On Thu, Oct 20, 2016 at 02:46:15PM +0100, Paweł Grzesik wrote:
> I noticed that it's really easy to send an e-mail as a real user
> by simply typing in the mail body:
>
> From: <mail>
>
> Is there any way to prevent this? I checked that even when
> we specify
> MAIL FROM: <not_existing_user>
>
> and then in the body:
> From: <real_user>
>
> postfix will send an e-mail with From: <real_user>, the one
> from the body. It doesn't sound right.

[Having read the rest of the thread]

I think you are just now discovering what has been known about
Internet mail for many years.

You might also be interested to know about the SMTP "envelope",
which is the entire basis for mail and bounce routing. Headers are
not used for routing mail. The "MAIL FROM:" address is the envelope
sender (and the recipient if a bounce has to be sent), and the
"RCPT TO:" addresses (there can be numerous given for a single mail
transaction) are the envelope recipients.

See here if you want to control the use of bogus envelope senders in
your domains:

http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

If you're interested in somehow enforcing From: header and envelope
sender matching, that cannot be done natively in Postfix. And it's
probably not a good idea anyway. Consider this email and others you
see from mailing lists. Mine is sent out with:
"From: /dev/rob0 <r...@gmx.co.uk>"
but you get it from the list server as envelope sender.

Read up about things like DKIM, SPF, DMARC, if you are interested in
what others have been doing, trying to graft a fix for this problem
onto the Internet mail specifications.

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
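
The envelope/header distinction described in this reply, as an added example that is not part of the original post: a Python sketch that compares a message's envelope sender with its From: header. All addresses and messages are constructed samples, and the "related" result is a simplified subdomain test, not DMARC's relaxed alignment (which compares organizational domains).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not taken from the thread).
SPOOFED = "From: Real User <real_user@example.com>\nSubject: hi\n\nbody\n"
LIST_POST = "From: Poster <poster@example.co.uk>\nSubject: [list] hi\n\nbody\n"
DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
TWO_AUTHORS = "From: a@example.com, b@example.net\nSubject: hi\n\nbody\n"


def _domain(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""


def compare_sender(envelope_from, raw_message):
    """Classify how the envelope sender (MAIL FROM) relates to the From: header."""
    env_domain = _domain(envelope_from)
    if not env_domain:
        return "null-sender"  # MAIL FROM:<> carries bounces; nothing to compare
    headers = message_from_string(raw_message).get_all("From", [])
    authors = getaddresses(headers)
    if len(headers) != 1 or len(authors) != 1 or not _domain(authors[0][1]):
        return "bad-from-header"  # missing, repeated, or multi-author From:
    hdr_domain = _domain(authors[0][1])
    if hdr_domain == env_domain:
        return "match"
    if hdr_domain.endswith("." + env_domain) or env_domain.endswith("." + hdr_domain):
        return "related"  # simplified subdomain check (assumption, see lead-in)
    return "mismatch"


def classify_samples():
    """Run the comparison over the constructed envelope/message pairs."""
    cases = {
        "spoofed": ("<not_existing_user@example.net>", SPOOFED),
        "list_post": ("<list-bounces@lists.example.org>", LIST_POST),
        "direct": ("<alice@example.com>", DIRECT),
        "subdomain": ("<bounce@mail.example.com>", DIRECT),
        "bounce": ("<>", DIRECT),
        "two_authors": ("<a@example.com>", TWO_AUTHORS),
    }
    return {name: compare_sender(env, msg) for name, (env, msg) in cases.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12} {verdict}")
```

The forged message and the ordinary mailing-list post both come back as "mismatch", which is why a bare mismatch works as a signal to weigh and not as a reject rule.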