ehlo,

tl;dr: Is there really no way in postfix to restrict what "From" headers a user may specify?

For outgoing mail, we would like to restrict the "From" header to match the address users SASL authenticate with, or one that is configured as an alias in their account. We have set up smtpd_sender_login_maps to use a SQL map and configured smtpd_sender_restrictions to have the configuration option reject_authenticated_sender_login_mismatch before permit_sasl_authenticated. This works as expected.

However, the problem is that the envelope "From" is being restricted, not the header "From". Users must specify the correct SMTP "MAIL FROM:" but are still able to provide a different "From:" value in the header of the message provided in the DATA stage of the SMTP discussion. The postfix option "reject_authenticated_sender_login_mismatch" only enforces the envelope sender to be correct. It doesn't appear that there is a postfix config option that will take care of this.

The only method of restricting the "From" header we have found is through a milter (e.g. https://github.com/magcks/milterfrom.git) which compares the envelope sender with the sender specified in the mail header for authenticated users, thus ensuring that the sender specified in the header matches the envelope sender.

It strikes me as odd that there is no way to do this in postfix, and that the only solution seems to be a milter that someone wrote only a couple of months ago. I would have expected people to have solved this problem a long time ago, which makes me wonder -- am I doing this right, or missing something? In particular, it doesn't make sense to enable DKIM signing of the "From" header without strongly verifying that the user has permission to use that address.

On a related note, because I am specifying a SQL table for the smtpd_sender_login_maps, I configured it using proxy:mysql, which meant I had to override proxy_read_maps to allow that. The risks of adding something to proxy_read_maps are unclear to me, and I am looking for more clarity on what exactly this does. Documentation simply states, "The lookup tables that the proxymap(8) server is allowed to access for the read-only service". Are there security concerns or other trade-offs with adding lookup tables to do this?

thanks,
micah
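The check the post asks for, sketched as an added example (not part of the original message and not milterfrom's code): after the envelope-sender test that reject_authenticated_sender_login_mismatch already performs, the header "From:" is parsed and tested against the same login-to-address map. The function name, the dictionary standing in for the smtpd_sender_login_maps SQL table, and the example.org addresses are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the smtpd_sender_login_maps SQL table:
# SASL login -> addresses that login may send as (own address plus aliases).
SENDER_LOGIN_MAP = {
    "alice@example.org": {"alice@example.org", "sales@example.org"},
}

# Constructed sample: correct envelope sender, forged header From.
SAMPLE = (
    "From: Support <ceo@example.org>\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def check_header_from(sasl_login, envelope_sender, raw_message,
                      login_map=SENDER_LOGIN_MAP):
    """Return (accept, reason) for one authenticated submission."""
    allowed = {a.lower() for a in login_map.get(sasl_login.lower(), ())}
    # Step 1: the envelope check Postfix already enforces for MAIL FROM.
    if envelope_sender.lower() not in allowed:
        return False, "envelope sender not owned by login"
    # Step 2: the header check Postfix does not perform on the DATA content.
    from_headers = message_from_string(raw_message).get_all("From", [])
    # Require exactly one From: header; with two, the filter and the
    # recipient's mail client may not pick the same one.
    if len(from_headers) != 1:
        return False, "expected exactly one From: header"
    # getaddresses() separates display name from address, so a display
    # name that looks like an allowed address does not satisfy the check.
    addrs = [addr.lower() for _name, addr in getaddresses(from_headers)]
    if len(addrs) != 1 or not addrs[0]:
        return False, "From: must contain exactly one address"
    if addrs[0] not in allowed:
        return False, "header From not owned by login"
    return True, "ok"


if __name__ == "__main__":
    print(check_header_from("alice@example.org", "alice@example.org", SAMPLE))
```

Unlike a strict envelope-equals-header comparison, this accepts any address the login owns, so a user may send with an alias in the header while using the primary address in MAIL FROM.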