How to restrict the field "From" mismatch for emails and prevent outbound mail spoofing?


  • Siniša Burina

    Hi!

    On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:

    warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
    warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support

    Can you please advise?

     

  • Siniša Burina

    Solved!

    Here's the information, in case someone else bumps into the same issue.

    The above-mentioned restriction, if put into the main.cf file, actually gets enabled for both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, in the submission config:

    submission inet n - - - - smtpd
      -o smtpd_enforce_tls=no
      -o smtpd_tls_security_level=may
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
      -o smtpd_recipient_restrictions=$submission_recipient_restrictions
      -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

    Et voila! :)

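As an added example (not part of the thread, and not Postfix or Plesk code), this Python script checks a configuration for the situation in the first two comments above: a `*_sender_login_mismatch` restriction that reaches an smtpd service where SASL is off. It assumes the warning is logged for exactly those services, takes main.cf as an already-parsed dict, and does not expand `$parameter` references; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from a real server): restriction set globally in main.cf.
MAIN_CF = {"smtpd_sasl_auth_enable": "no",
           "smtpd_sender_restrictions": "reject_authenticated_sender_login_mismatch"}
MASTER_CF = """\
smtp       inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
pickup     unix n - - 60 1 pickup
"""
MISMATCH = re.compile(r"\breject_\w*sender_login_mismatch\b")


def smtpd_services(master_cf):
    """Yield (name/type, {-o overrides}) for every smtpd entry in master.cf."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:   # indented line continues the entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    for fields in map(str.split, entries):
        if len(fields) >= 8 and fields[7] == "smtpd":
            args = fields[8:]
            pairs = [v for flag, v in zip(args, args[1:]) if flag == "-o" and "=" in v]
            yield f"{fields[0]}/{fields[1]}", dict(p.split("=", 1) for p in pairs)


def ignored_mismatch_checks(main_cf, master_cf):
    """List smtpd services using a sender_login_mismatch restriction with SASL off."""
    findings = []
    for name, overrides in smtpd_services(master_cf):
        effective = {**main_cf, **overrides}   # -o wins over main.cf
        if effective.get("smtpd_sasl_auth_enable", "no") == "yes":
            continue                           # assumption: no warning when SASL is on
        hits = sorted(k for k, v in effective.items()
                      if k.endswith("_restrictions") and MISMATCH.search(v))
        if hits:
            findings.append((name, hits))
    return findings


if __name__ == "__main__":
    for service, params in ignored_mismatch_checks(MAIN_CF, MASTER_CF):
        print(f"{service}: SASL disabled, mismatch check in {params} is ignored")
```

With the sample input only the port 25 `smtp/inet` service is reported; moving the restriction out of main.cf and into the submission entry, as described above, clears the finding.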
  • Alexandr Redikultsev

    Hi @Siniša Burina!

    Thanks for sharing!

  • Siniša Burina

    Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?

  • Linus (Edited)

    If incoming connections on port 25 are blocked, there is an easier solution, which doesn't disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

    The solution is just to block SASL-authenticated messages instead of all messages.


    # /etc/postfix/main.cf

    smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
    smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated

    Make sure to block incoming TCP connections on Port 25. Unauthenticated mails will not be checked for Sender / FROM mismatch.

     

    New SMTP behaviour:

    • SMTP (25): ✗ Sender Login Mismatch won't be rejected
    • SMTP (SSL) (465): ✓ Sender Login Mismatch will be rejected
    • SMTP (STARTTLS) (587): ✓ Sender Login Mismatch will be rejected


    Allowed senders for SMTPS (465) and SMTP STARTTLS (587):

