How to restrict mismatch of "From" header for emails and prevent outbound mail spoofing on Plesk for Linux server with Postfix?

Updated October 15, 2022 18:51

Plesk for Linux kb: how-to

Applicable to:

Plesk for Linux

Question

How to restrict mismatch of the "From" header for emails and prevent outbound mail spoofing on Plesk for Linux server with Postfix?

Answer

Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.

Connect to the server using SSH.
Backup the Postfix configuration file:
# cp -a /etc/postfix/main.cf{,.bak}
Change value of the parameter "smtpd_sender_restrictions" in the file /etc/postfix/main.cf so Postfix prevents sending messages if a logged-in mail user differs from the one in the "From" header:

# postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"
Add lookup key value for authentication ID in the file /etc/postfix/main.cf:

# postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
Restart Postfix:

# service postfix restart

Note: The setting will be applied server-wide.

This configuration can be tested with the following commands:

# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553

where "spoofing@example.com" - forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - mailbox from the server.

submission inet n - - - - smtpd
-o smtpd_enforce_tls=no
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

# /etc/postfix/main.cf

smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated

Comments

6 comments

Sinisa Burina November 02, 2018 08:28
Hi!

On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:
```
warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
```
Can you please advise?
0

Comment actions Permalink
Sinisa Burina November 02, 2018 10:20
Solved!

Here's the information, in case someone else bumps into the same issue.

The above-mentioned restriction, if put into the main.cf file, actually gets enabled to both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, submission config:
```
submission inet n - - - - smtpd
 -o smtpd_enforce_tls=no
 -o smtpd_tls_security_level=may
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=$submission_recipient_restrictions
 -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions
```
Et voila! :)
0

Comment actions Permalink
Alexandr Redikultsev November 03, 2018 05:28

Hi @Siniša Burina!

Thanks for sharing!

0

Comment actions Permalink
Sinisa Burina November 17, 2018 20:23

Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?

0

Comment actions Permalink
Linus Holtstiege December 08, 2020 11:50 (Edited December 08, 2020 12:00)
If incoming connections on port 25 are blocked there is an easier solution, which doesn't disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

The solution is, just to block SASL authenticated messages instead of all messages.
```
# /etc/postfix/main.cf

smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
```
Make sure to block incoming TCP connections on Port 25. Unauthenticated mails will not be checked for Sender / FROM mismatch.

New SMTP behaviour:
- SMTP (25): X Sender Login Mismatch won't be rejected
- SMTP (SSL) (465): ✓ Sender Login Mismatch will be rejected
- SMTP (STARTTLS) (587): ✓ Sender Login Mismatch will be rejected
Allowed senders for SMTPS (465) and SMTP STARTTLS (587):
- Primary Inbox Address (demo@domain.com)
- All defined Alias Addresses (alias1@domain.com, alias2@domain.com)
0

Comment actions Permalink
WN Licenses September 29, 2022 20:27
After applying this configuration, if a domain has it mail service disabled, emails sent from a remote server using that domain are rejected:
```
553 5.7.1 <user@domain.tld>: Sender address rejected: not logged in
```
Is there any fix for that ?
0

Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Articles in this section

Applicable to:

Question

Answer

Related articles