How to restrict the field "From" mismatch for emails and prevent outbound mail spoofing? – Plesk Help Center

Applicable to:

Plesk Onyx for Linux

Question

How to restrict the field "From" mismatch and prevent outbound mail spoofing?

Answer

Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.

Connect to the server via SSH.
Change value of "smtpd_sender_restrictions" in /etc/postfix/main.cf so Postfix prevents sending messages if a logged-in mail user is different from the one written in "From" field:

# sed -i.bkp 's/smtpd_sender_restrictions =/smtpd_sender_restrictions = reject_sender_login_mismatch,/' /etc/postfix/main.cf

Note: backup of /etc/postfix/main.cf will be automatically created in /etc/postfix/ directory.
Add lookup key value for authentication ID in /etc/postfix/main.cf:

# echo 'smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual' >> /etc/postfix/main.cf
Restart Postfix:

# service postfix restart

Note: The setting will be applied server-wide.

This configuration can be tested with the following commands:

# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553

where "spoofing@example.com" - forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - mailbox from the server.

submission inet n - - - - smtpd
-o smtpd_enforce_tls=no
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

Comments

4 comments

Siniša Burina November 02, 2018 08:28
Hi!

On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:
```
warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
```
Can you please advise?
0

Comment actions Permalink
Siniša Burina November 02, 2018 10:20
Solved!

Here's the information, in case someone else bumps into the same issue.

The above-mentioned restriction, if put into the main.cf file, actually gets enabled to both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, submission config:
```
submission inet n - - - - smtpd
 -o smtpd_enforce_tls=no
 -o smtpd_tls_security_level=may
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=$submission_recipient_restrictions
 -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions
```
Et voila! :)
0

Comment actions Permalink
Alexandr Redikultsev November 03, 2018 05:28

Hi @Siniša Burina!

Thanks for sharing!

0

Comment actions Permalink
Siniša Burina November 17, 2018 20:23

Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?

0

Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Articles in this section

Applicable to:

Question

Answer

Related articles