Articles in this section

See more

How to restrict the field "From" mismatch for emails and prevent outbound mail spoofing?

Avatar
Ekaterina Babenko
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux

Question

How to restrict the field "From" mismatch and prevent outbound mail spoofing?

Answer

Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.

  1. Connect to the server via SSH.

  2. Backup configuration files:

    # cp -a /etc/postfix/main.cf{,.bak}

  3. Change value of "smtpd_sender_restrictions" in /etc/postfix/main.cf so Postfix prevents sending messages if a logged-in mail user is different from the one written in "From" field:

    # postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"

  4. Add lookup key value for authentication ID in /etc/postfix/main.cf:

    # postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual

  5. Restart Postfix:

    # service postfix restart

    Note: The setting will be applied server-wide.

This configuration can be tested with the following commands:

# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553

where "spoofing@example.com" - forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - mailbox from the server.

Comments

4 comments

Sort by Date Votes
  • Avatar
    Siniša Burina

    Hi!

    On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:

    warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
    warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support

    Can you please advise?

     

    0
    Comment actions Permalink
  • Avatar
    Siniša Burina

    Solved!

    Here's the information, in case someone else bumps into the same issue.

    The above-mentioned restriction, if put into the main.cf file, actually gets enabled to both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, submission config:

    submission inet n - - - - smtpd
     -o smtpd_enforce_tls=no
     -o smtpd_tls_security_level=may
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
     -o smtpd_recipient_restrictions=$submission_recipient_restrictions
     -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

    Et voila! :)

    0
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Hi @Siniša Burina!

    Thanks for sharing!

    0
    Comment actions Permalink
  • Avatar
    Siniša Burina

    Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles