On 15 Jul 2019, at 18:11, Trever L. Adams via dovecot <dovecot@dovecot.org> wrote:
So, one of the problems I am seeing is that people are trying to fake users into revealing information by sending from an outside domain but with an internal reply to address and claiming to be administration, IT or what not.
You should not accept external mail claiming to be from your domain unless that mail comes via authenticated submission. But if the reply to is going to an internal address…
I’m puzzled by exactly what you mean here. Are you saying that users on your system are trying to phish other users on your system?
I can set up something that will reject if from is outside the domain by reply to is internal. The problem is in some setups, there are fetchmail setups. I do not want to reject these with a message. Which is what I am currently doing for the others. Maybe I should discard them all without rejecting.
I haven’t used fetch mail in many many years, so I can’t answer anything specifically about it, but if you use it to allow external senders to send mail via your system in a way that is not authenticated then you should not do that.
-- NON-FLAMMABLE IS NOT A CHALLENGE Bart chalkboard Ep. BABF13