Hi list,

I am having a bad time setting up a postfix configuration that allows sending mails only when the sender actually "owns" the "From:"-address.
I manage multiple domains and the login names are fully qualified email addresses as well. My "alias" table looks like this (goto is the login name):

+-------------------+------------------+------------+--------+
| address           | goto             | domain     | active |
+-------------------+------------------+------------+--------+
| ali...@domain.tld | us...@domain.tld | domain.tld |      1 |
| ali...@domain.tld | us...@domain.tld | domain.tld |      1 |
+-------------------+------------------+------------+--------+

and I want user1 to be able to send with "From: alias1@..." but not with "From: alias2@...". The corresponding query in sender_login_maps.cf reads "SELECT goto FROM alias WHERE address='%s' AND active = 1". So I put 'reject_authenticated_sender_login_mismatch' in 'smtpd_sender_restrictions' (see below for config files), but I still can send with any "From:"-address I want, e.g. madeup@not_my_domain.com.

Now comes the strange part: the query itself works fine, because when I change it to "SELECT goto FROM alias WHERE address='not_in_database_for_sure' AND active = 1", I can't send any mails at all, as the address is not found. But when I try to send an email with "From: madeup@not_my_domain.com" the mysql server logs the following:

"postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from...: 553 5.7.1 <us...@domain.tld>: Sender address rejected: not owned by user us...@domain.tld; from=<us...@domain.tld> to=<us...@domain.tld> proto=ESMTP helo=<[192.168.2.103]>"

while I would have expected

"postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from...: 553 5.7.1 <madeup@not_my_domain.com>: Sender address rejected: not owned by user us...@domain.tld; from=<madeup@not_my_domain.com> to=<us...@domain.tld> proto=ESMTP helo=<[192.168.2.103]>"

So it looks like the mysql-server never actually sees "madeup@not_my_domain.com" but only "us...@domain.tld", which is valid. There is no address rewriting though, because the delivered mails are always sent "From: <madeup@not_my_domain.com>".
I had asked this question already here (https://unix.stackexchange.com/questions/330017/postfix-does-not-check-from-address-with-sender-login-maps), so feel free to answer there as well.

Here are 'postconf -nf' and 'postconf -Mf':

--------------------------------------------------------------------------------------------------------------
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
config_directory = /etc/postfix
inet_interfaces = all
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
mydestination =
mydomain = domain.tld
myhostname = mail.domain.tld
mynetworks = 127.0.0.0/8
myorigin = $mydomain
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1, ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/sql/relay_domains.cf
relayhost =
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender_login_maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /home/letsencrypt/certificate/chained.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams8192.pem
smtpd_tls_key_file = /home/letsencrypt/keys/domain.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_gid_maps = static:3000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:3000
--------------------------------------------------------------------------------------------------------------
smtp      inet  n       -       n       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=no
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
smtps     inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o tls_preempt_cipherlist=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=submission-header-cleanup
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
submission-header-cleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
--------------------------------------------------------------------------------------------------------------

Best,
Stephan
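As an added example (not part of Stephan's post and not Postfix code), the Python below models how reject_sender_login_mismatch and its *_authenticated_* variant decide, using a constructed stand-in for the alias table above with the redacted addresses replaced by made-up ones. The restriction is evaluated against the envelope MAIL FROM address, which is what Postfix logs as from=<...>; the From: header in the message body is not consulted, and only an exact-address map lookup is modelled here.

```python
import re

# Constructed stand-in for the sender_login_maps.cf lookup: MAIL FROM -> owners.
SENDER_LOGIN_MAP = {
    "alias1@domain.tld": ["user1@domain.tld"],
    "alias2@domain.tld": ["user2@domain.tld"],
}

# Constructed log line in the shape Postfix logs; all addresses are made up.
LOG_LINE = ("postfix/smtps/smtpd[11683]: NOQUEUE: reject: RCPT from unknown[192.168.2.103]: "
            "553 5.7.1 <user1@domain.tld>: Sender address rejected: not owned by user "
            "user1@domain.tld; from=<user1@domain.tld> to=<user2@domain.tld> "
            "proto=ESMTP helo=<[192.168.2.103]>")


def sender_login_mismatch(login, mail_from, authenticated_only=True):
    """Model of reject_sender_login_mismatch (authenticated_only=False) and
    reject_authenticated_sender_login_mismatch (authenticated_only=True).
    login is the SASL login name ('' when the client did not authenticate),
    mail_from is the envelope sender.  Returns True when the MAIL FROM is rejected.
    Lookup keys are folded to lowercase in this model."""
    owners = [o.lower() for o in SENDER_LOGIN_MAP.get(mail_from.lower(), [])]
    if login:
        # Authenticated client: the login name must be listed as an owner.  An
        # address the map does not know has no owner, hence "not owned by user".
        return login.lower() not in owners
    # Unauthenticated client: the *_authenticated_* variant never fires; the plain
    # variant rejects only when the map names an owner for this address.
    return False if authenticated_only else bool(owners)


def envelope_sender_from_log(line):
    """Return the from=<...> field: the envelope MAIL FROM that was looked up,
    not the From: header of the message."""
    m = re.search(r"from=<([^>]*)>", line)
    return m.group(1) if m else None


def check_submission(login, mail_from, header_from):
    """One authenticated submission.  header_from is carried along only to show
    that it plays no part in the decision; mail_from is all that is looked up."""
    decision = "reject" if sender_login_mismatch(login, mail_from) else "permit"
    return {"decision": decision, "looked_up": mail_from, "header_from": header_from}


if __name__ == "__main__":
    print(check_submission("user1@domain.tld", "alias1@domain.tld", "alias1@domain.tld"))
    print(check_submission("user1@domain.tld", "alias2@domain.tld", "alias2@domain.tld"))
    # Envelope sender is the login address while the From: header is something else:
    print(check_submission("user1@domain.tld", "user1@domain.tld", "madeup@not_my_domain.com"))
    print("address Postfix looked up:", envelope_sender_from_log(LOG_LINE))
```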