I have a Linux server with local accounts (they are used by PHP-FPM processes) that are using Postfix's sendmail binary to send e-mails.
All e-mails are sent through the local Postfix to a central mailhub that considers e-mails from the hosting server as trustworthy, to some degree (they are trusted more than e-mails from the internet).
The problem is that any local user can send e-mail as any sender (parameter -f of the sendmail binary, or Return-Path).
I would like to limit allowed senders per user - that is, to define which user can send e-mails as which sender / sender domain. When a user then sends an e-mail as a wrong sender, the e-mail should be dropped.
I did not find any solution to map UID or local username to sender.
The only solution I found is to use SMTP instead, to create a Postfix account and password for each local user and then use a directive like reject_sender_login_mismatch in smtpd_sender_restrictions. That is more difficult to configure and maintain and does not take advantage of the fact that the users are already authenticated by the system, and I would like to avoid that.
The answer to my own question is to create a shell wrapper around the sendmail binary to do all the necessary checks and use this wrapper in the PHP-FPM's configuration instead of the sendmail binary.
AFAIK there is no other solution.
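
One way such a wrapper could look, as an added example that is not part of the original answer. The map file path and format, the wrapper name sendmail-wrapper and the option string are assumptions; it checks only the envelope sender given with -f/-r, not the From: header, and refuses anything it cannot parse.

```shell
#!/bin/sh
# Per-user envelope-sender check in front of sendmail (added example).
# Assumed, not from the post: both paths and the map format
#   "<local user> <address | @domain>", one allowed sender per line, lowercase.
SENDER_MAP=${SENDER_MAP:-/etc/postfix/sender_map}   # hypothetical path
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail}
# Assumption: must mirror the options your sendmail(1) accepts; others are refused.
OPTSTRING=':A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx'

# Print the sender chosen by -f/-r (last one wins, empty if none given).
# Fails on an unparsable option or an option-like argument after the options.
extract_sender() {
    sender='' OPTIND=1
    while getopts "$OPTSTRING" opt; do
        case $opt in
            f|r) sender=$OPTARG ;;
            \?|:) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    for rcpt in "$@"; do
        case $rcpt in -*) return 1 ;; esac
    done
    printf '%s\n' "$sender"
}

# Succeed if <user> may send as <sender> according to <map file>.
sender_allowed() {
    user=$1 map=$3
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$addr" ] || return 0          # no -f/-r: Postfix uses the login name
    while read -r u pattern _; do
        [ "$u" = "$user" ] || continue
        case $pattern in "$addr"|"@${addr##*@}") return 0 ;; esac
    done < "$map"
    return 1
}

main() {
    me=$(id -un)
    if ! from=$(extract_sender "$@") || ! sender_allowed "$me" "$from" "$SENDER_MAP"; then
        logger -t sendmail-wrapper "denied: user=$me sender=$from"
        exit 77                         # EX_NOPERM from sysexits.h
    fi
    exec "$REAL_SENDMAIL" "$@"
}
# Run only when installed under this (assumed) name, so the file can be sourced.
case ${0##*/} in sendmail-wrapper) main "$@" ;; esac
```

Point the pool's sendmail_path at the wrapper. It runs with the caller's own privileges, so it enforces the policy only if the PHP-FPM users cannot execute the real sendmail or postdrop binaries directly and cannot write to the map file.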