
I have already read hundreds of posts all over the internet and I couldn't find anything that solves my problem. So I decided to write this post and hope somebody can help me. First I want to apologize for my bad English; I hope you understand what I mean, and if not, don't bother to ask questions back.

Problem:

I have a problem with limiting SASL-authenticated users to send mails just from the Postfix configuration. I know that this can be accomplished by using the "reject_sender_login_mismatch" and "smtpd_sender_login_maps" tags in the Postfix main.cf.

But the problem seems to be that Postfix does not match the FROM mail field against the smtpd_sender_login_maps; instead it matches the SASL username (in my case also an email address). It's clear that this condition is always true, because the SASL username exists no matter what is really written in the FROM field.

I noticed this when I turned on debugging (debug_peer_list = client ip) and sent a mail from the spoofed address any_other@any_other.xy with Thunderbird to recipient@domain.xy. I don't see the real FROM field in the mail.log; instead the SASL login (sasl_user@domain.xy) is interpreted as the FROM address.

Extract from /var/log/mail.log:

....
postfix/smtps/smtpd[3525]: watchdog_pat: 0xXXXXXXXXX
postfix/smtps/smtpd[3525]: < unknown[XXXXXXXXX]: AUTH PLAIN XXXXXXXXX
postfix/smtps/smtpd[3525]: query milter states for other event
postfix/smtps/smtpd[3525]: milter8_other_event: milter local:/opendkim/opendkim.sock
postfix/smtps/smtpd[3525]: xsasl_dovecot_server_first: sasl_method PLAIN, init_response XXXXXXXXX
postfix/smtps/smtpd[3525]: xsasl_dovecot_handle_reply: auth reply: OK?1?user=sasl_user@domain.xy?
postfix/smtps/smtpd[3525]: > unknown[XXXXXXXXX]: 235 2.7.0 Authentication successful
postfix/smtps/smtpd[3525]: watchdog_pat: 0xXXXXXXXXX
postfix/smtps/smtpd[3525]: < unknown[XXXXXXXXX]: MAIL FROM:<sasl_user@domain.xy> BODY=8BITMIME SIZE=443
postfix/smtps/smtpd[3525]: extract_addr: input: <sasl_user@domain.xy>
postfix/smtps/smtpd[3525]: smtpd_check_addr: addr=sasl_user@domain.xy
postfix/smtps/smtpd[3525]: connect to subsystem private/rewrite
postfix/smtps/smtpd[3525]: send attr request = rewrite
postfix/smtps/smtpd[3525]: send attr rule = local
postfix/smtps/smtpd[3525]: send attr address = ""
....

When I grep over the syslog and mail.log for the real FROM address, I don't find anything either:

root@XXXXXX:/etc/postfix# cat /var/log/syslog /var/log/mail.log  |grep -i any_other@any_other.xy

Configurations:

root@XXXXXX:/etc/postfix# postconf -n

alias_database = hash:/etc/aliases
alias_maps =
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 3h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_transport = error:Local Transport Disabled
luser_relay = webmaster@XXXXXX
mailbox_size_limit = 0
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 6
mydestination = XXXXXX, localhost, localhost.localdomain, localhost, autoreply.XXXXXX
mydomain = XXXXXX
myhostname = XXXXXX
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 XXXXXX/24
myorigin = /etc/mailname
non_smtpd_milters = local:/opendkim/opendkim.sock
policyd-spf_time_limit = 3600
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP XXXXXX (Linux)
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_milters = local:/opendkim/opendkim.sock
smtpd_recipient_restrictions = reject_sender_login_mismatch permit_mynetworks reject_unknown_recipient_domain check_policy_service inet:127.0.0.1:12340 reject_unauth_destination check_policy_service unix:private/policyd-spf permit_sasl_authenticated check_sender_ns_access cidr:/etc/postfix/drop.cidr check_sender_mx_access cidr:/etc/postfix/drop.cidr check_policy_service inet:127.0.0.1:10023 reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client bl.spamcop.net reject_rbl_client pbl.spamhaus.org reject_rbl_client xbl.spamhaus.org reject_rbl_client zen.spamhaus.org reject_rbl_client sbl.spamhaus.org reject_rbl_client b.barracudacentral.org reject_rbl_client bl.spamcannibal.org permit
smtpd_reject_footer = For assistance, write webmaster@XXXXXX. Please provide the following information in your problem report: time ($localtime), client ($client_address) client Port ($client_port) and server ($server_name).
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_authenticated_sender_login_mismatch reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated check_sender_ns_access cidr:/etc/postfix/drop.cidr check_sender_mx_access cidr:/etc/postfix/drop.cidr check_policy_service inet:127.0.0.1:10023 reject_rbl_client ix.dnsbl.manitu.net reject_unauth_destination permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_user_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_authenticated_sender_login_mismatch, reject_unlisted_sender, reject_unauth_pipelining,
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/sslcert/server.crt
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/sslcert/server.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_session_cache
smtpd_use_tls = yes
soft_bounce = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transports
virtual_alias_maps = ldap:/etc/postfix/ldap_virtual_alias_maps-vacation.cf ldap:/etc/postfix/ldap-virtual_alias_maps-forward.cf proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf ldap:/etc/postfix/ldap_virtual_mail_distribution.cf ldap:/etc/postfix/ldap_virtual_mail_redirect.cf
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
virtual_transport = dovecot

cat /etc/postfix/master.cf

...
...
smtp      inet  n       -       -       -       -       smtpd 
  -o smtpd_tls_security_level=may
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd 
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
...

cat /etc/postfix/ldap_user_maps.cf

bind = yes
bind_dn = xxxx
bind_pw = xxxx
server_host = ldaps://domain.xy:636
search_base = dc=xxxx,dc=xxxx
query_filter = (&(mail=%s))
result_attribute = mail, uid, AlternateAddress

Source code of the spoofed mail:

Return-Path: <sasl_user@domain.xy>
X-Original-To: recipient@domain.xy
Delivered-To: recipient@domain.xy
Received: from localhost (XXXXXXXXXXXXXXX [127.0.0.1])
    by XXXXXXXXXXXXXXX (Postfix) with ESMTP id XXXXXXXXXXXXXXX
    for <recipient@domain.xy>; Thu, 10 Aug 2017 20:15:39 +0000 (UTC)
Received: from XXXXXXXXXXXXXXX ([127.0.0.1])
    by localhost (XXXXXXXXXXXXXXX [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XXXXXX-XXXXXX for <recipient@domain.xy>;
    Thu, 10 Aug 2017 20:15:39 +0000 (UTC)
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=XXXXXXXXXXXXXXX; helo=[XXXXXXXXXXXXXXX]; envelope-from=sasl_user@domain.xy; receiver=<UNKNOWN> 
Received: from [XXXXXXXXXXXXXXX] (unknown [XXXXXXXXXXXXXXX])
    (Authenticated sender: sasl_user@domain.xy)
    by XXXXXXXXXXXXXXX (Postfix) with ESMTPSA id XXXXXXXX
    for <recipient@domain.xy>; Thu, 10 Aug 2017 20:15:38 +0000 (UTC)
To: Recipient <recipient@domain.xy>
From: Any other user <any_other@any_other.xy>
Subject: sdfsdf
Message-ID: <6xxx5ab6-7x1c-4x3b-55x6-ab8ba3xxxx1@XXXXXXXXXXXXXXX>
Date: Thu, 10 Aug 2017 22:15:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.2) Gecko/20100101
 Thunderbird/51.8.16
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

If you need more information, don't bother asking. Thanks for your help.

  • I don't think you mean to say "don't bother" asking for more information. I think you mean to say, "if you need more information, just ask." You've done a good job at providing information, but you didn't clearly state what your end result is. Why does this matter to you? Why is this a problem? What are you trying to accomplish? – Appleoddity Aug 10 '17 at 22:00
  • Thanks for your notes. It's a problem because I need to prevent users from sending mails pretending to be someone else; in a business environment this is not acceptable. If you look into the source code of the mail it's easy to see who the real sender is, but for "normal" users who just look into the FROM field it's not perceptible. – eliassummer Aug 10 '17 at 22:09

1 Answer

There's a difference between the header field From: and the MAIL FROM: command.

As you can see in your example from the header field Return-Path:, it was sent from <sasl_user@domain.xy>, which Postfix checked for.

While it may be possible to have Postfix check if the From: field corresponds to MAIL FROM:, it may not always be favourable (cf. Legitimate reasons SMTP “MAIL FROM:” will not match “From:” Header in DATA).

Also, in order to ensure authenticity it is probably better to have your users use mail encryption/signing via S/MIME or OpenPGP. (cf. https://technet.microsoft.com/en-us/library/aa995740(v=exchg.65).aspx)

stefan0xC
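To make the answer's point concrete, here is an added example (not part of the original question or answer, and not Postfix code) that parses a message like the one in the question and reports separately whether the envelope sender (Return-Path:, what reject_sender_login_mismatch validates) and the header From: (what it does not validate) belong to the SASL login recorded by smtpd_sasl_authenticated_header. The LOGIN_MAP dict, the sample message and its IP/id placeholders are constructed stand-ins for the asker's LDAP smtpd_sender_login_maps lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message in the question (IP and id are placeholders).
SAMPLE = """\
Return-Path: <sasl_user@domain.xy>
Received: from [203.0.113.5] (unknown [203.0.113.5])
    (Authenticated sender: sasl_user@domain.xy)
    by mx.domain.xy (Postfix) with ESMTPSA id PLACEHOLDER
    for <recipient@domain.xy>; Thu, 10 Aug 2017 20:15:38 +0000 (UTC)
To: Recipient <recipient@domain.xy>
From: Any other user <any_other@any_other.xy>
Subject: sdfsdf

test
"""

# Stand-in for smtpd_sender_login_maps: SASL login -> addresses that login may use
# (the question's LDAP map returns mail, uid and AlternateAddress per user).
LOGIN_MAP = {"sasl_user@domain.xy": {"sasl_user@domain.xy", "alias@domain.xy"}}


def sasl_login(msg):
    """SASL login written into Received: by smtpd_sasl_authenticated_header = yes, or None."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\(Authenticated sender:\s*([^\s)]+)\)", rcvd)
        if m:
            return m.group(1).lower()
    return None


def check_message(raw, login_map=LOGIN_MAP):
    """Report which sender identities are owned by the authenticated login.

    envelope_ok mirrors what reject_sender_login_mismatch enforces on MAIL FROM:;
    header_ok is the check Postfix does not perform on the From: header.
    """
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header = parseaddr(msg.get("From", ""))[1].lower()
    login = sasl_login(msg)
    owned = login_map.get(login, set()) if login else set()
    return {
        "login": login,
        "envelope_ok": envelope in owned,
        "header_ok": header in owned,
    }
```

A message is only flagged on the header side, which is exactly the gap the asker observed: the envelope passes the login map while the displayed From: does not.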