daily pastebin goal
30%
SHARE
TWEET

Postfix: Avoid users impersonating each other at same domain

TCB13 Jan 25th, 2016 152 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. This pastebin is an answer to this question: http://unix.stackexchange.com/questions/257430/postfix-users-impersonating-other-users-at-same-domain.
  2. ------------------
  3.  
  4. The solution for this problem is to:
  5.  
  6. 1. Add `reject_sender_login_mismatch` to the end of the `smtpd_sender_restrictions` section;
  7. 2. In this case, add `smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender-login-maps.cf`. This is the maps used by postfix to make sure the sender login email and `from` field match. In this case it's done on MySQL because `virtual_mailbox_domains` and `virtual_alias_maps` are based on MySQL maps too.
  8. 3. Create `/etc/postfix/mysql-virtual_sender-login-maps.cf` with the following content:
  9. ```````
  10. user = emailserveruser
  11. password = sdfjn1234ns
  12. hosts = 127.0.0.1
  13. dbname = mailstack
  14. query = SELECT * FROM (SELECT email FROM `virtual_users` WHERE email = '%s' UNION SELECT destination FROM `virtual_alias` WHERE source = '%s' ) a LIMIT 1
  15. ```````
  16.  
  17. Note that postfix will give you the `From` email as `%s` and it excepts to receive as result of a query an address that matches the one used on the SMTP autentication. In this case we first query the `virtual_users` table and if nothing is returned from there (meaning there's no real user with that email) we query `virtual_alias` in order to get the `destination` address (a real user mailbox) that matches a potential email alias (our `source` col).
  18. If there's no match, the query returns nothing, it means that: 1) there's no such user with that email 2) there's no such alias to any user with that email. Postfix then gives the mail client a `Sender address rejected: not owned by user` error.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand