Paul Kreiner's Postfix Notes and Patches

Postfix is a secure, reliable, flexible, and fast SMTP message transfer agent. I find its various anti-spam features to be particularly impressive, and as a result, I've created a few patches of my own:

In mid-2001, released a sender/domain validation patch for Postfix 1.1.x that was exceptionally useful for stopping delivery of spam with forged from: headers.

This particular type of UCE restriction has not, to my knowledge, been made available in Postfix v2, so I went ahead and ported it. The following patch applies against Postfix snapshot 20030717, but it should work for any Postfix 2.0.x release. YMMV, of course, but it's been working well at my site.

Sender/domain validation patch for Postfix 2.0.x (1.3 kb)

Basically, this patch implements a simplistic algorithm which verifies that the envelope sender's from: domain is correlated with the reverse-DNS of the mail server that is sending the mail to us. In other words, if a mail server connects from IP address, and sends us a message claiming to be from, we will check to see that reverse-resolves to an host. If it doesn't, then we will reject the mail attempt with a "sender/domain mismatch" error. Of course, mail from smaller domains, and mail from domains that don't have reverse-DNS properly set up, should NOT be checked against this rule, as they'll fail the check. This IS good, however, for checking mail which claims to be from popular domains, such as,,,,, etc.

Please read the full whitepaper at to get a better understanding of how this sender restriction works, and how/when to apply the check. The Monkeys also provide a list of about 4,400 commonly-forged domain names that can be used as a starting point when applying sender/domain validation.
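The check described above, sketched in Python as an added example; this is not the patch's own C code. The domain names and hostnames are constructed, and it assumes that a client with no reverse DNS (which Postfix reports as "unknown") fails the check when the sender claims a listed domain.

```python
# Added illustration of the sender/domain check; not taken from the patch.
# Constructed stand-in for a list of commonly forged domains.
CHECKED_DOMAINS = {"bigmail.example", "freemail.example"}


def _norm(name):
    """Lower-case a DNS name and drop whitespace and any trailing dot."""
    return name.strip().rstrip(".").lower()


def sender_domain(envelope_sender):
    """Domain part of the envelope sender, or None for the null sender <>."""
    addr = envelope_sender.strip().strip("<>")
    if "@" not in addr:
        return None
    return _norm(addr.rsplit("@", 1)[1])


def host_in_domain(hostname, domain):
    """True if hostname is the domain itself or a host beneath it.

    Matching on a label boundary keeps 'mail.notbigmail.example' from
    passing as a 'bigmail.example' host.
    """
    hostname, domain = _norm(hostname), _norm(domain)
    return hostname == domain or hostname.endswith("." + domain)


def check_sender_domain(client_rdns, envelope_sender, checked=CHECKED_DOMAINS):
    """Return (action, reason); action is 'PASS' or 'REJECT'."""
    domain = sender_domain(envelope_sender)
    if domain is None:
        return ("PASS", "null or unqualified sender")
    if domain not in checked:
        # Smaller domains, and domains without working reverse DNS, are
        # deliberately left off the list and never checked.
        return ("PASS", "sender domain not on the checked list")
    # Assumption: no reverse DNS for the client counts as a mismatch.
    if not client_rdns or _norm(client_rdns) == "unknown":
        return ("REJECT", "sender/domain mismatch")
    if host_in_domain(client_rdns, domain):
        return ("PASS", "client reverse DNS is within the sender domain")
    return ("REJECT", "sender/domain mismatch")


if __name__ == "__main__":
    for rdns, sender in [("mx1.bigmail.example", "user@bigmail.example"),
                         ("dsl-1-2-3.isp.example", "user@bigmail.example")]:
        print(rdns, sender, check_sender_domain(rdns, sender))
```

Only the reverse-DNS name of the connecting client is compared here; whether that name also forward-resolves back to the client's IP address is a separate question this sketch does not address.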