From 2ee344e9c7ab8182efde6a18e50d4b4e7d148e71 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Wed, 12 Jun 2024 10:45:13 -0400
Subject: postfix: Deny submission sender/login mismatch

Prevent outgoing spoofed emails by requiring the MAIL FROM header to match the SASL login name. Specifically, the SASL user must "own" the address. `smtpd_sender_login_maps` defines a lookup table to determine ownership. We create a placeholder table that states each user simply owns their own email address (aka: the value of their username).

Signed-off-by: Malfurious
---
 postfix/master.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'postfix/master.cf')
diff --git a/postfix/master.cf b/postfix/master.cf
index 45df2bb..935dbec 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -22,7 +22,7 @@ submissions inet n - n - - smtpd
 -o smtpd_sasl_path=private/auth
 -o smtpd_reject_unlisted_recipient=no
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-# -o smtpd_sender_restrictions=
+ -o smtpd_sender_restrictions=reject_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o cleanup_service_name=cleanupips
 -o milter_macro_daemon_name=ORIGINATING
--
cgit v1.2.3
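Review bot: The new `-o smtpd_sender_restrictions=reject_sender_login_mismatch` override only has an effect through `smtpd_sender_login_maps`, which is not set in this hunk; the page is limited to postfix/master.cf, so the placeholder table the description mentions cannot be checked here. It is worth confirming that the table's keys match the exact form of the SASL login name (bare user versus user@domain), since a mismatch there would presumably reject all authenticated mail on this service. The restriction compares the envelope MAIL FROM only, so the message's From: header is not constrained by it. If master.cf defines a second authenticated service (for example a `submission` entry outside this hunk), it needs the same override. I would add a comment above the line such as `# envelope sender must be owned by the SASL login (see smtpd_sender_login_maps)`.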