[Please ignore my last email as this was sent by mistake before it was finished]
Hi,

We have an internet facing MX server whereby all users authenticate their outgoing connection to submit emails via port 587. This MX server routes incoming mail for our domain to an internal postfix smtp server which then delivers mail to local imap servers.

The internal postfix smtp server uses LDAP alias_maps = ldap:/etc/postfix/ldap-aliases.cf to look up which imap server a user's mailbox resides on.

There is a postfix option... reject_sender_login_mismatch that can be mapped...

  smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf

However - I get the following error

  Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support

No users authenticate to the internal postfix smtp server - all it does is route emails from the MX server. I believe the reason I see the warning "no SASL support" is because postfix doesn't handle the authentication as it's taken care of by the MX server.

postconf -n

  alias_database = hash:/etc/aliases
  alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
  command_directory = /usr/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/libexec/postfix
  data_directory = /var/lib/postfix
  debug_peer_level = 2
  html_directory = no
  inet_interfaces = all
  inet_protocols = ipv4
  mail_owner = postfix
  mailq_path = /usr/bin/mailq.postfix
  manpage_directory = /usr/share/man
  message_size_limit = 51200000
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
  mydomain = domain1.com
  myhostname = smtp-1.domain1.com
  mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
  myorigin = $mydomain
  newaliases_path = /usr/bin/newaliases.postfix
  queue_directory = /var/spool/postfix
  readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
  sample_directory = /usr/share/doc/postfix-2.6.6/samples
  sendmail_path = /usr/sbin/sendmail.postfix
  setgid_group = postdrop
  smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
  smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
  unknown_local_recipient_reject_code = 550

---

However, with a different config "smtpd_sender_restrictions = reject_unverified_sender", if the "envelope From field" contains an invalid forged address the following is logged - which is great to stop unknown email addresses being forged - but doesn't help if it's forged with a known email address.

  NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 <he...@domain1.com>: Sender address rejected: unverified address: unknown user: "hejem"; from=<he...@domain1.com> to=<te...@domain1.com> proto=ESMTP helo=<smtp-1.domain1.com>

-bash-4.1$ postconf -n

  alias_database = hash:/etc/aliases
  alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
  command_directory = /usr/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/libexec/postfix
  data_directory = /var/lib/postfix
  debug_peer_level = 2
  html_directory = no
  inet_interfaces = all
  inet_protocols = ipv4
  mail_owner = postfix
  mailq_path = /usr/bin/mailq.postfix
  manpage_directory = /usr/share/man
  message_size_limit = 51200000
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
  mydomain = domain1.com
  myhostname = smtp-1.domain1.com
  mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
  myorigin = $mydomain
  newaliases_path = /usr/bin/newaliases.postfix
  queue_directory = /var/spool/postfix
  readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
  sample_directory = /usr/share/doc/postfix-2.6.6/samples
  sendmail_path = /usr/sbin/sendmail.postfix
  setgid_group = postdrop
  smtpd_sender_restrictions = reject_unverified_sender

What I want to achieve is for my local internal postfix to check the "envelope From field" to ensure it's not been spoofed, by knowing the sending user's username and looking up its assigned "From" aliases in LDAP; if it doesn't match, i.e. they're spoofing, then reject the mail.

Any advice how to implement this check in postfix?

Thanks
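The check the poster describes (compare the envelope sender with the addresses the authenticated user may send as) is exactly what reject_authenticated_sender_login_mismatch does, and the warning shows why it cannot work on the internal relay: the identity is only known on the server that performed the SASL authentication. One way to see the mechanics is a Postfix SMTPD access policy service, which receives name=value attributes (including sender and sasl_username) and replies with an action line. The following is an added example, not code from the poster or the Postfix project; it uses a constructed in-memory map in place of the ldap-senders.cf lookup, the user names, addresses and port 10040 are assumptions, and it would have to run where sasl_username is actually populated (the MX server in this setup), since a policy request from the internal relay carries no authenticated user.

```python
#!/usr/bin/env python3
"""Minimal Postfix SMTPD policy service: reject envelope senders that do not
belong to the SASL-authenticated user (added example, not project code)."""
import socketserver

# Constructed stand-in for the LDAP lookup (smtpd_sender_login_maps):
# authenticated username -> envelope sender addresses that user may use.
ALLOWED_SENDERS = {
    "jdoe": {"jdoe@domain1.com", "john.doe@domain1.com"},
    "hejem": {"hejem@domain1.com"},
}


def parse_request(raw: str) -> dict:
    """Parse one policy request ('name=value' lines, terminated by a blank line)."""
    attrs = {}
    for line in raw.splitlines():
        if not line:            # blank line ends the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return a Postfix action: DUNNO (let other restrictions decide) or REJECT."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "").lower()
    if not user:
        # No authenticated identity on this hop (the poster's internal relay
        # is in this position): the check is not applicable here.
        return "DUNNO"
    if not sender:
        return "DUNNO"          # null sender (bounces); not an address to match
    allowed = ALLOWED_SENDERS.get(user)
    if allowed is None:
        return "REJECT no sender addresses registered for authenticated user"
    if sender in allowed:
        return "DUNNO"
    return "REJECT sender address does not match authenticated user"


def handle_request(raw: str) -> str:
    """Build the wire response for one request: 'action=...' plus a blank line."""
    return "action=%s\n\n" % decide(parse_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve requests on one connection until Postfix closes it."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:                 # connection closed by Postfix
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:
                return
            self.wfile.write(handle_request("\n".join(lines) + "\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    # Port 10040 is an assumption; pick any free local port.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Postfix is pointed at such a service with `check_policy_service inet:127.0.0.1:10040` in smtpd_sender_restrictions on the server that does the SASL authentication; on a relay hop with no authentication, the request carries no sasl_username and the service returns DUNNO, which mirrors the "no SASL support" warning the poster sees from the built-in restriction.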