Postfix: Avoid users impersonating each other at same domain

TCB13 Jan 25th, 2016 161 Never
This pastebin is an answer to this question:
------------------

The solution for this problem is to:

1. Add `reject_sender_login_mismatch` to the end of the `smtpd_sender_restrictions` section;
2. In this case, add `smtpd_sender_login_maps = mysql:/etc/postfix/`. This is the map Postfix uses to make sure the sender login email and the `from` field match. In this case it's done on MySQL because `virtual_mailbox_domains` and `virtual_alias_maps` are based on MySQL maps too.
3. Create `/etc/postfix/` with the following content:

```````
# MySQL account and database used for the lookup
user = emailserveruser
password = sdfjn1234ns
hosts =
dbname = mailstack
# %s is the sender address; the result must be the login that owns it
query = SELECT * FROM (SELECT email FROM `virtual_users` WHERE email = '%s' UNION SELECT destination FROM `virtual_alias` WHERE source = '%s' ) a LIMIT 1
```````

Note that Postfix gives you the `From` email as `%s` and expects the query to return an address that matches the one used for SMTP authentication. In this case we first query the `virtual_users` table and, if nothing is returned from there (meaning there's no real user with that email), we query `virtual_alias` to get the `destination` address (a real user mailbox) that matches a potential email alias (our `source` column).

If there's no match, the query returns nothing, which means that: 1) there's no user with that email, and 2) there's no alias to any user with that email. Postfix then gives the mail client a `Sender address rejected: not owned by user` error.
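
The lookup described above can be checked offline. This is an added example, not part of the original paste: it runs the paste's query against an in-memory SQLite database standing in for MySQL, with constructed `example.com` rows, and models how Postfix compares the owner returned for the envelope sender (`MAIL FROM`) with the SASL login. `ALL_OWNERS_QUERY` is a variant that is not in the paste.

```python
import sqlite3

# The page's lookup query; Postfix's '%s' becomes a SQLite placeholder.
PAGE_QUERY = """
SELECT * FROM (SELECT email FROM virtual_users WHERE email = ?
               UNION
               SELECT destination FROM virtual_alias WHERE source = ?) a
LIMIT 1"""
# Variant that is not on the page: same lookup without the row limit.
ALL_OWNERS_QUERY = PAGE_QUERY.replace("LIMIT 1", "")
REJECT = "Sender address rejected: not owned by user"

def build_db():
    """Constructed sample data: two mailboxes, a personal and a shared alias."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE virtual_users (email TEXT PRIMARY KEY);
        CREATE TABLE virtual_alias (source TEXT, destination TEXT);
        INSERT INTO virtual_users VALUES ('alice@example.com'), ('bob@example.com');
        INSERT INTO virtual_alias VALUES
            ('sales@example.com', 'alice@example.com'),
            ('team@example.com',  'alice@example.com'),
            ('team@example.com',  'bob@example.com');
    """)
    return db

def owners(db, mail_from, query=PAGE_QUERY):
    """Logins the map returns for an envelope sender (empty list: no entry)."""
    return [row[0] for row in db.execute(query, (mail_from, mail_from))]

def check(db, sasl_login, mail_from, query=PAGE_QUERY):
    """Model reject_sender_login_mismatch for an authenticated client."""
    found = [o.lower() for o in owners(db, mail_from, query)]
    return "OK" if sasl_login.lower() in found else REJECT

if __name__ == "__main__":
    db = build_db()
    for login, sender in [
        ("alice@example.com", "alice@example.com"),  # own mailbox
        ("alice@example.com", "sales@example.com"),  # alias that points at alice
        ("bob@example.com", "alice@example.com"),    # impersonation attempt
        ("bob@example.com", "ceo@example.com"),      # address in neither table
        ("alice@example.com", "team@example.com"),   # shared alias: LIMIT 1 keeps
        ("bob@example.com", "team@example.com"),     # only one of its two owners
    ]:
        print(f"{login:18} MAIL FROM:<{sender}> -> {check(db, login, sender)}")
```

Postfix accepts a list of owners for one address, so the last two rows show the cost of `LIMIT 1`: only one member of a shared alias can send as it.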