On Monday, 30 October 2017 7:52:05 PM AEDT micah anderson wrote:
> ehlo,
>
> tl;dr: Is there really no way in postfix to restrict what "From" headers
> a user may specify?
>
> For outgoing mail, we would like to restrict the "From" header to match
> the address users SASL authenticate with, or one configured as an alias
> in their account. We have set up smtpd_sender_login_maps to use a SQL map
> and configured smtpd_sender_restrictions to have the configuration
> option reject_authenticated_sender_login_mismatch before
> permit_sasl_authenticated. This works as expected.
>
> However, the problem is that the envelope "From" is being restricted, not
> the header "From". Users must specify the correct SMTP "MAIL FROM:" but
> are still able to provide a different "From:" value in the header of the
> message provided in the DATA stage of the SMTP discussion. The postfix
> option "reject_authenticated_sender_login_mismatch" only enforces the
> envelope sender to be correct.
>
> It doesn't appear that there is a postfix config option that will take
> care of this. The only method of restricting the "From" header we have
> found is through a milter (e.g. https://github.com/magcks/milterfrom.git)
> which compares the envelope sender with the sender specified in the mail
> header for authenticated users, thus ensuring that the sender specified
> in the header matches the envelope sender.
>
> It strikes me as odd that there is no way to do this in postfix, and
> that the only solution seems to be a milter that someone wrote only a
> couple of months ago. I would have expected people to have solved this
> problem a long time ago, which makes me wonder -- am I doing this right,
> or missing something? In particular, it doesn't make sense to enable
> DKIM signing of the "From" header without strongly verifying that the
> user has permission to use that address.
A milter is the right way. Postfix does implement header_checks, which can inspect the From header; however, it looks like they only support the regexp and pcre table types, so that might not be useful. It's also inconvenient because these checks won't deal with multiple forms such as different encodings and can only process one header at a time.

>
> On a related note, because I am specifying a SQL table for the
> smtpd_sender_login_maps, I configured it using proxy:mysql, which meant
> I had to override proxy_read_maps to allow that. It is unclear to me the
> risks of adding something to proxy_read_maps and am looking for more
> clarity on what exactly this does. Documentation simply states, "The
> lookup tables that the proxymap(8) server is allowed to access for the
> read-only service", are there security concerns or other trade-offs with
> adding lookup tables to do this?
>
> thanks,
> micah
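The check the reply says belongs in a milter, written out as a standalone illustration (added here; this is not code from the thread, from Postfix or from the milterfrom project). It uses Python's email parser with the default policy so that RFC 2047 encoded display names, angle-bracket forms, quoted local parts, several mailboxes in one From: and repeated From: headers are all handled, which is exactly where a single header_checks regexp falls short. The login map is a constructed stand-in for what smtpd_sender_login_maps would return; the case-insensitive comparison of local parts is an assumed policy choice, not an RFC requirement.

```python
"""Header From: vs. SASL login check, as a milter for authenticated submission
would perform it.  Added example with constructed data; not code from the
postfix-users thread, from Postfix or from milterfrom."""
from email import message_from_string, policy

# Constructed stand-in for an smtpd_sender_login_maps lookup:
# SASL login name -> set of addresses that login is allowed to send as.
LOGIN_MAP = {
    "micah@example.org": {"micah@example.org", "postmaster@example.org"},
}


def header_from_addresses(raw_message):
    """Return every addr-spec found in the message's From: header(s), lower-cased.

    policy.default parses the header structurally: encoded words in the
    display name are decoded, so a name cannot disguise the real address, and
    a header with several mailboxes yields several entries.  Repeated From:
    headers are all returned, so a second From: cannot slip past the check.
    A From: that does not parse to any address yields an empty list.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for hdr in msg.get_all("From", []):
        found.extend(a.addr_spec.lower() for a in hdr.addresses)
    return found


def check_submission(sasl_login, mail_from, raw_message, login_map=LOGIN_MAP):
    """Decide whether an authenticated submission passes; returns (ok, reason).

    1. The envelope sender (MAIL FROM) must be one the login owns; Postfix's
       reject_authenticated_sender_login_mismatch already enforces this part.
    2. Every address in the header From: must also be one the login owns, and
       a message with no parseable From: address is rejected, not waved through.
    Comparison is case-insensitive on the whole address (assumed policy).
    """
    allowed = {a.lower() for a in login_map.get(sasl_login.lower(), ())}
    if mail_from.lower() not in allowed:
        return False, "envelope sender %s not permitted for %s" % (mail_from, sasl_login)
    addrs = header_from_addresses(raw_message)
    if not addrs:
        return False, "no parseable From: header address"
    bad = [a for a in addrs if a not in allowed]
    if bad:
        return False, "header From: %s not permitted for %s" % (", ".join(bad), sasl_login)
    return True, "ok"


if __name__ == "__main__":
    # Constructed message: RFC 2047 encoded display name, mixed-case address.
    sample = ("From: =?utf-8?b?TWljYWg=?= <Micah@Example.org>\r\n"
              "To: friend@example.net\r\nSubject: hi\r\n\r\nbody\r\n")
    print(check_submission("micah@example.org", "micah@example.org", sample))
    spoof = "From: CEO <ceo@example.org>\r\nSubject: urgent\r\n\r\nbody\r\n"
    print(check_submission("micah@example.org", "micah@example.org", spoof))
```

In a real milter the two inputs come from the MTA: the SASL login and envelope sender from the connection and MAIL FROM callbacks, and the From: header from the header callback; the decision returned here maps onto the milter's accept or reject action.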