How to restrict mismatch of "From" header for emails and prevent outbound mail spoofing on Plesk for Linux server with Postfix?

Applicable to:

  • Plesk for Linux

Question

How to restrict mismatch of the "From" header for emails and prevent outbound mail spoofing on Plesk for Linux server with Postfix?

Answer

Warning: This solution may disrupt mail functionality, such as Plesk notifications, the Postfix sendmail wrapper, or other features. In general, disruptions occur either when an external SMTP server is used with this configuration, or when a feature relies on sending unauthenticated emails or on mismatched "From" headers. In such cases, it is preferable to use SPF hard fail.

Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.

  1. Connect to the server using SSH.
  2. Back up the Postfix configuration file:

    # cp -a /etc/postfix/main.cf{,.bak}

  3. Change the value of the "smtpd_sender_restrictions" parameter in the file /etc/postfix/main.cf so that Postfix refuses to send a message if the logged-in mail user differs from the one in the "From" header:

    # postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"

  4. Execute the command below so that authentication within the Postfix server is possible only for mail accounts from the /var/spool/postfix/plesk/virtual.db file:

    # postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual

  5. Restart Postfix:

    # systemctl restart postfix

    Note: The setting will be applied server-wide.

This configuration can be tested with the following commands:

    # touch message
    # curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
    <...>
    curl: (55) RCPT failed: 553

where:

  • "spoofing@example.com" is the forged "From" field;
  • "jdoe2@example.com" (in --mail-rcpt) is any recipient;
  • "jdoe2@example.com" (in --user) is a mailbox from the server.
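
Added example (not part of the original article and not Plesk or Postfix code): a simplified Python model of how Postfix evaluates "reject_sender_login_mismatch" against "smtpd_sender_login_maps", covering the curl test above and the unauthenticated case mentioned in the warning. Postfix compares the SMTP envelope sender (MAIL FROM, which curl sets with --mail-from) with the SASL login; the map contents and the exact-match lookup are assumptions made for illustration.

```python
# Simplified model of Postfix's reject_sender_login_mismatch decision.
# Assumption: exact-address lookups only; real Postfix also tries other
# lookup keys (for example @domain) when searching the map.

# Constructed sample of smtpd_sender_login_maps: sender address -> owner logins.
LOGIN_MAP = {
    "jdoe2@example.com": {"jdoe2@example.com"},
    "sales@example.com": {"jdoe2@example.com", "asmith@example.com"},
}

def check_sender(mail_from, sasl_login=None, login_map=LOGIN_MAP):
    """Return (action, reason) for one MAIL FROM / SASL login pair."""
    owners = login_map.get(mail_from.lower())
    if sasl_login is None:
        # Unauthenticated client: rejected only when the address has an owner.
        if owners:
            return ("REJECT 553", "not logged in")
        return ("DUNNO", "no owner; later restrictions decide")
    # Authenticated client: must be listed as an owner of the sender address.
    if owners and sasl_login.lower() in owners:
        return ("DUNNO", "login owns sender; later restrictions decide")
    return ("REJECT 553", "not owned by user " + sasl_login)

# Constructed cases; the second one mirrors the article's curl test.
CASES = [
    ("jdoe2@example.com", "jdoe2@example.com"),
    ("spoofing@example.com", "jdoe2@example.com"),
    ("sales@example.com", "asmith@example.com"),
    ("jdoe2@example.com", None),   # e.g. a local script that does not log in
    ("monitor@other.example", None),
]

if __name__ == "__main__":
    for mail_from, login in CASES:
        action, reason = check_sender(mail_from, login)
        print(f"{mail_from:24} login={login!s:20} {action:10} {reason}")
```

Because step 3 places the restriction first in "smtpd_sender_restrictions", a rejection here happens before any restriction that follows it in the list is consulted.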

Comments

1 comment
  • Please add an explanation about functionality that may or will be disrupted. I'd like to know what to expect if I implement this solution.

    1
