From 2ee344e9c7ab8182efde6a18e50d4b4e7d148e71 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Wed, 12 Jun 2024 10:45:13 -0400 Subject: postfix: Deny submission sender/login mismatch Prevent outgoing spoofed emails by requiring the MAIL FROM header to match the SASL login name. Specifically, the SASL user must "own" the address. `smtpd_sender_login_maps` defines a lookup table to determine ownership. We create a placeholder table that states each user simply owns their own email address (aka: the value of their username). Signed-off-by: Malfurious --- postfix/main.cf | 1 + 1 file changed, 1 insertion(+) (limited to 'postfix/main.cf') diff --git a/postfix/main.cf b/postfix/main.cf index 2397399..7ded588 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -35,6 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # System parameters smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +smtpd_sender_login_maps = hash:/etc/postfix/vaddress myhostname = ENV_HOSTNAME mydestination = $myhostname localhost mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -- cgit v1.2.3
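Review bot: The added `smtpd_sender_login_maps = hash:/etc/postfix/vaddress` only names the ownership table. Postfix consults it solely from a `reject_*_sender_login_mismatch` restriction, and none is visible in this hunk, where `smtpd_relay_restrictions` still goes straight to `permit_sasl_authenticated`. The diffstat is limited to postfix/main.cf, so the restriction may be set for the submission service in master.cf; if it is not, a line such as `smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch` is needed for the mismatch to be denied. I would also add a comment above the new line, `# Ownership table for reject_*_sender_login_mismatch; checks the envelope sender only, not the From: header. Run postmap after editing.`, because a `hash:` table has to be compiled before Postfix can read it. A quick check after deployment is an authenticated submission with a MAIL FROM address the login does not own, which should be rejected at the SMTP stage.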