Issue Blocking spoofed mail from my own domain on Plesk? (PHP mail() compatibility)

[Azurel]

Server operating system version

AlmaLinux 8.10

Plesk version and microupdate number

Plesk Obsidian 18.0.73#3

Hello,

I receive spoofed emails claiming to be from addresses on my own domain from external unknown IPs.
SPF, DKIM, and DMARC are configured correctly.

My goals:

• Only block emails spoofing for my own domains from external sources
• Allow local PHP mail() and Plesk processes

Is there a safe and effective way in Plesk to do this?

Currently smtpd_sender_restrictions in /etc/postfix/main.cf is this:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

I'm considering to change this to:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, permit_mynetworks, reject_authenticated_sender_login_mismatch, reject_sender_login_mismatch, reject_unauth_destination

Are these additions useful, and where should I place them? /etc/postfix/main.cf may be overwritten during updates, which would make my changes lost.

Thanks for advice!

 

[Sebahat.hadzhi]

I cannot confidently confirm whether the options you are planning to add won't cause any conflicts. Regarding the spoofing issue, maybe this could help:

• https://support.plesk.com/hc/en-us/...ect-a-Plesk-mail-server-against-mail-spoofing

 

[Azurel]

Thanks for the link, but unfortunately that doesn’t really help. I don’t want to reject all incoming emails — only the fake ones that appear to come from my own domain. In this case, the SPF setting is just too strict. And I definitely won’t buy an extension for something that should really be included in Plesk by default for security reasons. And I doubt that the extension even does what I'm looking for.

 

[Azurel]

I found this feature request: https://features.plesk.com/c/252-customize-etc-postfix-main-cf
Is there currently any supported or update-safe way to make this kind of change or would this only become possible once that feature request is implemented?

Why doesn’t Plesk include protection against forged mail from one’s own domain by default? It feels like a very basic and reasonable security expectation? However, I'm no postfix expert. Therefore, it would be nice to hear why this has not been done so far.