Home / server / Questions / 318334
Accepted
Chris Lercher
Asked: 2011-10-05 06:13:02 +0800 CST

How to enforce sender address to be "[email protected]" in Postfix?

  • 772

I have set up a Postfix server with SMTP AUTH (STARTTLS on port 587). All my users are in the domain "example.org". I want to enforce the sender address to be "[email protected]".

I learned that this can be achieved with the main.cf options

smtpd_sender_restrictions = reject_sender_login_mismatch, ...
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps

with a login_maps file like:

[email protected] a
[email protected] b
[email protected] c
...

(see also Block sender address spoofing with SMPT AUTH), but this would mean I'll have to edit the login_maps file every time I have a new user. I don't need such a flexible mapping: It should always be "[email protected]". Is there an easier option?

linux postfix smtp-auth

3 Answers

  1. Best Answer

    First, check whether your installation of Postfix supports pcre by entering the command postconf -m and looking for a line with pcre in it. Once you have verified that you have pcre support, you can do as follows:

    /etc/postfix/login_maps.pcre:

    /^(.*)@example\.org$/   ${1}

    In main.cf:

    smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre

    This should work fine.

    • 16

  2. The regex mentioned in the other answer matches the user part of the email address (logged-in-user@example.org). Here is some additional information.

    To use the full email address as username, use the following regex (for example in /etc/postfix/login_map):

    /^(.*)$/   ${1}

    This means that your username is always your full email address ([email protected]) - no other existing username is allowed to send from that address - and you don't have to update an additional Postfix config file everytime you add a user.

    This might be used on a server that has multiple domains configured. User [email protected] is only allowed to send from that address but not from [email protected] (different user and email, different person). The username john.doe would be ambiguous in this case.

    Also, depending on your configuration, the smtpd_sender_login_maps setting, which has to point to this file, may be in the master.cf (instead of main.cf). The official Dovecot documentation has the following example (if you're using SASL/submission):

    submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

    In this example, the setting should be adjusted to point to the right file and use regex or (better) pcre as type. Especially if a file called "virtual" is already used for another purpose (for example for virtual_alias_maps, as shown in an official Postfix example), another file should be used for the login mapping.

    From:

    smtpd_sender_login_maps=hash:/etc/postfix/virtual

    To:

    smtpd_sender_login_maps=pcre:/etc/postfix/login_map
    • 9

  3. Can you use combination of regexp on the header as shown here: http://www.akadia.com/services/postfix_uce.html? Then you can combine with regexp like [*@example.org] to ensure only sender from example.org.

    • 0