From 2ee344e9c7ab8182efde6a18e50d4b4e7d148e71 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Wed, 12 Jun 2024 10:45:13 -0400 Subject: postfix: Deny submission sender/login mismatch Prevent outgoing spoofed emails by requiring the MAIL FROM header to match the SASL login name. Specifically, the SASL user must "own" the address. `smtpd_sender_login_maps` defines a lookup table to determine ownership. We create a placeholder table that states each user simply owns their own email address (aka: the value of their username). Signed-off-by: Malfurious --- postfix/entrypoint.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'postfix/entrypoint.sh') diff --git a/postfix/entrypoint.sh b/postfix/entrypoint.sh index 18805eb..46c06ab 100755 --- a/postfix/entrypoint.sh +++ b/postfix/entrypoint.sh @@ -1,11 +1,17 @@ #!/bin/sh -# Generate virtual mailbox mappings from user password file -# "user@domain domain/user/" +# Generate virtual mappings from user password file +# Incoming mail: "user@domain domain/user/" >vmailbox +# (The trailing slash indicates the directory is a maildir.) sed 's/:.*$//g' /etc/postfix/vmailbox +# Outgoing mail: "user@domain user@domain" >vaddress +sed 's/:.*$//g' /etc/postfix/vaddress + # Generate Berkeley DB files +postmap /etc/postfix/vaddress postmap /etc/postfix/vmailbox postmap /etc/userconfig/aliases -- cgit v1.2.3
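Review bot: The new vaddress generation and `postmap /etc/postfix/vaddress` run with no error check, and the script opens at `#!/bin/sh` with no `set -e` visible in the hunk. If the user password file is missing or unreadable, the entrypoint would apparently carry on and build the sender-ownership table from empty or partial input. Because this table now decides which SASL login may use which sender address, a failed or empty build should stop startup with a clear error rather than let Postfix come up on it. A guard such as `[ -s /etc/postfix/vaddress ] || { echo "vaddress is empty" >&2; exit 1; }` before the postmap calls, plus `postmap /etc/postfix/vaddress || exit 1`, would cover both cases; the size test matters because plain sh reports only the last command's status in a pipeline. The rest of the script lies outside the hunk and the sed pipeline text looks truncated in this rendering, so check this against the actual file.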