SMTP clients are required to pass user authentication before sending emails to other domains (relay). And we can use smtpd_sender_restrictions to make sure the MAIL FROM address matches the authenticated user. But how to make sure the From address in the mail header matches the MAIL FROM address? We also want to limit Reply-To header, so spam senders can hardly use our SMTP server, even if they break some of the user passwords.
Asked
Active
Viewed 5,869 times
6
Gary Shi
- 171
- 1
- 5
-
Are you meaning to do this _only_ for authenticated users? There are many cases where it's impossible to enforce that the envelope sender matches the From: line. It may be that by enforcing this restriction _only_ for authenticated users, that you can get away with this, though. (This is speaking from a practicality of use standpoint--not an implementation standpoint) – Flimzy Jul 01 '11 at 08:56
-
Yes _only_ for authenticated users, because only authenticated users can use the SMTP server as a relay. – Gary Shi Jul 01 '11 at 09:20
-
Aside from the annoyance to your legitimate users from that `Reply-To:` restriction, don't forget what RFC 5322 section 3.6.2 actually allows for originator headers. – JdeBP Jul 01 '11 at 09:27
-
Yes, limiting `Reply-To` only applies to organization's specific IT policy. – Gary Shi Jul 01 '11 at 10:15
-
1For future readers, I ran into a similar problem, After a lot of digging around I finally came up with a solution. See here: https://serverfault.com/a/972964/94158 – Philip Couling Jun 27 '19 at 09:03
3 Answers
0
While postfix is unable to match these two fields, nowadays the milter and filter interfaces of postfix that can do, are reasonably reliable and accessible from scripting languages.
To add a program that checks mail received via SMTP, add its listening socket to /var/spool/postfix/directory/name.sock and point postfix to the relative path like unix:directory/name.sock - or have it listen on localhost and specify a port:
smtpd_milters = inet:localhost:30072
A working example of a milter that matches the header address against the envelope address is vrfydmn which is distributed in Debian & Ubuntu.
Be sure to not accidentally apply your local policy to external mail, as it is valid and common to receive mail differing envelope from, header from and reply-to address. In most setups this separation is already sufficiently achieved by only adding this milter configuration in your master.cf to your smtps port (and submission, if enabled) i.e. the port(s) exclusively accepting authenticated mail.
anx
- 6,875
- 4
- 22
- 45
-
Yeah I know, necroposting; This was one of the top voted "unanswered" question for far too long after a working solution already ships in common distros. – anx Dec 01 '20 at 04:16
0
If You want to do re-write mail headers, you'll have to have postfix pass the mail through some program which does the re-writing. Have a look at documentation for something like policyd for how that interaction works.
However, I'm not convinced that what you're describing is a good idea, or helpful with spam. If you can't rely on the behaviour of authenticated users, then you need to do content filtering much as you'd do for mail coming in for mail from unknown sources coming to your users.
mc0e
- 5,786
- 17
- 31
-
1How is that even an answer when it mostly describes the problem again? Has anyone found a concrete solution to this? I've been struggling for some time and I can't find it. Trusting the clients because they use authentication doesn't satisfy me, even if it's a crucial part of the flow. – Lethargos Apr 06 '20 at 17:10
-2
header_checks = pcre:/etc/postfix/header_checks
And in the file header_checks example data:
/^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(ade|adp|bas|bat|chm|cmd|com|cpl|crt|hlp|hta|inf|ins|isp|js|jse|lnk|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/ REJECT Sorry, we do not accept .${4} file type.
/^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.exe)"/ REJECT Sorry, we do not accept double extension .${3} file type.
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?196\.[0-9]+\.[0-9]+\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?82\.128\.([0-9]|[0-9][0-9]|1[0-1][0-9]|12[0-7])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?86\.62\.([0-9]|[0-6][0-9]|6[0-3])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?213\.136\.(9[6-9]|1[0-1][0-9]|12[0-7])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?81\.91\.2(2[4-9]|3[0-9])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?41\.[0-9]+\.[0-9]+\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?213\.181\.(6[4-9]|[7-8][0-9]|9[0-5])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?87\.255\.(9[6-9]|10[0-7])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?212\.52\.(12[8-9]|1[3-5][0-9])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
/^(Received: from|X-Originating-IP:|OriginalSenderIP:|X-AOL-IP:) \[?83\.229\.([0-9]?[0-9]|1[0-1][0-9]|12[0-7])\.[0-9]+\]?/ REJECT nigerian spam/scam/419 detected
So all you have to do is to modify it the way you want to check field From. Hope this will be helpful.
Sysadmin
- 152
- 5
-
The `header_checks` feature is entirely unfit to enforce a match between envelope and headers *because it does not have access to any envelope data*. You cannot check if two values *match* if you only have access to one. – anx Jun 11 '20 at 10:41
-
I see. Then this solution is only against a scam and for checking attachments only. Pity. – Sysadmin Jun 11 '20 at 12:58