R. Diez via Postfix-users:
> So my first question is: Is there a way to configure
> 'reject_sender_login_mismatch' and/or 'smtpd_sender_login_maps'
> so that they only apply to some SMTP accounts? The aim here is to
> designate one or more "superuser" SMTP accounts which are able to
> skip the 'reject_sender_login_mismatch' / 'smtpd_sender_login_maps'
> checks, so that they can impersonate any user they like.

/etc/postfix/main.cf:
    smtpd_sender_login_maps =
        unionmap:{hash:/etc/postfix/sender_logins,
        pcre:/etc/postfix/sender_logins.pcre}

/etc/postfix/sender_logins:
    # Match specific accounts.
    [email protected] bob
    [email protected] alice

/etc/postfix/sender_logins.pcre:
    # Match any account.
    /./ super-admin1, super-admin2

If you don't want to allow the super-admins to impersonate bob and
alice, then you need to remove the unionmap:{ } encapsulation above.

> Those configuration options are about the envelope address (the
> SMTP MAIL FROM address). The Postfix documentation also mentions
> the "From:" mail header:
>
> "Note: to enforce that the From: header address matches the envelope
> sender (MAIL FROM) address, use an external filter such as a Milter,
> for the submission or submissions (formerly called smtps) services."

And it mentions https://github.com/magcks/milterfrom.

> I wonder whether Postfix is making this basic antispoofing feature
> too hard for basic/economic mail hosters to implement. I am thinking
> of some new, easy configuration option which rejects, or automatically
> replaces, the "From:" mail header without resorting to external
> filtering tools or to a full scripting language.
>
> Or maybe there is some ready-to-use script which automatically
> replaces both the envelope address and the "From:" header to match
> the ones associated with the SMTP account, but only for those SMTP
> accounts listed in some configuration file? This way, not every
> hoster must implement it all from scratch.

Postfix is not making it too hard. There is no deliberate effort
to sabotage users. Postfix just does not have support built-in to
make this particular thing "easy".

This actually involves multiple features: 1) overriding envelope.from
with a mapping from sasl.login or unix.login; 2) overriding header.from
with envelope.from, presumably with a yes/no filter. It's not limited
to SMTP: there also is a policy for submissions with the Postfix
sendmail command-line tool.

        Wietse
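
An added illustration, not part of the message above and not Postfix code: a small Python model of the two lookup behaviours the reply describes (unionmap versus a plain table list), useful for auditing which login may use which sender address. The example.com addresses are constructed placeholders, lookups use only the full address, and all function names are hypothetical.

```python
import re

# Constructed sample tables: addresses are placeholders, login names are
# the ones used in the message above.
HASH_TABLE = {"bob@example.com": "bob", "alice@example.com": "alice"}
PCRE_TABLE = [(re.compile(r"."), "super-admin1, super-admin2")]


def hash_lookup(key):
    """Exact-match table, like hash:/etc/postfix/sender_logins."""
    return HASH_TABLE.get(key)


def pcre_lookup(key):
    """Pattern table: the first matching pattern supplies the result."""
    for pattern, result in PCRE_TABLE:
        if pattern.search(key):
            return result
    return None


def unionmap(key, tables):
    """unionmap:{...}: query every table and join all found results."""
    found = [r for r in (t(key) for t in tables) if r is not None]
    return ", ".join(found) if found else None


def first_match(key, tables):
    """Plain table list: the first table that returns a result wins."""
    for table in tables:
        result = table(key)
        if result is not None:
            return result
    return None


def owners(result):
    """Split a lookup result into login names (comma and/or whitespace)."""
    return {name for name in re.split(r"[,\s]+", result or "") if name}


def login_may_send(login, sender, lookup):
    """Simplified check for an authenticated client: the sender is allowed
    when it has no listed owner or the login is one of its owners."""
    owner_set = owners(lookup(sender, [hash_lookup, pcre_lookup]))
    return not owner_set or login in owner_set
```
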