Postfix: Avoid users impersonating each other at same domain
TCB13, Jan 25th, 2016
This pastebin is an answer to this question: http://unix.stackexchange.com/questions/257430/postfix-users-impersonating-other-users-at-same-domain.

The solution for this problem is to:

1. Add `reject_sender_login_mismatch` to the end of the `smtpd_sender_restrictions` section;
2. In this case, add `smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender-login-maps.cf`. This is the map Postfix uses to make sure the SMTP login name and the `From` address match. Here it is done with MySQL because `virtual_mailbox_domains` and `virtual_alias_maps` are MySQL maps too.
3. Create `/etc/postfix/mysql-virtual_sender-login-maps.cf` with the following content:

```
user = emailserveruser
password = sdfjn1234ns
hosts = 127.0.0.1
dbname = mailstack
query = SELECT * FROM (SELECT email FROM `virtual_users` WHERE email = '%s' UNION SELECT destination FROM `virtual_alias` WHERE source = '%s' ) a LIMIT 1
```

Note that Postfix substitutes the `From` address for `%s` (the mysql map SQL-escapes it before substitution) and expects the query to return an address that matches the one used for SMTP authentication. In this case we first query the `virtual_users` table and, if nothing is returned from there (meaning there's no real user with that email), we query `virtual_alias` to get the `destination` address (a real user mailbox) that matches a potential email alias (our `source` column).

If there's no match the query returns nothing, which means that either 1) there's no user with that email or 2) there's no alias for that email pointing to any user. Postfix then gives the mail client a `Sender address rejected: not owned by user` error.

One caveat: because of the `LIMIT 1`, an alias that forwards to several mailboxes only authorises one of them to send as the alias. Postfix accepts a comma-separated list of login names as the lookup result, so drop the `LIMIT 1` if every destination of the alias should be allowed to use it.
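To see how the map lookup and `reject_sender_login_mismatch` interact on the three interesting cases (a real mailbox, an alias, and an attempt to send as somebody else), here is an added Python model that is not part of the paste or of Postfix itself: it runs the paste's query against an in-memory SQLite copy of the two tables (constructed sample addresses at a hypothetical `example.com`) and reproduces the accept/reject decision.

```python
import sqlite3

# Constructed sample data mirroring the two MySQL tables the paste queries:
# real mailboxes, and alias -> mailbox mappings. Addresses are hypothetical.
VIRTUAL_USERS = [("alice@example.com",), ("bob@example.com",)]
VIRTUAL_ALIAS = [("sales@example.com", "alice@example.com")]

# The query from mysql-virtual_sender-login-maps.cf, with the two '%s'
# placeholders replaced by bound parameters (Postfix escapes %s itself).
# SQLite accepts MySQL-style backtick-quoted identifiers.
SENDER_LOGIN_QUERY = """
SELECT * FROM (SELECT email FROM `virtual_users` WHERE email = ?
               UNION SELECT destination FROM `virtual_alias` WHERE source = ?) a
LIMIT 1
"""


def build_db():
    """Create the in-memory stand-in for the 'mailstack' database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE virtual_users (email TEXT PRIMARY KEY)")
    con.execute("CREATE TABLE virtual_alias (source TEXT, destination TEXT)")
    con.executemany("INSERT INTO virtual_users VALUES (?)", VIRTUAL_USERS)
    con.executemany("INSERT INTO virtual_alias VALUES (?, ?)", VIRTUAL_ALIAS)
    return con


def sender_login_lookup(con, mail_from):
    """smtpd_sender_login_maps lookup: the login that owns mail_from, or None."""
    row = con.execute(SENDER_LOGIN_QUERY, (mail_from, mail_from)).fetchone()
    return row[0] if row else None


def check_sender(con, sasl_login, mail_from):
    """Model reject_sender_login_mismatch for an authenticated client.

    Accept only when the map result equals the SASL login name; a lookup
    miss (unknown address) is treated as 'not owned' and rejected.
    The comparison is simplified to an exact string match.
    """
    owner = sender_login_lookup(con, mail_from)
    if owner is None or owner != sasl_login:
        return "REJECT: Sender address rejected: not owned by user"
    return "OK"


if __name__ == "__main__":
    db = build_db()
    for login, sender in [("alice@example.com", "alice@example.com"),
                          ("alice@example.com", "sales@example.com"),
                          ("bob@example.com", "alice@example.com")]:
        print(f"login={login} from={sender}: {check_sender(db, login, sender)}")
```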