Applicable to:
- Plesk Onyx for Linux
Question
How to restrict "From" field mismatches and prevent outbound mail spoofing?
Answer
Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.
Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.
- Connect to the server via SSH.
- Back up configuration files:
# cp -a /etc/postfix/main.cf{,.bak}
- Change the value of "smtpd_sender_restrictions" in /etc/postfix/main.cf so that Postfix rejects messages when the logged-in mail user differs from the one written in the "From" field:
# postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"
- Add the lookup key value for the authentication ID in /etc/postfix/main.cf:
# postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
- Restart Postfix:
# service postfix restart
Note: The setting will be applied server-wide.
This configuration can be tested with the following commands:
# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553
where:
"spoofing@example.com" - the forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - a mailbox on the server.
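The decision that "reject_sender_login_mismatch" makes, as an added example (a simplified Python model, not Plesk's or Postfix's own code): Postfix compares the SASL login with the envelope sender (MAIL FROM, which curl's --mail-from sets), and it also evaluates sessions that did not authenticate. The map contents and the session list are constructed, and the function names are hypothetical.

```python
# Simplified model of Postfix's reject_sender_login_mismatch decision.
# The check uses the envelope sender (MAIL FROM), not the message header.

def lookup_owners(login_map, mail_from):
    """Return the SASL logins that own mail_from, or None if it is unlisted.

    Follows the Postfix lookup order for smtpd_sender_login_maps:
    user@domain, then @domain (the bare "user" form is left out here).
    """
    addr = mail_from.lower()
    for key in (addr, "@" + addr.rpartition("@")[2]):
        if key in login_map:
            # A map value may name several owners, separated by commas or spaces.
            return {o.lower() for o in login_map[key].replace(",", " ").split()}
    return None


def sender_login_mismatch(login_map, mail_from, sasl_login=None):
    """Return True when the restriction would reject this MAIL FROM."""
    owners = lookup_owners(login_map, mail_from)
    if sasl_login is None:
        # Unauthenticated client: rejected only if the address has an owner.
        return owners is not None
    # Authenticated client: must be listed as an owner of the address.
    return owners is None or sasl_login.lower() not in owners


# Constructed sample map (address -> owning logins); not real Plesk data.
SAMPLE_MAP = {
    "jdoe2@example.com": "jdoe2@example.com",
    "sales@example.com": "jdoe2@example.com, asmith@example.com",
}

# Constructed sessions: (MAIL FROM, SASL login or None for no authentication).
SAMPLE_SESSIONS = [
    ("jdoe2@example.com", "jdoe2@example.com"),     # own address
    ("spoofing@example.com", "jdoe2@example.com"),  # the article's curl test
    ("sales@example.com", "asmith@example.com"),    # shared address, listed owner
    ("jdoe2@example.com", None),                    # no login, local mailbox as sender
    ("someone@example.org", None),                  # no login, address not in the map
]

if __name__ == "__main__":
    for mail_from, login in SAMPLE_SESSIONS:
        verdict = "reject" if sender_login_mismatch(SAMPLE_MAP, mail_from, login) else "pass"
        print(f"{verdict:6}  MAIL FROM={mail_from}  login={login}")
```

The fourth session shows that a client which does not authenticate is still rejected when it uses an address listed in the map as its sender.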
Comments
Hi!
On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:
Can you please advise?
Solved!
Here's the information, in case someone else bumps into the same issue.
The above-mentioned restriction, if put into the main.cf file, actually gets enabled for both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, submission config:
Et voila! :)
Hi @Siniša Burina!
Thanks for sharing!
Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?
If incoming connections on port 25 are blocked, there is an easier solution, which doesn't disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.
The solution is just to block SASL authenticated messages instead of all messages.
Make sure to block incoming TCP connections on Port 25. Unauthenticated mails will not be checked for Sender / FROM mismatch.
New SMTP behaviour:
Allowed senders for SMTPS (465) and SMTP STARTTLS (587):