On 05/01/2024 19:44, Taco de Wolff via Postfix-users wrote:

Hi,

I'm trying to understand how the reject_unlisted_sender option works
in the smtpd_sender_restrictions option. This is what I understand it
to do:

For any received mail (it is an smtpd option after all), either for
receiving mail from an external server or for sending mail from a
logged in user with SASL, it checks whether the sender domain
(envelope FROM) is a valid recipient address (i.e. in my case the
domain exists in the virtual_mailbox_domains) for this server, and if
it is not it will reject.

When testing however, it was accepting mail from an external server
(gmail) to be delivered to an existing mailbox, but the sender domain
was x...@gmail.com which is not a listed sender for my server
obviously! Why are these mails not rejected? I don't want them to be
rejected, but it is what I understood reject_unlisted_sender to do.

My goal is to prevent spoofing of the envelope FROM (since we can't
control the header FROM from Postfix) for outgoing mail, I do this by
setting smtpd_sender_login_maps and adding
reject_sender_login_mismatch to the smtpd_sender_restrictions. This
works perfectly for SASL authenticated users by forcing the envelope
FROM to be the same as the login username (u...@domain.com), and I
think the reject_unlisted_sender option would be redundant in this
case. However, mail delivered locally (sendmail from system or from
PHP) is not checked by the smtpd options, and I need a way to force
the envelope sender for certain system users to
nore...@primary-domain-of-user.com so that a PHP application can't
spoof the envelope FROM when using sendmail. I use `sendmail -f
nore...@primary-domain-of-user.com --` as the PHP sendmail_path, but
I'd like to force this in Postfix for security.

Regarding spoofing of the header FROM, if they use a different domain
name than their envelope FROM (whether it is a permitted sender for
the server or not), the destination server will likely reject it due
to invalid DKIM. This is something I'll take up with the milter
(rspamd) that does the DKIM signing, to reject any mail that it cannot
DKIM sign. It will be possible to use a different local part:
int...@example.com could impersonate himself as ad...@example.com (not
sure if that is something I want to fix).

Kind regards,
Taco de Wolff
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Hi Taco

you might find the address class readme useful in this context
https://www.postfix.org/ADDRESS_CLASS_README.html#classes.

A reject_unlisted_recipient that worked as you are suggesting, that can
reject x...@gmail.com, would not be useful since your server cannot have
the list of potentially valid senders for domains that are not managed
by your server. Such addresses are in the "default domain class" which
does not have any "valid recipient" table.

The thing to note about reject_unlisted_sender is that it rejects the
senders that would be rejected as recipients by
reject_unlisted_recipient. i.e. it rejects senders that would not be
valid recipients on your server.

So if address aaa@yourdomain does not exist on your server
reject_unlisted_sender would reject it. If address bbb@yourdomain does
exist reject_unlisted_sender would not reject it.

So if you are aiming to prevent forgeries arriving via smtp at port 25
then reject_unlisted_sender will do this for a subset (those that are
not valid addresses for your server). If you want to prevent all
forgeries, you'd need to set up a sender access table with a REJECT
action for your domain(s), and obviously not apply that to submission.
However that could break some legitimate use cases, such as mail forwarding.

As for adding security to php use of sendmail, sendmail does not enforce
the kind of controls you want. If you are concerned about forgeries from
php then it is best to disable the use of sendmail from php or
substitute the php sendmail setting with something custom that performs
the controls you want before invoking sendmail.

If you disable sendmail from php that way people will have to
authenticate to your submission service from php to send emails.

John
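
One possible shape for the custom sendmail_path replacement suggested in the reply above, as an added example that is not part of the thread and not Postfix code. The system user names, addresses, the allowed flag set and the /usr/sbin/sendmail path are assumptions for illustration.

```python
#!/usr/bin/env python3
"""sendmail_path wrapper: pins the envelope sender per system user."""
import os
import pwd
import sys

SENDMAIL = "/usr/sbin/sendmail"  # assumed location of Postfix sendmail(1)

# Constructed sample mapping: system user -> the only envelope sender it may use.
FORCED_SENDER = {
    "www-example": "noreply@example.com",
    "www-shop": "noreply@shop.example",
}
ALLOWED_FLAGS = {"-t", "-i", "-oi"}  # the options PHP's default sendmail_path needs


def build_argv(user, args, forced=FORCED_SENDER):
    """Return the argv for the real sendmail, ignoring any caller-chosen sender."""
    if user not in forced:
        raise PermissionError(f"user {user!r} may not submit mail")
    flags, recipients = [], []
    it = iter(args)
    for arg in it:
        if arg == "--":                      # end of options: the rest are recipients
            recipients.extend(it)
            break
        if arg in ("-f", "-r"):              # sender given as a separate argument
            next(it, None)                   # drop its value too
        elif arg.startswith(("-f", "-r")):   # sender glued on, e.g. -fboss@example.com
            continue
        elif arg in ALLOWED_FLAGS:
            flags.append(arg)
        elif arg.startswith("-"):            # -C, -F, -O ...: refuse rather than guess
            raise ValueError(f"option {arg!r} is not allowed")
        else:
            recipients.append(arg)
    return [SENDMAIL, "-f", forced[user], *flags, "--", *recipients]


def main():
    user = pwd.getpwuid(os.getuid()).pw_name  # real UID, not an environment variable
    try:
        argv = build_argv(user, sys.argv[1:])
    except (PermissionError, ValueError) as exc:
        sys.stderr.write(f"sendmail-wrapper: {exc}\n")
        return 1
    os.execv(SENDMAIL, argv)


if __name__ == "__main__":
    sys.exit(main())
```

The wrapper runs with the same privileges as its caller, so the pinning only holds if the PHP code has no other way to execute the real sendmail binary.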