Reject incoming emails that use your own domain as sender

I found two possible methods, but maybe there is a better way.

1st method:

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    permit

Now I modified my smtpd_sender_login_maps to return an entry of admin if the domain exists in the domains table. This way a record is returned, even when the emailadress doesn't exist as maibox/alias, but not when a foreign domain is the from address.

table = domain
query = SELECT username AS allowedUser FROM mailbox WHERE username="%s" AND deleted_at IS NULL \
UNION SELECT goto FROM alias WHERE address="%s" AND active = 1 \
UNION select 'admin' from domain where domain = '%d'

2nd method:

This approach uses a check_sender_access lookup which returns a reject action if the domain is a virtual one and the user is not sasl_authenticated.

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    check_sender_access proxy:mysql:$config_directory/mysql_reject_virtual_domains.cf,
    permit

mysql_reject_virtual_domains.cf:

table = domain
query = select 'Reject 530 SMTP authentication is required' from domain where domain = '%d'

3rd method (thanks to masegaloeh):

smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated
    reject_unlisted_sender,
    permit

I don't know how many cpu-load/SQL-queries reject_unlisted_sender generates, as it checks quite many things:


Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.

An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.

  • The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
  • The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.
  • The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
  • The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.