0

How do I prevent my (authenticated) users from sending email messages with either incorrect or outright falsified email FROM addresses?

My mail service is postfix and I have already set sender and recipient restriction such as reject_unlisted account or reject non fqdn domains or hostname but that hasn't worked!

How could I fix this problem in my enterprise mail services?

    readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , hash:/var/spool/postfix/plesk-pop/poplock
smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unauthenticated_sender_login_mismatch,reject_known_sender_login_mismatch,hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, reject_unlisted_sender
smtpd_recipient_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender,permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination, reject_unauth_destination, defer_unauth_destination,reject_unverified_recipient,reject_unknown_recipient_domain
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
myhostname = host.com
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
message_size_limit = 102400000
smtpd_sasl_authenticated_header = yes
disable_vrfy_command = yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
HBruijn
  • 72,524
  • 21
  • 127
  • 192
alireza m
  • 13
  • 1
  • 7

1 Answers1

4

When I format the smtpd_sender_restrictions so it becomes a little more readable:

smtpd_sender_restrictions = reject_unknown_sender_domain, 
                            reject_unauthenticated_sender_login_mismatch, 
                            reject_known_sender_login_mismatch, 
                            hash:/var/spool/postfix/plesk/blacklists, 
                            permit_sasl_authenticated, 
                            check_client_access, 
                            pcre:/var/spool/postfix/plesk/non_auth.re, 
                            check_sender_access  hash:/var/spool/postfix/plesk/blacklists

You see reject_unauthenticated_sender_login_mismatch option. That setting only enforces the reject_sender_login_mismatch restriction (to enforce that the authenticated sender is using a specific MAIL FROM address) but only for unauthenticated clients. When you're authenticating you still can use whatever FROM address you want.

For authenticated clients the next option becomes relevant: reject_known_sender_login_mismatch
That option applies the reject_sender_login_mismatch but only to addresses that are known in the smtpd_sender_login_maps.

Your configuration does not mention a smtpd_sender_login_maps so effectively that restriction is not applied to any user/email address.

Solution, to have the reject_sender_login_mismatch applied to enforce that the authenticated sender is using a specific MAIL FROM address you will need to set up the smtpd_sender_login_maps with the SASL login names that own the sender (MAIL FROM) addresses, for all users and email addresses that are in use.

Check out this Q&A for more .

HBruijn
  • 72,524
  • 21
  • 127
  • 192
  • Hbrujin, first ask for editing question for better quality, secound, it's soo amazing! when i add smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual and add reject_sender_login_mismatch in smtpd_sender_restrication then i can send every fake emails expect valid with valid email address!!! – alireza m Jun 15 '16 at 18:11
  • There is no prior approval required (for established users and moderators) before edits are applied, but you can roll-back [edits on your questions](http://serverfault.com/posts/784131/revisions) and answers that you don't like. See http://serverfault.com/help/editing – HBruijn Jun 15 '16 at 18:30
  • sorry, not "ask" just "thanks" its a bad sentence. sorry – alireza m Jun 15 '16 at 18:32
  • `hash:/var/spool/postfix/plesk/virtual` is probably an existing map which is not suitable for the purpose of `smtpd_sender_login_maps` Check the Q&A I linked to... – HBruijn Jun 15 '16 at 18:33
  • hi again, is there any works to do when create a pcre file? i added a regex like : /^(.*)@mydomain.com$/ ${1} but logs told me : fatal: open dictionary: expecting "type:name" form instead of "/etc/postfix/login_maps.pcre – alireza m Jun 16 '16 at 03:24