Hi all:

Some popular web/mail hosting providers in Germany have their SMTP servers configured so that anybody with an account x...@example.com can impersonate any sender address like y...@example.com, even though each user has his/her own SMTP password for sending purposes (which is usually the same password as for the IMAP server).

I found that surprising, but it is apparently regarded as normal, and some guys even positively affirm that "it is how SMTP works".

Note that I am assuming those providers are using Postfix; one of them does, according to the mail headers, but I think at least one uses Exim instead. Postfix is the only one I know a little about, so that is why I am asking here.

When I mentioned in a discussion the options 'reject_sender_login_mismatch' and 'smtpd_sender_login_maps', the first objection was that such a strict policy would generate a lot of support requests from random users when the SMTP server rejects e-mails due to envelope address mismatches.

My suggestion was to make it optional whether a particular SMTP account checks the sender address or not. Just by seeing that option, the admin would be better prepared, although I also think that the eventual error message should be helpful enough. If the e-mail address is the same as the SMTP login (which it usually is), then the error message could even mention the wrong and the right e-mail address to configure in your e-mail client.

Some other user objected then that in Postfix it is not easy to configure exceptions. At that point, I looked more closely at those configuration options, and they do look pretty strict.

Apparently, that particular user runs an ERP system which needs to send e-mails on behalf of any ERP user. I personally find it iffy for a number of reasons that the ERP system can impersonate any user when sending e-mails, but let's assume for a moment that this is desirable, or that the ERP system is not flexible enough, or whatever.

So my first question is: Is there a way to configure 'reject_sender_login_mismatch' and/or 'smtpd_sender_login_maps' so that they only apply to some SMTP accounts?

The aim here is to designate one or more "superuser" SMTP accounts which are able to skip the 'reject_sender_login_mismatch' / 'smtpd_sender_login_maps' checks, so that they can impersonate any user they like.

Failing that, I guess one could run a second Postfix instance without those configuration options, but that is not very admin-friendly. Or is there a different approach?

Those configuration options are about the envelope address (the SMTP MAIL FROM address). The Postfix documentation also mentions the "From:" mail header:

"Note: to enforce that the From: header address matches the envelope sender (MAIL FROM) address, use an external filter such as a Milter, for the submission or submissions (formerly called smtps) services."

I wonder whether Postfix is making this basic antispoofing feature too hard for basic/economic mail hosters to implement. I am thinking of some new, easy configuration option which rejects, or automatically replaces, the "From:" mail header without resorting to external filtering tools or to a full scripting language.

Or maybe there is some ready-to-use script which automatically replaces both the envelope address and the "From:" header to match the ones associated with the SMTP account, but only for those SMTP accounts listed in some configuration file? This way, not every hoster must implement it all from scratch.

Thanks in advance,
rdiez
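A small model of the documented `smtpd_sender_login_maps` lookup and the `reject_*_sender_login_mismatch` decisions, added here as an illustration; it is not part of the original post and not Postfix code. It shows that a login listed as an additional owner may send as that address under the strict check, and that a per-address entry hides an `@domain` entry. The addresses, the logins and the `erp-relay` account are made up, and the local-part-only lookup for local domains is left out.

```python
# Constructed sample table: MAIL FROM address (or @domain) -> SASL logins that
# own it. "erp-relay" is a hypothetical superuser login used for illustration.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice@example.com, erp-relay",
    "bob@example.com": "bob@example.com",   # superuser not listed here
    "@example.com": "erp-relay",            # owner of all other addresses
}

def owners(sender, table=SENDER_LOGIN_MAP):
    """Return the set of owner logins for a sender, or None if not found.

    Indexed-table lookup order: the full address first, then @domain.
    The first hit wins, so bob's own entry hides the @example.com entry.
    """
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        if key in table:
            # The lookup result is a list separated by commas and/or whitespace.
            return set(table[key].replace(",", " ").split())
    return None

def check(sender, login, restriction="reject_sender_login_mismatch"):
    """Model one restriction for one MAIL FROM; login is None if unauthenticated.

    Returns "REJECT", or "DUNNO" when this restriction does not reject.
    """
    own = owners(sender)
    # Address has an owner, but the client is not logged in at all.
    unauth_bad = login is None and own is not None
    # Client is logged in, but its login does not own the address.
    auth_bad = login is not None and (own is None or login not in own)
    if restriction == "reject_authenticated_sender_login_mismatch":
        bad = auth_bad
    elif restriction == "reject_unauthenticated_sender_login_mismatch":
        bad = unauth_bad
    elif restriction == "reject_known_sender_login_mismatch":
        # Only addresses present in the table are checked.
        bad = own is not None and (login is None or login not in own)
    else:  # reject_sender_login_mismatch: both conditions apply
        bad = auth_bad or unauth_bad
    return "REJECT" if bad else "DUNNO"
```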