Ah yes, you're right.
I have yet to find any obvious way directly in Postfix to either force
the From: header to be rewritten to MAIL FROM envelope, or to check this
same header against the envelope or authenticated username.
I had some ideas of possibly using cleanup, trivial-rewrite, canonical,
but I've yet to find a way to make it work. If there's some generic
Milter around that can run simple scripts that could work to bounce. Or
for rewrite, trigger a script after message has been queued to modify
the From header (perhaps AlterMIME can be used for this?)
/Tobias
On 2016-04-03 12:32, Hamy wrote:
Hi, thank you for your response. But I don't think that any of those
actually apply to my situation.
They're all restrictions applied to 'MAIL FROM:' envelope, and as I've
said earlier, I've already taken care of that and it works fine. What
I'm talking about is the 'From:' field of the message header (not the
envelope). I want to enforce matching it against the 'MAIL FROM:'
envelope. For example, if the user is SASL authenticated as
us...@example.com, she is allowed (and enforced) to use:
MAIL FROM:<us...@example.com>
Now I want to match that against the message header 'From:'. The user
should be only allowed to use something like this in the header:
From: /nickname/ <us...@example.com>
Anything else should be rejected.
Any ideas?
Thanks in advance.
On Sunday, 3 April 2016, 14:42, Tobias <lists.zx...@otaking.se> wrote:
On 2016-04-03 04:35, Hamy wrote:
Hi
I am using /smtpd_sender_login_maps/ on submission port to enforce
the envelope 'mail from:' command, and it's working as expected. The
problem however is that the user can still use any arbitrary 'From:'
header field that she wants and opendkim will happily sign it. I am
looking for a way to enforce the From: header field to match the SASL
authenticated username. Ideally this should happen before queuing so
I can reject the message while the SMTP session is still in progress.
It is my understanding that /header_checks/ can't be used for this as
its functionality is very limited.
What are my options? Can anyone please help?
Thank you in advance
Best Regards,
A quick search uncovered four options for *smtpd_sender_restrictions*
which you should check.
*reject_authenticated_sender_login_mismatch*
Enforces the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
for authenticated clients only. This feature is available in
Postfix version 2.1 and later.
*reject_known_sender_login_mismatch*
Apply the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
only to MAIL FROM addresses that are known in
$smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This feature is available in Postfix version 2.11 and later.
*reject_sender_login_mismatch*
Reject the request when $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps> specifies
an owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
*reject_unauthenticated_sender_login_mismatch*
Enforces the reject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch> restriction
for unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.
BR
Tobias
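
The check this thread is asking for (accept only a From: header whose address belongs to the authenticated sender), written out as an added example; it is not from the posts above or from Postfix. It covers only the decision a milter would make once it has the From: header values and the login; check_from, normalize, extra_allowed and all addresses are constructed for illustration.

```python
from email.utils import getaddresses

REJECT = "550 5.7.1"  # reply prefix chosen for this example


def normalize(addr):
    """Lower-case an addr-spec; None if it lacks a local part or domain.
    Folding the local part's case is an assumption of this example."""
    local, sep, domain = addr.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return f"{local}@{domain}".lower()


def check_from(from_values, login, extra_allowed=()):
    """Decide whether a message's From: header is acceptable.

    from_values   every From: header value in the message, in order
    login         address the client is authenticated (and enveloped) as
    extra_allowed other addresses this login may use (hypothetical)
    Returns (accept, reason)."""
    allowed = {normalize(a) for a in (login, *extra_allowed)} - {None}
    # A second From: header could be the one the recipient's client shows.
    if len(from_values) != 1:
        return False, f"{REJECT} exactly one From: header required"
    # Unfold continuation lines, then split into (display name, address).
    mailboxes = getaddresses([" ".join(from_values[0].split())])
    if len(mailboxes) != 1:
        return False, f"{REJECT} From: must contain exactly one mailbox"
    _display, addr = mailboxes[0]
    sender = normalize(addr)
    if sender is None:
        return False, f"{REJECT} From: address could not be parsed"
    # Compare the address only; the display name is free text.
    if sender not in allowed:
        return False, f"{REJECT} From: {sender} not owned by {login}"
    return True, "ok"


if __name__ == "__main__":
    login = "user@example.com"  # constructed sample data
    for values in (["Nick <User@Example.COM>"],
                   ['"user@example.com" <mallory@example.net>'],
                   ["Nick <user@example.com>", "x <mallory@example.net>"],
                   ["user@example.com, mallory@example.net"]):
        print(check_from(values, login), values)
```

Rejecting messages with more than one From: header or more than one mailbox matters as much as the address comparison, since DKIM signing and the recipient's mail client may not agree on which one counts.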