On 2020-09-30 20:32, Jaroslaw Rafa wrote: > Dnia 30.09.2020 o godz. 16:35:37 Wietse Venema pisze: >> With authenticated smtp submission, the envelope.from can be >> constrained by smtpd_sender_login_maps. >> >> With sendmail/postdrop submission the UNIX login name can be >> overidden with "sendmail -f". There is no code in Postfix to >> lock down "sendmail -f", and there is no 'plugin' interface that >> could do this, either. I don't like the idea of adding complex >> logic to the set-gid postdrop command to lock down "sendmail >> -f". Doing the lockdown in the pickup daemon would be more >> secure but has the problem that the 'reject' happens too late. > > Slightly off topic, but the original sendmail when "-f" parameter was used > added the following header to the sent message: > > X-Authentication-Warning: <hostname>: <original-username> set sender to > <sender-specified-with-f> using -f > > <original-username> was of course the user who was calling > /usr/sbin/sendmail. Is Postfix able to do similar thing?
This would meet my requirements as well; my understanding is that blocking a message containing a certain header is trivial. Demi
signature.asc
Description: OpenPGP digital signature
