I have installed postfix 2.11.3 + sasl + postfixadmin + dovecot + roundcube on Debian 8. All is working fine, but today every user can send email with another email address. I would like to add a restriction to allow users to send email only with their mailbox or the aliases related to their mailbox.
Examples :
1) Mailboxes
user1@example.com
user2@example.com
2) Alias
alias1@example.com goto user1@example.com
alias2@example.com goto user2@example.com
I would like user1@example.com, logged in as user1@example.com, to be able to send email as user1@example.com and alias1@example.com only.
user1 should not be able to use user2, alias2 or whatever.
I'm looking for a solution using a mysql_table lookup, as I manage mailboxes and aliases with postfixadmin and MySQL. Something like this:
SELECT address FROM alias WHERE address = '%s' AND goto LIKE '%<login>%'
From the man page, only these parameters are available:
%s This is replaced by the input key. SQL quoting is used to make sure that the input key does not add unexpected metacharacters.
%u When the input key is an address of the form user@domain, %u is replaced by the SQL quoted local part of the address. Otherwise, %u is replaced by the entire search string. If the localpart is empty, the query is suppressed and returns no results.
%d When the input key is an address of the form user@domain, %d is replaced by the SQL quoted domain part of the address. Otherwise, the query is suppressed and returns no results.
%[SUD] The upper-case equivalents of the above expansions behave in the query parameter identically to their lower-case counter-parts. With the result_format parameter (see below), they expand the input key rather than the result value.
%[1-9] The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is user@mail.example.com, then %1 is com, %2 is example and %3 is mail. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the query is suppressed and returns no results.
login is not available.
I know there is a solution to do the restriction in roundcube, but my users can access their email directly without roundcube.
Thanks in advance for your help.
UPDATE
I tried this:
main.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-sender-maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch permit_sasl_authenticated
mysql-virtual-sender-maps.cf
user = mailuser
password = xxxxxxxxxxxxxxxx
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT address FROM alias WHERE goto LIKE '%%%s%%'
Logged in with user1, I'm able to send email with alias2.
The content of the database is the default for postfixadmin:
CREATE TABLE IF NOT EXISTS `alias` (
`address` varchar(255) NOT NULL,
`goto` text NOT NULL,
`domain` varchar(255) NOT NULL,
`created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`active` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Postfix Admin - Virtual Aliases';
CREATE TABLE IF NOT EXISTS `mailbox` (
`username` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL,
`name` varchar(255) CHARACTER SET utf8 NOT NULL,
`maildir` varchar(255) NOT NULL,
`quota` bigint(20) NOT NULL DEFAULT '0',
`local_part` varchar(255) NOT NULL,
`domain` varchar(255) NOT NULL,
`created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`active` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Postfix Admin - Virtual Mailboxes';
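
Added example, not part of the original post: smtpd_sender_login_maps is looked up with the MAIL FROM address as the key and must return the SASL login name(s) that own it, separated by commas or whitespace. The sketch below compares what the query from the UPDATE returns with a lookup keyed on the sender address. Assumptions: sqlite3 stands in for MySQL, the rows (including team@example.com) are constructed, and BY_SENDER, owners and may_send are hypothetical names that only model the lookup.

```python
import re
import sqlite3

# Constructed rows in postfixadmin's alias layout (each mailbox has a self-alias).
ROWS = [
    ("user1@example.com", "user1@example.com"),
    ("user2@example.com", "user2@example.com"),
    ("alias1@example.com", "user1@example.com"),
    ("alias2@example.com", "user2@example.com"),
    ("team@example.com", "user1@example.com,user2@example.com"),
]

# Query from the UPDATE above: matches on goto and returns addresses.
ATTEMPTED = "SELECT address FROM alias WHERE goto LIKE '%' || ? || '%'"
# Assumed alternative: exact match on the sender address, returns its goto list.
# In a Postfix mysql map: SELECT goto FROM alias WHERE address='%s' AND active='1'
BY_SENDER = "SELECT goto FROM alias WHERE address = ? AND active = 1"


def make_db():
    db = sqlite3.connect(":memory:")  # sqlite3 stands in for MySQL
    db.execute("CREATE TABLE alias (address TEXT, goto TEXT, active INTEGER DEFAULT 1)")
    db.executemany("INSERT INTO alias (address, goto) VALUES (?, ?)", ROWS)
    return db


def owners(db, query, sender):
    """Names the map yields for a MAIL FROM address, split on comma/whitespace."""
    names = set()
    for (value,) in db.execute(query, (sender,)):
        names.update(n.lower() for n in re.split(r"[,\s]+", value) if n)
    return names


def may_send(db, query, login, sender):
    """Model of the mismatch check: the SASL login must be among the owners."""
    return login.lower() in owners(db, query, sender)


if __name__ == "__main__":
    db = make_db()
    for sender in ("user1@example.com", "alias1@example.com", "alias2@example.com"):
        print(sender,
              "| attempted:", sorted(owners(db, ATTEMPTED, sender)),
              "| by sender:", sorted(owners(db, BY_SENDER, sender)),
              "| user1 allowed:", may_send(db, BY_SENDER, "user1@example.com", sender))
```

Because the exact-match query keys on `address`, it also avoids the substring matches that `LIKE '%...%'` on `goto` allows.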