Paul Kreiner's Postfix Notes and Patches

Postfix is a secure, reliable, flexible, and fast SMTP message transfer agent. I find its various anti-spam features to be particularly impressive, and as a result, I've created a few patches of my own:

In mid-2001, Monkeys.com released a sender/domain validation patch for Postfix 1.1.x that was exceptionally useful for stopping delivery of spam with forged from: headers.

This particular type of UCE restriction has not, to my knowledge, been made available in Postfix v2, so I went ahead and ported it. The following patch applies against Postfix snapshot 20030717, but it should work for any Postfix 2.0.x release. YMMV, of course, but it's been working well at my site.

Sender/domain validation patch for Postfix 2.0.x (1.3 kb)


Basically, this patch implements a simplistic algorithm that verifies that the domain in the envelope sender (from:) address is correlated with the reverse DNS of the mail server that is sending the mail to us. In other words, if a mail server connects from IP address 10.2.3.4 and sends us a message claiming to be from abuse@msn.com, we check that 10.2.3.4 reverse-resolves to an msn.com host. If it doesn't, we reject the mail attempt with a "sender/domain mismatch" error.

Of course, mail from smaller domains, and mail from domains that don't have reverse DNS properly set up, should NOT be checked against this rule, as they'll fail the check. The rule IS good, however, for checking mail that claims to be from popular domains such as msn.com, hotmail.com, yahoo.com, excite.com, aol.com, etc.
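The decision logic described above, sketched in Python as an added example; it is not the code of the patch linked above. The function names, the short domain list, exact-match lookup of the sender domain, and treating a missing reverse name as a mismatch are assumptions, and the client's reverse-DNS name is passed in so the example runs offline.

```python
# Added illustration of sender/domain validation; all names here are hypothetical.

# Constructed sample list: only domains on this list are checked at all.
CHECKED_DOMAINS = {"msn.com", "hotmail.com", "yahoo.com", "excite.com", "aol.com"}


def _norm(name):
    """Lower-case a DNS name and drop surrounding space and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def sender_domain(envelope_sender):
    """Return the domain of a MAIL FROM address, or None for <> or a bare local part."""
    addr = envelope_sender.strip().strip("<>")
    if "@" not in addr:
        return None
    return _norm(addr.rsplit("@", 1)[1])


def host_in_domain(hostname, domain):
    """True if hostname is the domain itself or a host below it.

    The comparison is anchored on a label boundary, so host.evilmsn.com
    does not count as an msn.com host.
    """
    hostname, domain = _norm(hostname), _norm(domain)
    return hostname == domain or hostname.endswith("." + domain)


def check_sender(envelope_sender, client_rdns, checked=CHECKED_DOMAINS):
    """Return (action, reason); action is "REJECT" or "DUNNO" (no opinion).

    client_rdns is the reverse-DNS name of the connecting IP as resolved by
    the caller (assumed to be forward-confirmed), or None if there is none.
    """
    domain = sender_domain(envelope_sender)
    if domain is None:
        return ("DUNNO", "null or unqualified sender")
    if domain not in checked:
        return ("DUNNO", "domain not on the checked list")
    if client_rdns is None or not host_in_domain(client_rdns, domain):
        return ("REJECT", "sender/domain mismatch")
    return ("DUNNO", "reverse DNS matches sender domain")
```
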

Please read the full whitepaper at Monkeys.com to get a better understanding of how this sender restriction works, and how/when to apply the check. The Monkeys also provide a list of about 4,400 commonly-forged domain names that can be used as a starting point when applying sender/domain validation.