On 7/4/2016 5:55 AM, Jack Beanstallk wrote:
> [Please ignore my last email as this was sent by mistake before it
> was finished]
>
> Hi,
>
> We have an internet facing MX server whereby all users authenticate
> their outgoing connection to submit emails via port 587. This MX
> server routes incoming mail for our domain to an internal postfix
> smtp server which then delivers mail to local imap servers.
>
> The internal postfix smtp server uses LDAP alias_maps =
> ldap:/etc/postfix/ldap-aliases.cf, to
> look up which imap server a user's mailbox resides on.
>
> There is a postfix option...
> reject_sender_login_mismatch
> that can be mapped...
> smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf
>
> However - I get the following error
>
> Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction
> `reject_authenticated_sender_login_mismatch' ignored: no SASL support
>
> No users authenticate to the internal postfix smtp server - all it
> does is route emails from the MX server. I believe the reason I see
> the warning "no SASL support" is because postfix doesn't handle the
> authentication as it's taken care of by the MX server.
>
> postconf -n
>
> alias_database = hash:/etc/aliases
> alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 51200000
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
> mydomain = domain1.com
> myhostname = smtp-1.domain1.com
> mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
> smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
> unknown_local_recipient_reject_code = 550
>
> ---
>
> However, with a different config "smtpd_sender_restrictions =
> reject_unverified_sender"
>
> If the "envelope From field" contains an invalid forged address the
> following is logged - which is great to stop unknown email addresses
> being forged - but doesn't help if it's forged with a known email
> address.
>
> NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7
> <he...@domain1.com>: Sender address
> rejected: unverified address: unknown user: "hejem";
> from=<he...@domain1.com>
> to=<te...@domain1.com> proto=ESMTP
> helo=<smtp-1.domain1.com>
>
>
> -bash-4.1$ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 51200000
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
> mydomain = domain1.com
> myhostname = smtp-1.domain1.com
> mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_sender_restrictions = reject_unverified_sender
>
>
> What I want to achieve is my local internal postfix to check the
> "envelope From field" to ensure it's not been spoofed by knowing the
> sending user's username and looking up its assigned "From" aliases
> in LDAP; if it doesn't match, i.e. they're spoofing, then reject the mail.
>
> Any advice how to implement this check in postfix?
>
> Thanks
>
This is not something built into postfix. As an alternative, use SPF and DKIM to detect forged mail claiming to be from your own domain.

-- 
Noel Jones
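As an added illustration (not part of the thread and not Postfix's own code) of why the check has to live on the hop that performs SASL: the sender-vs-login comparison that `reject_sender_login_mismatch` makes needs the authenticated username, which the internal relay in the question never sees. The snippet below expresses that comparison as a Postfix SMTPD policy-delegation service (`check_policy_service`), with the LDAP sender-login map replaced by a constructed in-memory dict; the port, the map contents and the reject text are assumptions.

```python
"""Policy daemon that rejects an envelope sender not owned by the SASL login
(same rule as reject_sender_login_mismatch, done via check_policy_service).
Added example; the dict below is a constructed stand-in for the LDAP map."""
import socketserver

# Constructed stand-in for smtpd_sender_login_maps: login -> permitted senders.
SENDER_LOGIN_MAP = {
    "alice": {"alice@domain1.com", "helpdesk@domain1.com"},
    "bob": {"bob@domain1.com"},
}
# Reverse view so unauthenticated use of an owned address can be refused too.
OWNED_ADDRESSES = {a.lower() for s in SENDER_LOGIN_MAP.values() for a in s}

def parse_policy_request(raw: str) -> dict:
    """Parse one attribute=value request; an empty line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def policy_action(attrs: dict) -> str:
    """Return the action for one request. DUNNO defers to later restrictions."""
    login = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "").lower()
    if not sender:                      # bounces (MAIL FROM:<>) are not judged
        return "DUNNO"
    if not login:                       # no SASL on this hop: only owned addresses are refused
        return "REJECT 5.7.1 Sender address requires authentication" \
            if sender in OWNED_ADDRESSES else "DUNNO"
    allowed = {a.lower() for a in SENDER_LOGIN_MAP.get(login, set())}
    if sender in allowed:
        return "DUNNO"
    return f"REJECT 5.7.1 Sender address rejected: not owned by user {login}"

class PolicyHandler(socketserver.StreamRequestHandler):
    """Speak the policy protocol: read until blank line, answer action=..."""
    def handle(self):
        lines = []
        while (line := self.rfile.readline().decode("utf-8", "replace").rstrip("\r\n")):
            lines.append(line)
        action = policy_action(parse_policy_request("\n".join(lines)))
        self.wfile.write(f"action={action}\n\n".encode())

if __name__ == "__main__":
    # main.cf on the SASL hop: smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the decision keys on `sasl_username`, wiring this into the internal relay would give the same result as the warning in the thread: every request arrives without a login, so only the reverse-map branch can fire.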