
We have an internet facing MX server whereby all users authenticate their outgoing connection to submit emails via port 587. This MX server routes incoming mail for our domain to an internal postfix smtp server which then delivers mail to local imap servers.

The internal postfix smtp server uses LDAP, alias_maps = ldap:/etc/postfix/ldap-aliases.cf, to look up which imap server a user's mailbox resides on.

There is a postfix option, reject_sender_login_mismatch, that can be mapped with smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf

However, I get the following error:

Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support

No users authenticate to the internal postfix smtp server - all it does is route emails from the MX server. I believe the reason I see the warning "no SASL support" is because postfix doesn't handle the authentication as it's taken care of by the MX server.

postconf -n

alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,  mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
unknown_local_recipient_reject_code = 550

However, with a different config, "smtpd_sender_restrictions = reject_unverified_sender":

If the "envelope From field" contains an invalid forged address the following is logged, which is great to stop unknown email addresses being forged, but doesn't help if it's forged with a known email address.

NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 : Sender address rejected: unverified address: unknown user: "hejem"; from= to= proto=ESMTP helo=

-bash-4.1$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.xxx.0/21, xxx.xxx.xxx.0/22, xxx.0.0.0/xxx, xxx.xxx.0.0/12, xxx.xxx.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_restrictions = reject_unverified_sender

What I want to achieve is for my local internal postfix to check the "envelope From field" to ensure it has not been spoofed, by knowing the sending user's username and looking up its assigned "From" aliases in LDAP; if they don't match, i.e. the user is spoofing, then reject the mail.

Any advice how to implement this check in postfix?

Thanks

1 Answer

Firstly, it is not considered a good practice to activate reject_unverified_sender in postfix services. If you want to prevent mails being sent from non-existing addresses in your domain, you should prefer reject_unlisted_sender.

You cannot be sure about spoofing of existing mail addresses without activating an authentication (SASL) mechanism on the postfix service. Thus, to prevent spoofing of existing addresses:

  • Make sure that smtpd_sender_login_maps is properly configured.
  • Activate SASL authentication on postfix.
  • Configure reject_authenticated_sender_login_mismatch or reject_sender_login_mismatch depending on your preference.

Further reading (from the Postfix SASL documentation):

Envelope sender address authorization

By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.

This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:

/etc/postfix/main.cf:
    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
    smtpd_recipient_restrictions =
        ...
        reject_sender_login_mismatch
        permit_sasl_authenticated
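As an added illustration (not part of the question or answer, and not Postfix code), the following stand-alone model walks through the decision that reject_sender_login_mismatch and its authenticated-only variant make from a smtpd_sender_login_maps lookup, using a constructed in-memory table in place of the LDAP map. The logins, addresses and the "partner.example" domain are made-up sample data; the case where no SASL login name exists corresponds to the question's internal relay.

```python
# Added example: model of the Postfix sender-login check, not Postfix source.
# Constructed stand-in for smtpd_sender_login_maps: the lookup key is the MAIL
# FROM address (or @domain as a fallback); the result is the SASL logins that
# own that address. All entries below are made-up sample data.
SENDER_LOGIN_MAP = {
    "alice@domain1.com": ["alice"],
    "sales@domain1.com": ["alice", "bob"],   # shared alias owned by two logins
    "@partner.example": ["relay-partner"],   # whole domain owned by one login
}


def lookup_owners(mail_from):
    """Return the owners of mail_from, trying the full address, then @domain."""
    addr = mail_from.lower()
    if addr in SENDER_LOGIN_MAP:
        return SENDER_LOGIN_MAP[addr]
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return SENDER_LOGIN_MAP.get("@" + domain, [])


def sender_login_check(mail_from, sasl_login,
                       restriction="reject_sender_login_mismatch"):
    """Verdict of one restriction. sasl_login is None when the client did not
    authenticate (the situation on a relay that has no SASL at all)."""
    owners = lookup_owners(mail_from)
    authenticated = sasl_login is not None
    if restriction == "reject_authenticated_sender_login_mismatch" and not authenticated:
        return "DUNNO"   # variant only looks at SASL-authenticated clients
    if restriction == "reject_unauthenticated_sender_login_mismatch" and authenticated:
        return "DUNNO"   # variant only looks at unauthenticated clients
    if not authenticated:
        # address has an owner but nobody logged in: the address is being borrowed
        return "REJECT" if owners else "DUNNO"
    # authenticated: the login must be among the owners of the address
    return "DUNNO" if sasl_login.lower() in owners else "REJECT"


def verdicts():
    """Cases a practitioner would check before enabling the restriction."""
    return {
        "owner_ok": sender_login_check("alice@domain1.com", "alice"),
        "bob_spoofs_alice": sender_login_check("Alice@Domain1.com", "bob"),
        "shared_alias": sender_login_check("sales@domain1.com", "bob"),
        "unlisted_sender": sender_login_check("ceo@domain1.com", "alice"),
        "domain_owner": sender_login_check("anyone@partner.example", "relay-partner"),
        # no SASL login name at all: nothing to compare the address against
        "no_sasl": sender_login_check("alice@domain1.com", None),
        "no_sasl_authenticated_only": sender_login_check(
            "alice@domain1.com", None, "reject_authenticated_sender_login_mismatch"),
    }
```

The last two cases show why the relay in the question cannot make this decision on its own: without a login name, the full restriction rejects even legitimate relayed mail from owned addresses, and the authenticated-only variant lets everything through.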