How to restrict the field "From" mismatch for emails and prevent outbound mail spoofing?

Ekaterina Babenko

Updated December 08, 2020 12:00

Plesk Onyx for Linux kb: how-to ABT: Group B

Applicable to:

Plesk Onyx for Linux

Question

How to restrict the field "From" mismatch and prevent outbound mail spoofing?

Answer

Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.

Connect to the server via SSH.
Backup configuration files:
# cp -a /etc/postfix/main.cf{,.bak}
Change value of "smtpd_sender_restrictions" in /etc/postfix/main.cf so Postfix prevents sending messages if a logged-in mail user is different from the one written in "From" field:

# postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"
Add lookup key value for authentication ID in /etc/postfix/main.cf:

# postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
Restart Postfix:

# service postfix restart

Note: The setting will be applied server-wide.

This configuration can be tested with the following commands:

# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553

where "spoofing@example.com" - forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - mailbox from the server.

submission inet n - - - - smtpd
-o smtpd_enforce_tls=no
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

# /etc/postfix/main.cf

smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated

Comments

5 comments

Siniša Burina November 02, 2018 08:28
Hi!

On Debian jessie, with postfix version 2.11.3-1+deb8u2, I'm getting the following notification in the log file, and the solution does not work:
```
warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
```
Can you please advise?
0

Comment actions Permalink
Siniša Burina November 02, 2018 10:20
Solved!

Here's the information, in case someone else bumps into the same issue.

The above-mentioned restriction, if put into the main.cf file, actually gets enabled to both incoming SMTP connections and submissions, which is not what we really want. So, instead of configuring it in main.cf, put it in master.cf, submission config:
```
submission inet n - - - - smtpd
 -o smtpd_enforce_tls=no
 -o smtpd_tls_security_level=may
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=$submission_recipient_restrictions
 -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions
```
Et voila! :)
0

Comment actions Permalink
Alexandr Redikultsev November 03, 2018 05:28

Hi @Siniša Burina!

Thanks for sharing!

0

Comment actions Permalink
Siniša Burina November 17, 2018 20:23

Hey! What happened to my previous post? Was it dangerous in some way so you decided to remove it?

0

Comment actions Permalink
Linus December 08, 2020 11:50 (Edited December 08, 2020 12:00)
If incoming connections on port 25 are blocked there is an easier solution, which doesn't disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.

The solution is, just to block SASL authenticated messages instead of all messages.
```
# /etc/postfix/main.cf

smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
```
Make sure to block incoming TCP connections on Port 25. Unauthenticated mails will not be checked for Sender / FROM mismatch.

New SMTP behaviour:
- SMTP (25): X Sender Login Mismatch won't be rejected
- SMTP (SSL) (465): ✓ Sender Login Mismatch will be rejected
- SMTP (STARTTLS) (587): ✓ Sender Login Mismatch will be rejected
Allowed senders for SMTPS (465) and SMTP STARTTLS (587):
- Primary Inbox Address (demo@domain.com)
- All defined Alias Addresses (alias1@domain.com, alias2@domain.com)
0

Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Articles in this section

Applicable to:

Question

Answer

Related articles