5

I am managing a mail server. The mail server is running with multiple domains configured. The problem is that an authenticated user can use any sender email ID, and I need to prevent it. How can I do that?

Example: a sender with email anything@example.com is sending mail with the sender email address anything@yahoo.com.

I need to prevent that.

user9517
Sourav
  • In your example, are both example.com and yahoo.com domains configured for your mail server? Are you talking about the envelope sender or the From: header in the message itself? – Marie Fischer Nov 12 '11 at 15:27

2 Answers

2

You do this with the configuration option smtpd_sender_login_maps.

It requires that the user has SASL authenticated.

smtpd_sender_login_maps (default: empty)

Optional lookup table with the SASL login names that own sender
(MAIL FROM) addresses.

Specify zero or more "type:table" lookup tables. With lookups
from indexed files such as DB or DBM, or from networked tables 
such as NIS, LDAP or SQL, the following search operations
are done with a sender address of user@domain:

1) user@domain
    This table lookup is always done and has the highest precedence. 
2) user
    This table lookup is done only when the domain part of 
    the sender address matches $myorigin, $mydestination, 
    $inet_interfaces or $proxy_interfaces. 
3) @domain
    This table lookup is done last and has the lowest precedence. 

In all cases the result of table lookup must be either 
"not found" or a list of SASL login names separated by 
comma and/or whitespace.

Then you add a configuration option along with the above to the smtpd_sender_restrictions option, such as:

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
chicks
Matthew Ife
  • 1
    Where do I specify the sender addresses? Or is it set automatically? – Sourav Nov 12 '11 at 16:44
  • It's added as a comma-separated list against the SASL username mappings. – Matthew Ife Nov 12 '11 at 16:53
  • Hi Mlfe, I am extremely sorry but I am a newbie and this is getting hard for me. If you mention step by step how to do that, I can learn this wonderful solution. – Sourav Nov 12 '11 at 18:46
  • Finally I got this. Here is the solution: http://serverfault.com/questions/318334/how-to-enforce-sender-address-to-be-logged-in-userexample-org-in-postfix – Sourav Nov 12 '11 at 19:21
1

This works with Postfix 2.1+. If not, reject_sender_login_mismatch:

smtpd_sender_restrictions = reject_sender_login_mismatch

According to the Postfix documentation, reject_authenticated_sender_login_mismatch enforces reject_sender_login_mismatch.

reject_sender_login_mismatch: Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
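The lookup order quoted in the first answer and the rejection rule quoted in the second, modelled together as an added example (not code from either answer or from Postfix). The table entries, login names and `LOCAL_DOMAINS` are constructed sample values, and the function names are hypothetical.

```python
# Added illustration: a simplified model of the smtpd_sender_login_maps
# lookup order and the reject_sender_login_mismatch decision quoted above.
# All table entries, logins and domains are constructed sample values.

# Constructed table: sender address pattern -> SASL login names that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "root": "admin",                 # bare-user key, local domains only
    "@example.org": "carol",         # domain-wide owner
}
LOCAL_DOMAINS = {"mail.example.com"}  # stands in for $myorigin, $mydestination, ...


def find_owners(sender):
    """Return the owning logins for a MAIL FROM address, or None if not found."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [sender.lower()]                  # 1) user@domain, highest precedence
    if domain in LOCAL_DOMAINS:
        keys.append(user)                    # 2) user, only for local domains
    keys.append("@" + domain)                # 3) @domain, lowest precedence
    for key in keys:
        if key in SENDER_LOGIN_MAPS:
            # The result is a list separated by comma and/or whitespace.
            return SENDER_LOGIN_MAPS[key].replace(",", " ").lower().split()
    return None


def sender_login_mismatch(sender, sasl_login=None):
    """True when reject_sender_login_mismatch would reject this MAIL FROM."""
    owners = find_owners(sender)
    if sasl_login is None:
        # Not logged in: reject only if the address has an owner.
        return owners is not None
    # Logged in: reject unless the login owns the address.
    return owners is None or sasl_login.lower() not in owners


if __name__ == "__main__":
    cases = [("alice@example.com", "alice"), ("anything@yahoo.com", "alice"),
             ("sales@example.com", "bob"), ("alice@example.com", None),
             ("root@mail.example.com", "admin"), ("info@example.org", "carol")]
    for sender, login in cases:
        verdict = "REJECT" if sender_login_mismatch(sender, login) else "ok"
        print(f"{sender:24} login={login!s:6} -> {verdict}")
```

The second case is the one from the question: a logged-in user with no entry covering anything@yahoo.com is rejected, because an address with no owner in the table is not owned by that login.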