
We are running inbound mail services using Postfix for a large number of domains and looking to reject more junk email earlier in the path.

We have already implemented the postconf setting remote_header_rewrite_domain = domain.invalid, which means that any email arriving for any of our domains without a domain in the From: header will get @domain.invalid appended.

This is fine - but we want to tighten it further, and reject messages with malformed From: headers instead of just 'marking' them.

There is the Postfix header_checks ACL that allows a PCRE expression to match any header and make a decision based on that.

Does the header_checks ACL get checked before the remote_header_rewrite_domain, or after (which would allow us to use @domain.invalid in our PCRE)?

Can anyone see an issue with rejecting email based on a missing domain in the From: header?

Thanks!

CrayFishUK

1 Answer

Because messages by design must have a domain in all specified header addresses, it is not unreasonable to treat your replacement domain similarly to other top-level domains that indicate spam. But it may be unnecessarily strict. Because lacking the domain is neither common outside of harmless mistakes and bugs, nor outperforming other phishing tricks, do not create a new special case for something that is not really that special.

E.g. do not start blocking those messages that do have a name, just one without a domain, while at the same time still allowing messages with such a header containing a group name and nothing else.


Postfix header_checks with PCRE is not the right tool, because it cannot parse the complex structure of the address headers and would treat even reasonable occurrences of your replacement string incorrectly. Remember, the From header is a mailbox list; it can contain group names, comments, folding, escaping, display names, ... If you already have something that mostly correctly parses RFC 5322, configure your list of worst domains there.

anx
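To illustrate the answer's point about parsing, here is an added example (not from the question or the answer) that compares a pattern match on the raw From: value with a structured parse. It assumes Python's standard `email` package as the RFC 5322 parser; the function names and sample headers are constructed for illustration.

```python
import re
from email import policy

MARKER = "domain.invalid"  # the remote_header_rewrite_domain value from the question

# Roughly what a header_checks pattern would do: look for the marker anywhere
# in the raw header value, with no knowledge of the address structure.
NAIVE = re.compile(r"@domain\.invalid\b", re.IGNORECASE)


def naive_flag(from_value):
    """True if the raw From: value contains the marker domain anywhere."""
    return bool(NAIVE.search(from_value))


def parsed_flag(from_value, marker=MARKER):
    """Return the mailboxes in From: whose domain is missing or is the marker.

    Only real addr-specs are inspected; display names, comments and empty
    groups are ignored because the parser keeps them separate.
    """
    hdr = policy.default.header_factory("From", from_value)
    flagged = []
    for addr in hdr.addresses:
        if addr.domain == "" or addr.domain.lower() == marker:
            suffix = "@" + addr.domain if addr.domain else ""
            flagged.append(addr.username + suffix)
    return flagged


# Constructed sample From: values (not taken from real traffic).
SAMPLES = [
    "alice@domain.invalid",                                   # rewritten bare address
    "alice",                                                  # bare address before rewriting
    '"support@domain.invalid via list" <bob@example.org>',    # marker in display name
    "Carol <carol@example.org> (was carol@domain.invalid)",   # marker in a comment
    "Undisclosed recipients:;",                               # group name, no mailbox
    "Bob <bob@example.org>, eve@domain.invalid",              # mailbox list, one bad entry
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}\n  regex={naive_flag(value)}  parsed={parsed_flag(value)}")
```

The third and fourth samples are the cases where the raw pattern would reject a message whose actual sender address has a valid domain.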