by VladVladikoff 472 days ago
It's good to hear you are working on 2FA; that is certainly one of the biggest requests we receive lately for our self-hosted email, and has almost pushed me to switch to cloud-based services.

With regards to Thunderbird and 2FA, it appears that there are some third-party solutions. I don't quite understand how they work; looks like they are using SAML or something. https://www.miniorange.com/thunderbird-2fa-mfa-two-factor-au...

To give you an example for the BEC filters we are using, we use the Postfix header checks with a negative lookahead regex. For example:

  # /etc/postfix/header_checks 
  # block impersonations
  /^From:\s"?Firstname.*(Lastname)?"?.*?<(?!(.*@domain1\.com|.*@domain2\.com|.*@domain3\.com|personal\.email\.account@gmail\.com)>).*$/ REJECT Sorry the server is busy right now.

I would say that this approach is certainly not ideal; it's hacky and manually maintained. I personally believe that a smart mail server should be aware of what its users use for firstname-lastname-email.address@domain.tld combinations and it should either block or soft block (show warning badges in the webmail client) mail which does not follow the pattern of the defined users.

We also use the mime header checks to block some bad attachment types (this is kind of old-school; there are certainly more modern approaches):

  # /etc/postfix/mime_header_checks 
  # block bad attachments
  /^\s*Content-(Disposition|Type).*name\s*=\s*"?([^;]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|htm|html|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|sh|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh)\b)(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"

Re #4: yes, I agree, modifying the actual mail breaks DKIM; you can really only do this in webmail.
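
The directory-aware display-name check wished for in the comment above, sketched as an added example that is not part of the original comment or of any mail server's own code. The `_USERS` directory, the `check_from` name and the sample headers are constructed for illustration; it parses the `From:` value with Python's `email` package instead of a regex, so quoted, reordered and RFC 2047 encoded names are compared in the form a mail client would display.

```python
import unicodedata
from email.policy import default as default_policy

# Constructed directory: each known display name and the addresses that
# person legitimately sends from (mirrors the allow-list in the regex above).
_USERS = {
    "Firstname Lastname": {"firstname.lastname@domain1.com",
                           "personal.email.account@gmail.com"},
}

def _norm(name):
    """Case-fold, NFKC-normalise and sort name tokens so that
    'Lastname, Firstname' and 'FIRSTNAME  LASTNAME' compare equal."""
    text = unicodedata.normalize("NFKC", name or "").casefold()
    for ch in ',"':
        text = text.replace(ch, " ")
    return " ".join(sorted(text.split()))

DIRECTORY = {_norm(n): {a.lower() for a in addrs} for n, addrs in _USERS.items()}

def check_from(value):
    """Classify one From: header value as 'ok', 'impersonation' or 'unknown'."""
    # header_factory parses the address list and decodes RFC 2047
    # encoded-words, so the comparison sees the name a mail client displays.
    header = default_policy.header_factory("From", value)
    verdict = "unknown"
    for addr in header.addresses:
        allowed = DIRECTORY.get(_norm(addr.display_name))
        if allowed is None:
            continue                    # name does not claim to be a known user
        if addr.addr_spec.lower() not in allowed:
            return "impersonation"      # known name, unexpected address
        verdict = "ok"
    return verdict

if __name__ == "__main__":
    samples = [  # constructed From: values
        '"Firstname Lastname" <firstname.lastname@domain1.com>',
        '"Lastname, Firstname" <billing@example.net>',
        '=?UTF-8?Q?Firstname_Lastname?= <billing@example.net>',
        'Someone Else <someone@example.org>',
    ]
    for s in samples:
        print(f"{check_from(s):14} {s}")
```

An `impersonation` verdict can drive either a reject or the soft-block warning badge, depending on where the check runs.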