
I have Postfix SMTP configured to require authentication for relaying mail to the outside world.

When an outside SMTP server wants to deliver mail to my domain (destination: anything@mydomain.com), authentication is not necessary - this is the way things worked for me - to be able to receive email from the outside world and still avoid open relay. But I would be delighted if I could configure Postfix to require authentication for clients which present themselves as local users, regardless of their destination mail address, preferably without header checks as they have tremendous performance impact.

Why would I need this? Because an imposter could deliver mail to my local users and represent himself as another local user. Eve just sent an email from alice@mydomain.com to bob@mydomain.com, unauthenticated, using this SMTP server. And Alice and Bob are in a fight.

I need auth required for ehlo anything@mydomain.com

vzr

1 Answer


There are a number of restrictions you can add via smtpd_sender_restrictions

reject_sender_login_mismatch

Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

It's possible to be more permissive, but in any case you have to define smtpd_sender_login_maps in order to utilize this restriction.

stefan0xC
  • How to define smtpd_sender_login_maps in such a way that it blocks all senders from **@mydomain.tld**? Something like !@mydomain.tld won't work – vzr Aug 24 '17 at 13:13
  • I think you misunderstand the point of this map. It is to specify which users can send as which address, so Postfix can e.g. check if there is a mismatch and reject the mail for not logged in users or also authenticated users who are not permitted to send as another user. – stefan0xC Aug 24 '17 at 13:51
  • Yes I did, but I wanted to tell that I need the opposite of what smtpd_sender_login_maps usually does. Nvm, header checks will do. I.e., I wanted "which domain to block" - not "which user to allow" – vzr Aug 24 '17 at 14:15
  • @vzr with the map you can define what email addresses an account is allowed to use. You can use any map type, including regex. – sebix Aug 26 '17 at 20:44
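
The rule quoted in the answer, combined with the regex map suggested in the last comment, modelled as an added example (not code from the thread or from Postfix). It assumes SASL login names are full e-mail addresses; the map file path and the sample sessions are constructed.

```python
import re

# Constructed stand-in for a regexp-type smtpd_sender_login_maps table:
# every address in the domain is owned by the login of the same name.
# Rough Postfix equivalent (file path is an assumption):
#   smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
#   smtpd_sender_restrictions = reject_sender_login_mismatch
#   sender_login.pcre:  /^(.+@mydomain\.com)$/  $1
SENDER_LOGIN_MAP = [(re.compile(r"^(.+@mydomain\.com)$", re.I), r"\1")]


def owners_of(mail_from):
    """Return the set of logins that own mail_from, empty if unlisted."""
    for pattern, template in SENDER_LOGIN_MAP:
        m = pattern.match(mail_from)
        if m:
            # A lookup result may list several owners (comma/space separated).
            result = m.expand(template)
            return {o.lower() for o in re.split(r"[,\s]+", result) if o}
    return set()


def sender_login_mismatch(mail_from, sasl_login=None):
    """Model of the documented rule: return 'REJECT' or 'DUNNO'."""
    owners = owners_of(mail_from)
    if sasl_login is None:
        # Not logged in: reject only if the address has an owner.
        return "REJECT" if owners else "DUNNO"
    # Logged in: the login must own the MAIL FROM address.
    return "DUNNO" if sasl_login.lower() in owners else "REJECT"


# Constructed sessions: (MAIL FROM, SASL login or None)
SESSIONS = [
    ("alice@mydomain.com", None),                  # Eve, unauthenticated
    ("someone@example.org", None),                 # inbound mail from outside
    ("alice@mydomain.com", "alice@mydomain.com"),  # Alice, logged in
    ("alice@mydomain.com", "bob@mydomain.com"),    # Bob sending as Alice
]

if __name__ == "__main__":
    for mail_from, login in SESSIONS:
        verdict = sender_login_mismatch(mail_from, login)
        print(f"{mail_from:22} login={login!s:20} -> {verdict}")
```

Because the single pattern gives every @mydomain.com address an owner, unauthenticated mail claiming a local sender is rejected while inbound mail from other domains falls through to the remaining restrictions.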