I am trying to set up a postfix configuration where (virtual) users are allowed to only send with "From:"-addresses they own. So I put reject_authenticated_sender_login_mismatch into smtpd_sender_restrictions.
Using
query = SELECT goto FROM alias WHERE address='%s' and active=1;
in my sender_login_maps.cf I can send mails with any sender address I want, even something like madeup@not_my_domain.com.
However,
postmap -q "madeup@not_my_domain.com" mysql:/etc/postfix/sql/sender_login_maps.cf
returns nothing as expected.
Now if I change the query to
SELECT goto FROM alias WHERE address='notinthedatabaseforsure' and active=1;
I am not able to send any mails at all. So far so good. But the log says
postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from...: 553 5.7.1 <user@domain.com>:
Sender address rejected: not owned by user user@domain.com; from=<user@domain.com> to=<user2@domain.com> proto=ESMTP helo=<[192.168.2.103]>
even if I try to send from madeup@not_my_domain.com. user@domain.com is the login name, user2@domain.com the recipient.
In a proper setup I would expect something like
postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from ...: 553 5.7.1 <madeup@not_my_domain.com>:
Sender address rejected: not owned by user user@domain.com; from=<madeup@not_my_domain.com> to=<user2@domain.com> proto=ESMTP helo=<[192.168.2.103]>
So it looks like postfix uses the login name to search for the login name regardless of the sender address, which explains why I can send with any sender address using the query I mentioned first.
Update: I checked my sql logs and indeed, the MySQL server never sees madeup@not_my_domain.com. It only gets queries for the login address and the recipient address user2@domain.com.
Here are the smtps part from master.cf and my main.cf:
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=submission-header-cleanup
mynetworks = 127.0.0.0/8
inet_interfaces = all
mydomain = domain.com
myhostname = mail.domain.com
myorigin = $mydomain
mydestination =
relayhost =
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_recipient
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  reject_authenticated_sender_login_mismatch,
  permit_sasl_authenticated
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  reject_unknown_helo_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
postscreen_access_list =
  permit_mynetworks
  cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_greet_action = drop
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
  dnsbl.sorbs.net*1,
  bl.spamcop.net*1,
  ix.dnsbl.manitu.net*2,
  zen.spamhaus.org*2
postscreen_dnsbl_action = drop
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
relay_domains = mysql:/etc/postfix/sql/relay_domains.cf
smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender_login_maps.cf
virtual_uid_maps = static:3000
virtual_gid_maps = static:3000
virtual_mailbox_base = /home/vmail
# Disable NIS lookup warning
alias_maps=hash:/etc/aliases
append_dot_mydomain = no
recipient_delimiter = +
Best Answer
If a user with a login name user@example.com may only send as user@example.com you should use reject_sender_login_mismatch before permit_sasl_authenticated.
This option includes functionality of both reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch.
Moreover, check that your SQL query for a user returns his email (AKA login) for which postfix will run tests. If it just returns 1 or other "true" value it may not work as expected.
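A simplified model of how the restrictions named in the answer evaluate smtpd_sender_login_maps, following their description in postconf(5): the lookup key is the envelope sender (MAIL FROM) and the result is the list of logins that own it. This is an added example, not code from the post or from Postfix; the map contents are constructed, and address-extension and @domain fallback lookups are left out.

```python
import re

# Constructed sample data standing in for smtpd_sender_login_maps results:
# key = envelope sender (MAIL FROM), value = login name(s) that own it.
GOOD_MAP = {
    "user@domain.com": "user@domain.com",
    "sales@domain.com": "user@domain.com, user2@domain.com",
}
# A query that returns a "true" value instead of the owner's login.
FLAG_MAP = {"user@domain.com": "1"}


def owners(sender_login_map, mail_from):
    """Return the set of logins that own mail_from (empty if no match)."""
    value = sender_login_map.get(mail_from.lower(), "")
    return {o.lower() for o in re.split(r"[,\s]+", value) if o}


def check(restriction, sender_login_map, mail_from, sasl_login=None):
    """Simplified model of the three *_sender_login_mismatch restrictions.

    Returns (action, reason); "DUNNO" means the restriction has no opinion,
    so Postfix moves on to the next restriction in the list.
    """
    owned_by = owners(sender_login_map, mail_from)
    auth = restriction in ("reject_sender_login_mismatch",
                           "reject_authenticated_sender_login_mismatch")
    unauth = restriction in ("reject_sender_login_mismatch",
                             "reject_unauthenticated_sender_login_mismatch")
    if sasl_login is not None:
        # Authenticated client: the login must be listed as an owner.
        if auth and sasl_login.lower() not in owned_by:
            return ("REJECT", f"not owned by user {sasl_login}")
    elif unauth and owned_by:
        # Unauthenticated client using an address that has an owner.
        return ("REJECT", "not logged in")
    return ("DUNNO", "")
```

In this model an empty lookup result rejects every authenticated sender, which matches the behaviour the question reports for the query that matches no row.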