On Mon, Sep 05, 2016 at 07:23:10PM +0200, Sebastian Nielsen wrote:
> No, you're wrong. What the OP should do is to enforce SPF/DKIM on
> specific RECEIVERS. For example, enforcing SPF/DKIM on for example
> webappad...@example.org.
It's important to remember what each step is actually authenticating / verifying. Both SPF and DKIM verify that a _server_ is authorized to send mail on behalf of a _domain_. Nothing in either does any sort of checking / validation of the envelope sender username. Thus, if the sending mail server allows an authenticated user to send mail as any envelope sender, that user could send SPF / DKIM valid mail as a sender they are not authorized to represent.

I have never personally dug into this as it is not an issue for my use case, but there would need to be some configuration in postfix that limits which envelope senders are allowed to be used by which user / vusers in order to ensure full authentication based on envelope sender.

--Sean
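The Postfix setting Sean describes does exist: smtpd_sender_login_maps ties each envelope sender to the SASL login(s) that own it, and reject_sender_login_mismatch rejects MAIL FROM when the logged-in user is not an owner. The fragment below is an added example for the submission service, not from the thread; the map path, the example.org addresses and the login names are assumptions, and the @example.org catch-all relies on the standard address-lookup order (check postconf(5) for your version).

```conf
# master.cf -- apply the check only on the authenticated submission port,
# and BEFORE permit_sasl_authenticated, or the login is accepted untested.
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

# /etc/postfix/sender_login_maps -- build with:
#   postmap hash:/etc/postfix/sender_login_maps
# key: envelope sender (MAIL FROM)   value: SASL login(s) allowed to use it
alice@example.org        alice
webapp@example.org       webapp, alice
# Domain catch-all (assumed lookup order: full address, then @domain):
# any other @example.org sender is owned by postmaster only, so an
# authenticated user cannot pick an arbitrary local part in the domain.
@example.org             postmaster
```

With this in place, a client authenticated as "webapp" that issues MAIL FROM:<alice@example.org> is rejected with "Sender address rejected: not owned by user webapp", while alice may send as either address.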