Applicable to:
- Plesk for Linux
Question
How to restrict mismatch of the "From" header for emails and prevent outbound mail spoofing on Plesk for Linux server with Postfix?
Answer
Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.
Note: Postfix 2.1 or newer is required for the "reject_sender_login_mismatch" restriction.
-
Connect to the server using SSH.
- Backup the Postfix configuration file:
# cp -a /etc/postfix/main.cf{,.bak}
-
Change value of the parameter "smtpd_sender_restrictions" in the file
/etc/postfix/main.cf
so Postfix prevents sending messages if a logged-in mail user differs from the one in the "From" header:# postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"
-
Execute the command below to make authentication possible within the Postfix server only for mail accounts from the
/var/spool/postfix/plesk/virtual.db
file# postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
-
Restart Postfix:
# service postfix restart
Note: The setting will be applied server-wide.
This configuration can be tested with the following commands:
# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "jdoe2@example.com" --upload-file ./message --user 'jdoe2@example.com:password' --ssl
<...>
curl: (55) RCPT failed: 553
where "spoofing@example.com" - forged "From" field.
"jdoe2@example.com" - any recipient.
"jdoe2@example.com" - mailbox from the server.
Comments
1 comment
Please add an explanation about functionality that may or will be disrupted. I'd like to know what to expect if I implement this solution.
Please sign in to leave a comment.