Issue Blocking spoofed mail from my own domain on Plesk? (PHP mail() compatibility)

[Azurel]

Server operating system version

AlmaLinux 8.10

Plesk version and microupdate number

Plesk Obsidian 18.0.73#3

Hello,

I receive spoofed emails claiming to be from addresses on my own domain from external unknown IPs.
SPF, DKIM, and DMARC are configured correctly.

My goals:

• Only block emails spoofing for my own domains from external sources
• Allow local PHP mail() and Plesk processes

Is there a safe and effective way in Plesk to do this?

Currently smtpd_sender_restrictions in /etc/postfix/main.cf is this:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

I'm considering to change this to:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, permit_mynetworks, reject_authenticated_sender_login_mismatch, reject_sender_login_mismatch, reject_unauth_destination

Are these additions useful, and where should I place them? /etc/postfix/main.cf may be overwritten during updates, which would make my changes lost.

Thanks for advice!

 

[Sebahat.hadzhi]

I cannot confidently confirm whether the options you are planning to add won't cause any conflicts. Regarding the spoofing issue, maybe this could help:

• https://support.plesk.com/hc/en-us/...ect-a-Plesk-mail-server-against-mail-spoofing

 

[Azurel]

Thanks for the link, but unfortunately that doesn’t really help. I don’t want to reject all incoming emails — only the fake ones that appear to come from my own domain. In this case, the SPF setting is just too strict. And I definitely won’t buy an extension for something that should really be included in Plesk by default for security reasons. And I doubt that the extension even does what I'm looking for.

 

[Azurel]

I found this feature request: https://features.plesk.com/c/252-customize-etc-postfix-main-cf
Is there currently any supported or update-safe way to make this kind of change or would this only become possible once that feature request is implemented?

Why doesn’t Plesk include protection against forged mail from one’s own domain by default? It feels like a very basic and reasonable security expectation? However, I'm no postfix expert. Therefore, it would be nice to hear why this has not been done so far.

 

[Kaspar]

I found this feature request: https://features.plesk.com/c/252-customize-etc-postfix-main-cf
Is there currently any supported or update-safe way to make this kind of change or would this only become possible once that feature request is implemented?

For what it is worth, I've been using a customized Postfix setup with Plesk for many years and never has the main.cf file been overwritten by Plesk. So I think it's safe to say that the likelihood of the main.cf getting overwritten is pretty small. With that being said, it always good to make your own copies/backups of the file when you do decide to customize the configuration.

Why doesn’t Plesk include protection against forged mail from one’s own domain by default? It feels like a very basic and reasonable security expectation? However, I'm no postfix expert. Therefore, it would be nice to hear why this has not been done so far.

It's actually quite common to use different external services and configure them to send email using your own domain. For example, I am using an external billing service that sends invoices to my customers. I've configured the billing service to use an email address belong to my domain as the sending address. I also configured my registrar to use my domain to send any email notifications regarding domains expiry, renewal, ect to my customers. I also have a lot of customers who host their email with me, but have their website hosted elsewhere. They still want to receive notifications from their websites.

A server doesn't know whether or not an email it receives from your own domain is legitimated or not. Because, just like in my examples, it's very common for email from one domain to originate from different (external) servers. They primary way to authenticate which server is allowed to sent email for a particular domain is trough the use of SPF and DMARC (in combination with DKIM).

I am a little bit confused that you're saying that "the SPF setting is just too strict", while the Postfix configurations your considering are way more restrictive in my option. As these configurations would apply to all domains on your server. It also does not affect the spoofing of your domain between other servers. But everyone's needs are different. So this might be a good solutions for you, but I think it's not the most useful solution for most other users. Which is why it's probably not the default Postfix configuration used by Plesk.