On 2016-04-03 04:35, Hamy wrote:
Hi
I am using /smtpd_sender_login_maps/ on submission port to enforce the
envelope 'mail from:' command, and it's working as expected. The
problem however is that the user can still use any arbitrary 'From:'
header field that she wants and opendkim will happily sign it. I am
looking for a way to enforce the From: header field to match the SASL
authenticated username. Ideally this should happen before queuing so I
can reject the message while the SMTP session is still in progress.
It is my understanding that /header_checks/ can't be used for this as
its functionality is very limited.
What are my options? Can anyone please help?
Thank you in advance
Best Regards,
A quick search uncovered four options for *smtpd_sender_restrictions*
which you should check.
*reject_authenticated_sender_login_mismatch*
Enforces the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
for authenticated clients only. This feature is available in Postfix
version 2.1 and later.
*reject_known_sender_login_mismatch*
Apply the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
only to MAIL FROM addresses that are known in
$smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This feature is available in Postfix version 2.11 and later.
*reject_sender_login_mismatch*
Reject the request when $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps> specifies
an owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
*reject_unauthenticated_sender_login_mismatch*
Enforces the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
for unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.
BR
Tobias
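
The following is an added example, not part of the thread and not Postfix code: a simplified Python model of the four restrictions, built only from the descriptions quoted above, showing which of them would reject a given combination of MAIL FROM address and SASL login. As those descriptions state, all four compare the login against the envelope MAIL FROM address. The sample map, addresses and function names are constructed for illustration.

```python
# Simplified decision model of the four restrictions quoted above.
# Assumption: behaviour is derived from the quoted descriptions only.

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> set of SASL logins that own it.
LOGIN_MAPS = {
    "alice@example.com": {"alice"},
    "sales@example.com": {"alice", "bob"},
}

def unauth_mismatch(sender, login, maps):
    """Client is not logged in, but the map names an owner for MAIL FROM."""
    return login is None and sender.lower() in maps

def auth_mismatch(sender, login, maps, known_only=False):
    """Client is logged in, but the login does not own MAIL FROM."""
    if login is None:
        return False
    owners = maps.get(sender.lower())
    if owners is None:
        # Address not listed: nobody owns it, so the login cannot own it.
        # The "known" variant skips addresses that are not in the map.
        return not known_only
    return login not in owners

RESTRICTIONS = {
    "reject_sender_login_mismatch":
        lambda s, l, m: unauth_mismatch(s, l, m) or auth_mismatch(s, l, m),
    "reject_authenticated_sender_login_mismatch":
        lambda s, l, m: auth_mismatch(s, l, m),
    "reject_unauthenticated_sender_login_mismatch":
        lambda s, l, m: unauth_mismatch(s, l, m),
    "reject_known_sender_login_mismatch":
        lambda s, l, m: unauth_mismatch(s, l, m)
        or auth_mismatch(s, l, m, known_only=True),
}

def evaluate(sender, login, maps=LOGIN_MAPS):
    """Return the sorted names of the restrictions that would reject."""
    return sorted(name for name, check in RESTRICTIONS.items()
                  if check(sender, login, maps))

if __name__ == "__main__":
    # Constructed cases: (MAIL FROM, SASL login or None when not logged in)
    for sender, login in [("alice@example.com", "alice"),
                          ("alice@example.com", "bob"),
                          ("alice@example.com", None),
                          ("other@example.net", "bob"),
                          ("other@example.net", None)]:
        print(f"{sender:20} login={login!s:6} rejected by: {evaluate(sender, login)}")
```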