diff options
| author | Malfurious <m@lfurio.us> | 2024-06-12 10:45:13 -0400 |
|---|---|---|
| committer | Malfurious <m@lfurio.us> | 2024-06-14 22:46:33 -0400 |
| commit | 2ee344e9c7ab8182efde6a18e50d4b4e7d148e71 (patch) | |
| tree | de81a90c3c847e2803c35b84fcd245e78552d564 | |
| parent | dc7f1bb8f52569b158f0c24c02070fcc459e580d (diff) | |
| download | mailnode-2ee344e9c7ab8182efde6a18e50d4b4e7d148e71.tar.gz mailnode-2ee344e9c7ab8182efde6a18e50d4b4e7d148e71.zip | |
postfix: Deny submission sender/login mismatch
Prevent outgoing spoofed emails by requiring the MAIL FROM header to
match the SASL login name.
Specifically, the SASL user must "own" the address.
`smtpd_sender_login_maps` defines a lookup table to determine ownership.
We create a placeholder table that states each user simply owns their
own email address (aka: the value of their username).
Signed-off-by: Malfurious <m@lfurio.us>
| -rwxr-xr-x | postfix/entrypoint.sh | 10 | ||||
| -rw-r--r-- | postfix/main.cf | 1 | ||||
| -rw-r--r-- | postfix/master.cf | 2 |
3 files changed, 10 insertions, 3 deletions
diff --git a/postfix/entrypoint.sh b/postfix/entrypoint.sh index 18805eb..46c06ab 100755 --- a/postfix/entrypoint.sh +++ b/postfix/entrypoint.sh @@ -1,11 +1,17 @@ #!/bin/sh -# Generate virtual mailbox mappings from user password file -# "user@domain domain/user/" +# Generate virtual mappings from user password file +# Incoming mail: "user@domain domain/user/" >vmailbox +# (The trailing slash indicates the directory is a maildir.) sed 's/:.*$//g' </etc/userconfig/passwd \ | awk -F '@' '{printf "%s %s/%s/\n", $0, $2, $1}' >/etc/postfix/vmailbox +# Outgoing mail: "user@domain user@domain" >vaddress +sed 's/:.*$//g' </etc/userconfig/passwd \ + | awk '{printf "%s %s\n", $0, $0}' >/etc/postfix/vaddress + # Generate Berkeley DB files +postmap /etc/postfix/vaddress postmap /etc/postfix/vmailbox postmap /etc/userconfig/aliases diff --git a/postfix/main.cf b/postfix/main.cf index 2397399..7ded588 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -35,6 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # System parameters smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +smtpd_sender_login_maps = hash:/etc/postfix/vaddress myhostname = ENV_HOSTNAME mydestination = $myhostname localhost mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 diff --git a/postfix/master.cf b/postfix/master.cf index 45df2bb..935dbec 100644 --- a/postfix/master.cf +++ b/postfix/master.cf @@ -22,7 +22,7 @@ submissions inet n - n - - smtpd -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o smtpd_sender_restrictions= + -o smtpd_sender_restrictions=reject_sender_login_mismatch -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o cleanup_service_name=cleanupips -o milter_macro_daemon_name=ORIGINATING |