help
tracking down what I've done wrong.

I have postfix/amavisd (and other software components) in a mail relay
role, sitting between an Exchange server and the Internet. All email
coming in from the Internet and all email heading out towards the
Internet passes through this installation. We have SPF information in
our DNS.

I *thought* I had everything set up so it would check SPF records on any
message coming in from the Internet, but one of our executives received
a spam email that had another of our executives as the "From" address.

At the very least, I would hope that this would result in some kind of
info (spamassassin score increase, an added header, subject
modification, etc) to indicate that SPF was violated, but there was
nothing. Looking at the headers, it definitely came from the Internet.

The postfix version is 2.11.0-1ubuntu1, amavisd is version
1:2.7.1-2ubuntu3. All the software is installed using distro packages
in Ubuntu 14.

Can I get help with this problem here? If so, what information do I
need to include?

Thanks,
Shawn
Benny Pedersen
2016-07-19 20:53:59 UTC
Post by Shawn Heisey
> Can I get help with this problem here? If so, what information do I
> need to include?
sure, where is postconf -n ? :=)

it's simple with postfix to reject own domains in postfix port 25, and
require sasl auth on port 587 and port 465

it does not really need spf
Noel Jones
2016-07-19 22:07:08 UTC
Post by Shawn Heisey
> I *thought* I had everything set up so it would check SPF records on any
> message coming in from the Internet, but one of our executives received
> a spam email that had another of our executives as the "From" address.
Are you talking about the From: header? That header is not
protected by SPF; you'll need to find another way to detect spam
with forged From: headers.

Forged From: headers are a difficult problem to solve. For example,
this message claims to be From me, but the actual sender is the
postfix-users list.


-- Noel Jones
Shawn Heisey
2016-07-22 17:53:11 UTC
Post by Benny Pedersen
> sure, where is postconf -n ? :=)
> its simple with postfix to reject own domains in postfix port 25, and
> reqire sasl auth on port 587 and port 465
> it does not really need spf
The server is *just* a spam-filtering relay. It does no authentication.
Authenticated sending is done via the Exchange server ... which then
relays through this pair of mail servers. Port 25 is all there is. Any
email generated by local servers uses this pair of servers to send.

I do have a complete list of all valid local relay destination
addresses, which gets autogenerated every 15 minutes. I do have logic
in the autogeneration to limit the number of lines that can be deleted
automatically, to prevent accidental errors. This list is used by
relay_recipient_maps.

Yes, I know all about the evils of Exchange, but I don't get a choice in
that department. That's what the company uses for corporate email
accounts, and it's not going to change. I'm using postfix so that SMTP
on Exchange is not exposed directly to the Internet.

Here's a slightly redacted postconf -n. I replaced our domain name with
REDACTED and some public IP addresses with OBFUSCATED:

========================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 524288000
maximal_queue_lifetime = 2d
message_size_limit = 52428800
mydestination = nexus1.REDACTED.com, localhost.REDACTED.com,
localhost.localdomain, localhost
myhostname = nexus1.REDACTED.com
mynetworks = 10.2.1.39 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16 OBFUSCATED/24 OBFUSCATED/24 OBFUSCATED/28 OBFUSCATED
OBFUSCATED/23 OBFUSCATED OBFUSCATED OBFUSCATED OBFUSCATED
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/client_access, cidr:/etc/postfix/postcreen_access,
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 4h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, hash:/etc/postfix/local_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 8
smtpd_client_connection_rate_limit = 12
smtpd_client_restrictions = permit_mynetworks, check_recipient_access
hash:/etc/postfix/spam_lovers, check_client_access
regexp:/etc/postfix/client_regexp, check_client_access
cidr:/etc/postfix/client_access, reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
smtpd_data_restrictions = check_client_access
cidr:/etc/postfix/rule_breakers, reject_unauth_pipelining,
permit_mynetworks, reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_error_sleep_time = 15
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, sleep 2,
check_recipient_access hash:/etc/postfix/spam_lovers,
check_recipient_access hash:/etc/postfix/recipient_access,
reject_non_fqdn_recipient, reject_unauth_destination,
reject_unknown_recipient_domain, reject_unlisted_recipient,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_recipient_access
hash:/etc/postfix/spam_lovers, check_sender_access
hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/certs/local/wildcard.combined.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
========================

Basically, if something doesn't pass permit_mynetworks, and the envelope
sender (not the From: header) is an address with a domain name that's
mentioned in hash:/etc/postfix/local_domains, I want to reject the
message. Is that possible? If necessary, I could create a second copy
of local_domains that has "reject" instead of "ok" on all lines.

Thanks,
Shawn
Benny Pedersen
2016-07-22 20:10:18 UTC
Post by Shawn Heisey
> relay_domains = $mydestination, hash:/etc/postfix/local_domains
if local_domains contains domains local, you can reject senders that
forge sender AFTER permit_sasl_auth...

postfix is always first match wins

google check_sender_access

http://www.postfix.org/SASL_README.html

so it's just in what order with hash file wins first to make it work

if mynetworks contains too many ips it's an open relay for them, in that case
remove permit_mynetworks or place it AFTER sender access, remember
permit_mynetworks must accept email without @
Shawn Heisey
2016-07-29 14:16:46 UTC
Post by Benny Pedersen
> Post by Shawn Heisey
>> relay_domains = $mydestination, hash:/etc/postfix/local_domains
> if local_domains contains domains local, you can reject senders that
> forge sender AFTER permit_sasl_auth...
You're mentioning authentication again. As I said once already, this
postfix server does NOT authenticate users. It only listens on port 25,
not port 587. I might have enabled 465, but I do not remember. All
user accounts and mailboxes are on the Exchange server, and users can
connect directly to Exchange over encrypted channels.

The pair of postfix servers are mail relays and authoritative DNS
servers. Our MX record points to a VIP that can float between the two
servers. They serve as a spam/virus filter for mail headed to and
coming from the Exchange server, and have a second role as a smarthost
for internal systems that need to send notification email. The only
"authentication" done for the smarthost role is source IP --
permit_mynetworks.

I have no interest in postfix validating "From" headers, but if the
envelope sender contains one of my domains and the sending server is not
in mynetworks, I want postfix to reject it. Is that possible?

Thanks,
Shawn
Benny Pedersen
2016-07-29 14:28:21 UTC
Post by Shawn Heisey
> Post by Benny Pedersen
>> Post by Shawn Heisey
>>> relay_domains = $mydestination, hash:/etc/postfix/local_domains
>> if local_domains contains domains local, you can reject senders that
>> forge sender AFTER permit_sasl_auth...
> You're mentioning authentication again.
sorry about that
Post by Shawn Heisey
> As I said once already, this
> postfix server does NOT authenticate users.
sorry about that as well
Post by Shawn Heisey
> It only listens on port 25,
there you go
Post by Shawn Heisey
> not port 587. I might have enabled 465, but I do not remember. All
> user accounts and mailboxes are on the Exchange server, and users can
> connect directly to Exchange over encrypted channels.
yes that's ok, but how do users from exchange send mail?, it's a bug to
use port 25
Post by Shawn Heisey
> The pair of postfix servers are mail relays and authoritative DNS
> servers. Our MX record points to a VIP that can float between the two
> servers. They serve as a spam/virus filter for mail headed to and
> coming from the Exchange server, and have a second role as a smarthost
> for internal systems that need to send notification email. The only
> "authentication" done for the smarthost role is source IP --
> permit_mynetworks.
all that is ok
Post by Shawn Heisey
> I have no interest in postfix validating "From" headers, but if the
> envelope sender contains one of my domains and the sending server is
> not
> in mynetworks, I want postfix to reject it. Is that possible?
this is not a job for postfix, if you want From: header policy use
opendkim in postfix
Viktor Dukhovni
2016-07-29 14:50:59 UTC
Post by Shawn Heisey
> I have no interest in postfix validating "From" headers, but if the
> envelope sender contains one of my domains and the sending server is not
> in mynetworks, I want postfix to reject it. Is that possible?
Yes, quite possible and widely used.

main.cf:
indexed = ${default_database_type}:${config_directory}/
smtpd_sender_restrictions =
check_sender_access ${indexed}smtp-from

smtp-from:
example.com permit_mynetworks, reject
.example.com permit_mynetworks, reject
--
Viktor.
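The check_sender_access setup Viktor describes, as an added Python model of how Postfix evaluates that smtp-from table (this is not Postfix code and not from anyone in the thread): the sender lookup keys are tried in order (full address, domain, then each parent domain with a leading dot; the null sender as the key <>), and the restriction list of the first matching key is evaluated first-match-wins against mynetworks. The key order is a simplified approximation of access(5), and the table entries, sender addresses and network ranges are constructed samples.

```python
import ipaddress

# Constructed copy of Viktor's smtp-from table: each local domain maps to a
# restriction list that Postfix evaluates first-match-wins.
SMTP_FROM = {
    "example.com": ["permit_mynetworks", "reject"],
    ".example.com": ["permit_mynetworks", "reject"],
}

# Constructed stand-in for mynetworks (the private ranges from Shawn's postconf).
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sender_lookup_keys(sender):
    """Keys in the order they are tried for an envelope sender (simplified
    access(5) order): full address, domain, then parent domains with a leading
    dot. The null sender <> is looked up under the literal key '<>'."""
    if sender == "":
        return ["<>"]
    _, _, domain = sender.rpartition("@")
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def evaluate(sender, client_ip, table=SMTP_FROM, mynetworks=MYNETWORKS):
    """Result of check_sender_access for one envelope sender and client IP:
    'permit', 'reject', or 'dunno' (no decision; later restrictions decide)."""
    addr = ipaddress.ip_address(client_ip)
    for key in sender_lookup_keys(sender):
        if key not in table:
            continue
        # First matching key wins; its value is itself a restriction list.
        for restriction in table[key]:
            if restriction == "permit_mynetworks":
                if any(addr in net for net in mynetworks):
                    return "permit"
            elif restriction == "reject":
                return "reject"
            elif restriction == "permit":
                return "permit"
        return "dunno"  # list exhausted without a decision
    return "dunno"      # not one of our domains (or <>): nothing to say here
```

Note that the null sender never matches, so bounces from outside are not rejected by this table; that is the "email without @" case Benny mentions.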