On 19/05/16 00:38, Wietse Venema wrote:
Wietse Venema:
A brief example:
/etc/postfix/sender_access:
    example.com     reject Sender address requires authentication
    other.example   reject Sender address requires authentication

Do "postmap /etc/postfix/sender_access", then add this to main.cf:

    smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_sender_access hash:/etc/postfix/sender_access

With this, only senders in a trusted network, or authenticated
senders, can do "MAIL FROM:<u...@example.com>" etc.
This does not restrict the address in the From: message header.
BTW this means that you have to do your "telnet" tests from a
remote IP address!
Wietse

And it will also break forwarding for your users. E.g. u...@example.com
sends to a mailing list that they're a member of and the mailing list
doesn't alter the envelope sender, or sends to their friend at
user2@alumni.example who has their mail forwarded back to
us...@example.com. A way to allow this but prevent forgeries would be to
set up DKIM or BATV and reject email with an invalid signature for the
email or the envelope sender.
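
Added example (not part of either message, and not Postfix code): a small Python model of the first-match evaluation of the smtpd_sender_restrictions list quoted above, run over constructed sessions that include the forwarding case from the reply. The network 192.0.2.0/24, the client addresses and user@example.com are assumptions, and check_sender_access is simplified to a lookup on the sender's domain only.

```python
import ipaddress

# Assumed trusted network (constructed); the table entries are the ones in the thread.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
SENDER_ACCESS = {
    "example.com": "reject Sender address requires authentication",
    "other.example": "reject Sender address requires authentication",
}

def evaluate(client_ip, sasl_authenticated, mail_from):
    """Walk the three restrictions in order; the first decisive result wins."""
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks: client address is inside a trusted network
    if any(addr in net for net in MYNETWORKS):
        return "permit (mynetworks)"
    # permit_sasl_authenticated: client logged in with SMTP AUTH
    if sasl_authenticated:
        return "permit (sasl)"
    # check_sender_access: simplified here to the envelope sender's domain
    domain = mail_from.rpartition("@")[2].lower()
    action = SENDER_ACCESS.get(domain)
    if action:
        return action
    return "no decision"  # nothing matched; this list does not reject

# Constructed sessions: (description, client IP, authenticated?, MAIL FROM)
CASES = [
    ("telnet test from inside mynetworks", "192.0.2.10", False, "user@example.com"),
    ("remote user with SMTP AUTH", "198.51.100.7", True, "user@example.com"),
    ("remote forgery, no auth", "198.51.100.7", False, "user@example.com"),
    ("list server keeping envelope sender", "203.0.113.5", False, "user@example.com"),
    ("remote sender in unlisted domain", "203.0.113.5", False, "user2@alumni.example"),
]

def run_cases():
    return {desc: evaluate(ip, auth, sender) for desc, ip, auth, sender in CASES}

if __name__ == "__main__":
    for desc, result in run_cases().items():
        print(f"{desc:40} -> {result}")
```

The forgery and the list server get the same reject because the envelope sender is the only thing this check looks at, which is the forwarding breakage the reply describes; the first case shows why a test from inside mynetworks never reaches the table.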