Prevent mail server spoofing

You can configure Postfix to watch for messages that are coming from other servers masquerading as your mail server.

While greylisting is enabled by default with mail service, as an added precaution you can have Postfix watch for other mail servers masquerading as your mail server. This can further decrease possible spam to your users.

  1. Make a backup of the /Library/Server/Mail/Config/postfix/main.cf file:

    sudo cp /Library/Server/Mail/Config/postfix/main.cf /Library/Server/Mail/Config/postfix/main.bak
  2. Open /Library/Server/Mail/Config/postfix/main.cf in a text editor.

  3. Modify or replace the existing smtpd_helo_restrictions entry to match the following:

    smtpd_helo_restrictions = check_helo_access hash:/Library/Server/Mail/Config/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
  4. Create the /Library/Server/Mail/Config/postfix/helo_access file:

    sudo touch /Library/Server/Mail/Config/postfix/helo_access
  5. Open /Library/Server/Mail/Config/postfix/helo_access in a text editor and add the following lines, substituting MailServerIPAddress and MailServerDomainName as appropriate (add additional lines for additional domain names your mail server may be using):

    MailServerIPAddress REJECT You aren't me.
    MailServerDomainName REJECT You aren't me.
  6. Update the Postfix lookup tables:

    sudo /usr/sbin/postmap /Library/Server/Mail/Config/postfix/helo_access
  7. Verify your changes:

    sudo /usr/sbin/postfix check
  8. Restart mail service in the Server app or from the command line with:

    sudo /usr/sbin/postfix reload
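
The following script is an added example, not part of the original procedure or of Postfix: it checks the helo_access file from step 5 before you run postmap, and queries the built table after step 6. The function names are hypothetical, and the address 192.0.2.10 and name mail.example.com are constructed sample values.

```shell
#!/bin/sh
# Added example: lint helo_access before running postmap (not Apple's or Postfix's code).
# lint_helo_access FILE IDENTITY...
#   FILE      the helo_access source file from step 5
#   IDENTITY  each IP address / domain name the mail server uses

lint_helo_access() {
    file=$1; shift
    status=0
    # This page's table uses "<key> REJECT <text>", one entry per line.
    # A second REJECT on the same line means two entries were merged; the
    # second key would then be part of the first entry's reject text and
    # never matched. Lines with leading whitespace are reported too.
    bad=$(awk 'NF == 0 || $1 ~ /^#/ { next }
        { n = 0; for (i = 2; i <= NF; i++) if ($i == "REJECT") n++
          if ($0 ~ /^[ \t]/ || $2 != "REJECT" || n != 1) print NR }' "$file")
    for n in $bad; do
        echo "line $n: expected exactly one '<key> REJECT <text>' entry"
        status=1
    done
    # Every identity the server answers to needs its own REJECT key.
    for id in "$@"; do
        if ! awk -v k="$id" 'tolower($1) == tolower(k) && $2 == "REJECT" { f = 1 }
                 END { exit !f }' "$file"; then
            echo "missing REJECT entry for $id"
            status=1
        fi
    done
    return $status
}

# After step 6, query the built table the way Postfix will (needs postmap).
query_helo_access() {
    file=$1; shift
    for id in "$@"; do
        printf '%s -> %s\n' "$id" "$(postmap -q "$id" "hash:$file" || echo 'no match')"
    done
}

# Constructed sample: documentation address and domain, entries merged on one line.
sample=$(mktemp)
printf '%s\n' "192.0.2.10 REJECT You aren't me. mail.example.com REJECT You aren't me." > "$sample"
lint_helo_access "$sample" 192.0.2.10 mail.example.com || echo "fix $sample before postmap"
rm -f "$sample"
```

Run lint_helo_access against the real file with your server's address and every domain name it uses; a clean run prints nothing and returns 0.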