I want to prevent spoofing so I found this postfix option:
smtpd_sender_login_maps (default: empty)
Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
...
Then I found this answer: https://serverfault.com/a/710235/371610 that says how to use a regex so that in setups with multiple virtual domains and many users there's no need to edit the table to add or remove:
/etc/postfix/login_map:
/^(.*)$/ ${1}
/etc/postfix/main.cf:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_relay_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unauth_destination
Same error with:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_sender_login_mismatch
The problem is that with that regex incoming mails (from hotmail or gmail for example) are being rejected with the error:
NOQUEUE: reject: RCPT from mail-oln040092064102.outbound.protection.outlook.com[40.92.64.102]: 553 5.7.1 [email protected]: Sender address rejected: not logged in; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>
Is there any way to do this without having to write a table mapping each email to itself:
[email protected] [email protected]
[email protected] [email protected]
etc...
Or would it be better to use sql, and then selecting two times the column that has the complete email address? What do you think? I'm about to migrate the virtual domains/users to sql.
EDIT
I have moved reject_sender_login_mismatch as suggested:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
But I'm still getting the same "Sender address rejected: not logged in;" error.
This is my config:
# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = no
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = localhost
myhostname = mail.domain.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = HIGH
smtp_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtp_tls_protocols = !SSLv2:!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_enforce_tls = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_milters = unix:/run/opendkim/opendkim.sock
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtpd_tls_key_file = /etc/letsencrypt/live/domain/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = HIGH
smtpd_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtpd_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:73
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = domain.com another.com yetanother.com
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 50
virtual_uid_maps = static:73
And /etc/postfix/login_maps:
[email protected] [email protected]
[email protected] [email protected]
etc...
This way it's working, no matter where I place reject_sender_login_mismatch. And again, no matter where I place it, if I use a regex I'm getting the error. So right now it is inside smtpd_sender_restrictions; shouldn't it only target outgoing (virtual domains only) mail instead of incoming too?
Just because the option sounds right, doesn't mean that you can use it for the intended purpose.
There's a difference between smtpd_relay_restrictions and smtpd_sender_restrictions, for which the reject_sender_login_mismatch restriction was meant. External users don't log in to your server to send mails to you, so it does not make sense to check if there is a mismatch. The check is to prevent a logged-in user A from changing the envelope address to something other than what he or she is allowed in the smtpd_sender_login_maps. The check does not prevent your users from spoofing (e.g. A could still pretend to be anybody, like another user B, by sending a message with a different From: header field). Check out "Does postfix reject spoofed senders?" for further pointers on this topic.
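The following is an added illustration (not code from the question, the answer, or Postfix itself) that models how Postfix evaluates the reject_sender_login_mismatch family against an smtpd_sender_login_maps pcre: table, covering both the question's catch-all regex and the answer's point about the envelope sender. It mimics the documented behaviour of pcre_table(5) and postconf(5): first matching rule wins, ${N} expands to a capture group, matching is case-insensitive by default, and reject_sender_login_mismatch is the union of reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch. Per-rule pcre flags and the user@/@domain partial lookups of non-regex tables are not modelled. The domain list, the sender addresses and the login names are constructed placeholders.

```python
"""Model of how Postfix evaluates reject_*sender_login_mismatch against an
smtpd_sender_login_maps pcre: table.  Added illustration, not Postfix code;
it follows pcre_table(5) and postconf(5) closely enough to show why a
catch-all regex rejects unauthenticated external senders."""
import re
from typing import Optional

# Constructed tables in pcre_table(5) syntax ("/pattern/ result"), not from the post.
CATCH_ALL_TABLE = r"""
# the regex from the question: every address is owned by a login of the same name
/^(.*)$/ ${1}
"""

SCOPED_TABLE = r"""
# assumed domain list: only addresses in our own virtual domains have an owner
/^(.+@(domain\.com|another\.com|yetanother\.com))$/ ${1}
"""

_RULE = re.compile(r'^/(?P<pattern>(?:\\.|[^/])*)/(?P<flags>[A-Za-z!]*)\s+(?P<result>\S.*)$')


def parse_pcre_table(text: str) -> list:
    """Parse '/regex/ result' lines into (compiled_regex, result) pairs.
    Matching is case-insensitive (Postfix's default); per-rule flags are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f'unparsable pcre table line: {raw!r}')
        rules.append((re.compile(m.group('pattern'), re.IGNORECASE), m.group('result')))
    return rules


def lookup_owners(rules: list, sender: str) -> Optional[list]:
    """First matching rule wins, as in Postfix; ${N} / $N expand to capture groups.
    Returns the list of owner login names, or None when no rule matches."""
    for regex, result in rules:
        m = regex.search(sender)
        if m:
            expanded = re.sub(r'\$\{?(\d+)\}?',
                              lambda s: m.group(int(s.group(1))) or '', result)
            return [o for o in re.split(r'[,\s]+', expanded) if o]
    return None


def sender_login_check(table_text: str, sender: str, sasl_login: Optional[str],
                       restriction: str = 'reject_sender_login_mismatch') -> str:
    """Return the SMTP reply Postfix would give, or 'DUNNO' when the restriction
    does not fire.  Only the envelope MAIL FROM is checked, never the From: header."""
    owners = lookup_owners(parse_pcre_table(table_text), sender)
    check_authed = restriction in ('reject_sender_login_mismatch',
                                   'reject_authenticated_sender_login_mismatch')
    check_unauthed = restriction in ('reject_sender_login_mismatch',
                                     'reject_unauthenticated_sender_login_mismatch')
    if sasl_login is None:
        # Unauthenticated client: rejected only if the map says someone owns the address.
        if check_unauthed and owners is not None:
            return f'553 5.7.1 <{sender}>: Sender address rejected: not logged in'
        return 'DUNNO'
    # Authenticated client: rejected unless the login name is among the owners.
    owned = owners is not None and sasl_login.lower() in (o.lower() for o in owners)
    if check_authed and not owned:
        return f'553 5.7.1 <{sender}>: Sender address rejected: not owned by user {sasl_login}'
    return 'DUNNO'


def demo() -> dict:
    """Constructed scenarios (addresses are placeholders, not from the post)."""
    return {
        # the question's failure: external mail matches the catch-all map
        'external_catch_all': sender_login_check(CATCH_ALL_TABLE, 'someone@outlook.com', None),
        # same map, but only the authenticated half of the check is enabled
        'external_catch_all_authed_only': sender_login_check(
            CATCH_ALL_TABLE, 'someone@outlook.com', None,
            'reject_authenticated_sender_login_mismatch'),
        # a map scoped to our own domains has no owner for outside addresses
        'external_scoped': sender_login_check(SCOPED_TABLE, 'someone@outlook.com', None),
        # alice, logged in, tries to use bob's address as envelope sender
        'alice_as_bob': sender_login_check(SCOPED_TABLE, 'bob@domain.com', 'alice@domain.com'),
        # alice sending as herself
        'alice_as_alice': sender_login_check(SCOPED_TABLE, 'alice@domain.com', 'alice@domain.com'),
    }


if __name__ == '__main__':
    for name, verdict in demo().items():
        print(f'{name:32} {verdict}')
```

Running it reproduces the "not logged in" rejection for the outside sender under the catch-all table, shows that the same table passes that sender when only the authenticated variant of the restriction is used, and shows that a table scoped to the server's own virtual domains still stops a logged-in user from putting another local address in MAIL FROM, while leaving external senders alone.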