4

I am trying to set up a postfix configuration where (virtual) users are allowed to only send with "From:"-addresses they own. So I put reject_authenticated_sender_login_mismatch into smtpd_sender_restrictions.

Using 

query = SELECT goto FROM alias WHERE address='%s' and active=1;

in my sender_login_maps.cf I can send mails with any sender address I want, even something like madeup@not_my_domain.com.

However, 

postmap -q "madeup@not_my_domain.com" mysql:/etc/postfix/sql/sender_login_maps.cf

returns nothing as expected.

Now if I change the query to 

SELECT goto FROM alias WHERE address='notinthedatabaseforsure' and active=1;

I am not able to send any mails at all. So far so good. But the log says

postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from...: 553 5.7.1 <user@domain.com>: 
  Sender address rejected: not owned by user user@domain.com; from=<user@domain.com> to=<user2@domain.com> proto=ESMTP helo=<[192.168.2.103]>

even if I try to send from madeup@not_my_domain.com. user@domain.com is the login name, user2@domain.com the recipient.

In a proper setup i would expect something like

postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from ...: 553 5.7.1 <madeup@not_my_domain.com>: 
  Sender address rejected: not owned by user user@domain.com; from=<madeup@not_my_domain.com> to=<user2@domain.com> proto=ESMTP helo=<[192.168.2.103]>

So it looks like postfix uses the login name to search for the login name regardless of the sender address, which explains why I can send with any sender address using the query I mentioned first.

Update: I checked my sql logs and indeed, the MySQL server never sees madeup@not_my_domain.com. It only gets queries for the login address and the recipient address user2@domain.com.

Here are the smtps part from master.cf and my main.cf:

smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=submission-header-cleanup

mynetworks = 127.0.0.0/8
inet_interfaces = all
mydomain = domain.com
myhostname = mail.domain.com
myorigin = $mydomain
mydestination =
relayhost =


smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient

smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unauth_destination,
 reject_unauth_pipelining,
 reject_invalid_hostname

smtpd_sender_restrictions =
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unauth_pipelining,
 reject_authenticated_sender_login_mismatch,
 permit_sasl_authenticated

smtpd_helo_required = yes
smtpd_helo_restrictions =   permit_mynetworks
                            reject_invalid_helo_hostname
                            reject_non_fqdn_helo_hostname
                            reject_unknown_helo_hostname

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

postscreen_access_list =        permit_mynetworks
                                cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_greet_action = drop

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1, ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_action = drop

virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
relay_domains = mysql:/etc/postfix/sql/relay_domains.cf
smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender_login_maps.cf


virtual_uid_maps = static:3000
virtual_gid_maps = static:3000
virtual_mailbox_base = /home/vmail

# Disable NIS lookup warning
alias_maps=hash:/etc/aliases

append_dot_mydomain = no
recipient_delimiter = +
sanmai
  • 1,426
staxyz
  • 609

2 Answers2

0

If a user with a login name user@example.com may only send as user@example.com you should use reject_sender_login_mismatch before permit_sasl_authenticated

smtpd_sender_restrictions = 
    # ... skip ...
    reject_sender_login_mismatch
    permit_sasl_authenticated

This option includes functionality of both reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch.

Moreover, check that your SQL query for a user returns his email (AKA login) for which postfix will run tests. If it just returns 1 or other "true" value it may not work as expected.

sanmai
  • 1,426
  • My SQL query does return the login name. Using reject_sender_login_mismatch in smtpd_recipient_restrictions does not work, too. Why would I have to put it in smtpd_recipient_restriction and not smtpd_sender_restrictions, anyway? – staxyz Dec 15 '16 at 17:53
  • If you use email everywhere, your login name must be an email too. – sanmai Dec 16 '16 at 00:36
  • You're right with smtpd_sender_restrictions – sanmai Dec 16 '16 at 00:36
  • As you can see in my question, my login names are email addresses and I already had reject_authenticated_sender_login_mismatch in smtpd_sender_restrictions. I tried reject_sender_login_mismatch before but without success, too. Besides, only authenticated users are allowed to send mails anyway so using one or the other should not make a difference. – staxyz Dec 16 '16 at 16:01
0

The solution is to put the reject_authenticated_sender_login_mismatch in the smtpd_client_restrictions field.

PS: Please note that smtpd_client_restrictions is different from smtpd_sender_restrictions.

Roman Riabenko
  • 2,286
Fülöp Zsolt
  • 1