Create a file containing the following (where yourdomain.com is the domain your authenticated users send from):

    yourdomain.com    permit_sasl_authenticated, reject

postmap the file. Then use:

    smtpd_recipient_restrictions = ... check_sender_access hash:/path/to/file ...

Note that permit_sasl_authenticated is removed from the recipient restrictions, because that is handled by check_sender_access.

This will give two-fold security:

Anyone that is authenticated MUST use your domain to take advantage of authentication. E.g., if they send a mail from, let's say, some...@someotherdomain.com, it will be "relay rejected" even if they authenticate.

Also, the second "reject" in the map file will force-reject anyone that attempts to use "yourdomain.com" as sender without authentication. This affects everyone who tries to send a mail, with your domain as sender, into a local mailbox, for example:

    MAIL FROM: ad...@yourdomain.com
    RCPT TO: vic...@yourdomain.com

That sender will then be rejected with the reason that the sender address is invalid, UNLESS they authenticate before.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Pascal Maes
Sent: 10 March 2016 14:54
To: postfix-users@postfix.org
Subject: MAIL FROM validity

Hello,

From time to time, one of our users is caught by a phishing attempt. His account is then used to send spam and generally the MAIL FROM does not match one of our addresses.

I found this to test the validity of the MAIL FROM:

/etc/postfix/main.cf :

    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
    smtpd_recipient_restrictions =
        ...
        reject_sender_login_mismatch
        permit_sasl_authenticated
        ...

with /etc/postfix/controlled_envelope_senders (in our case):

    email uid

but that will not be easy to implement here; for example, some addresses are used by a few people and we don't always know that.

Would it be possible to test only the existence of the MAIL FROM?

Regards,
-- 
Pascal
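The sender access map suggested in the reply can be traced case by case with a small model. This is an added example, not part of the thread and not Postfix code; it assumes the "..." in smtpd_recipient_restrictions ends with reject_unauth_destination and that yourdomain.com is the only locally delivered domain, and the envelopes are constructed.

```python
# Simplified model (added example, not Postfix source) of how Postfix walks
# smtpd_recipient_restrictions with the sender access map from the reply.
LOCAL_DOMAINS = {"yourdomain.com"}   # assumption: domains delivered locally
SENDER_ACCESS = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}
# Assumption: the "..." in the reply ends with reject_unauth_destination.
RESTRICTIONS = ["check_sender_access", "reject_unauth_destination"]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def walk(restrictions, sender, rcpt, authenticated):
    """Return (verdict, restriction) for the first decisive restriction."""
    for name in restrictions:
        if name == "check_sender_access":
            # access(5) tries the full address, then the domain part.
            actions = (SENDER_ACCESS.get(sender.lower())
                       or SENDER_ACCESS.get(domain_of(sender)))
            if actions:
                verdict, _ = walk(actions, sender, rcpt, authenticated)
                if verdict != "DUNNO":
                    return verdict, name
        elif name == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", name
        elif name == "reject":
            return "REJECT", name
        elif (name == "reject_unauth_destination"
              and domain_of(rcpt) not in LOCAL_DOMAINS):
            return "REJECT", name
    return "DUNNO", None


def decide(sender, rcpt, authenticated):
    """Reaching the end of the list without a reject accepts the mail."""
    verdict, name = walk(RESTRICTIONS, sender, rcpt, authenticated)
    return ("PERMIT" if verdict == "DUNNO" else verdict), name


if __name__ == "__main__":
    cases = [  # constructed sample envelopes
        ("alice@yourdomain.com", "bob@example.net", True),
        ("admin@yourdomain.com", "victim@yourdomain.com", False),
        ("spam@someotherdomain.com", "bob@example.net", True),
        ("spam@someotherdomain.com", "victim@yourdomain.com", True),
    ]
    for sender, rcpt, auth in cases:
        print(f"{sender} -> {rcpt} auth={auth}: {decide(sender, rcpt, auth)}")
```

The last case shows that an authenticated client using a foreign sender address is still accepted for local recipients, exactly as unauthenticated inbound mail would be; only relaying to outside domains is refused.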