18

I have set up a Postfix server with SMTP AUTH (STARTTLS on port 587). All my users are in the domain "example.org". I want to enforce the sender address to be "logged-in-user@example.org".

I learned that this can be achieved with the main.cf options

smtpd_sender_restrictions = reject_sender_login_mismatch, ...
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps

with a login_maps file like:

a@example.org a
b@example.org b
c@example.org c
...

(see also Block sender address spoofing with SMTP AUTH), but this would mean I'll have to edit the login_maps file every time I have a new user. I don't need such a flexible mapping: it should always be "logged-in-user@example.org". Is there an easier option?

EEAA
Chris Lercher

3 Answers

16

First, check whether your installation of Postfix supports pcre by entering the command postconf -m and looking for a line with pcre in it. Once you have verified that you have pcre support, you can do as follows:

/etc/postfix/login_maps.pcre:

/^(.*)@example\.org$/   ${1}

In main.cf:

smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre

This should work fine.

mailq
  • This is perfect. Exactly what I was looking for! – Chris Lercher Oct 04 '11 at 18:56
  • 3
    For Ubuntu users, you can get postfix pcre with `sudo apt-get install postfix-pcre`. Maybe this was obvious to most. – NeilMonday Mar 01 '16 at 02:48
  • No way to omit the domain in the regex or reference `$myhostname` variable?. [Here](http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps) you can see that Postfix is capable to search the lookup table by the user part of the email... – Jaime Hablutzel Jan 14 '18 at 04:17
  • I believe you'll want to backslash-escape the '.' character in the domain name so it is interpreted as a literal match: /^(.*)@example\.org$/ – Arnon Apr 05 '18 at 17:42
  • Otherwise, this matches "test@exampleXorg" as well as "test@example.org", which may not be exactly the intended behavior. – Arnon Apr 05 '18 at 18:11
9

The regex mentioned in the other answer matches the user part of the email address (logged-in-user@example.org). Here is some additional information.

To use the full email address as username, use the following regex (for example in /etc/postfix/login_map):

/^(.*)$/   ${1}

This means that your username is always your full email address (logged-in-user@example.org) - no other existing username is allowed to send from that address - and you don't have to update an additional Postfix config file every time you add a user.

This might be used on a server that has multiple domains configured. User john.doe@example.com is only allowed to send from that address but not from john.doe@example.org (different user and email, different person). The username john.doe would be ambiguous in this case.

Also, depending on your configuration, the smtpd_sender_login_maps setting, which has to point to this file, may be in the master.cf (instead of main.cf). The official Dovecot documentation has the following example (if you're using SASL/submission):

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

In this example, the setting should be adjusted to point to the right file and use regex or (better) pcre as type. Especially if a file called "virtual" is already used for another purpose (for example for virtual_alias_maps, as shown in an official Postfix example), another file should be used for the login mapping.

From:

smtpd_sender_login_maps=hash:/etc/postfix/virtual

To:

smtpd_sender_login_maps=pcre:/etc/postfix/login_map
c0xc
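To see what the two lookup tables above decide before touching a live server, here is an added Python model (not Postfix code and not from either answer) of a pcre_table(5) lookup followed by the reject_sender_login_mismatch rule as postconf(5) describes it: reject when the MAIL FROM address has an owner the client is not logged in as, or when an authenticated client uses an address it does not own. The table contents are constructed from the answers; the unescaped-dot variant is the mistake the comments warn about.

```python
import re

# Constructed tables in "/pattern/ result" form. Postfix pcre tables match
# case-insensitively by default, which the lookup below reproduces.
USER_PART_TABLE = r"/^(.*)@example\.org$/   ${1}"    # answer 1: login = local part
FULL_ADDRESS_TABLE = r"/^(.*)$/   ${1}"              # answer 2: login = whole address
UNESCAPED_DOT_TABLE = r"/^(.*)@example.org$/   ${1}"  # '.' matches any char (bug)


def parse_pcre_table(text):
    """Parse '/regex/ result' lines; blank lines and '#' comments are skipped."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)$", line)
        if not m:
            raise ValueError("unparsable pcre table line: " + line)
        table.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return table


def lookup(table, address):
    """Owner login names for address (first matching pattern wins), or None."""
    for pattern, result in table:
        m = pattern.search(address)
        if m:
            # Expand $1 / ${1} in the result, as Postfix does; result may be a
            # comma-separated list of owners.
            expanded = re.sub(r"\$\{?(\d+)\}?",
                              lambda g: m.group(int(g.group(1))), result)
            return [owner.strip().lower() for owner in expanded.split(",")]
    return None


def sender_login_mismatch(table, mail_from, sasl_login):
    """Model reject_sender_login_mismatch: True means Postfix would reject.

    sasl_login is None for a client that did not authenticate.
    """
    owners = lookup(table, mail_from)
    if sasl_login is None:
        return owners is not None          # unauthenticated use of an owned address
    return owners is None or sasl_login.lower() not in owners
```

On a real server the equivalent check is `postmap -q user@example.org pcre:/etc/postfix/login_maps.pcre`, which prints the owner the table yields for that address.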
0

Can you use a combination of regexps on the header as shown here: http://www.akadia.com/services/postfix_uce.html? Then you can combine it with a regexp like [*@example.org] to ensure only senders from example.org.

sonstabo