Felipe Alfaro Solana

In order to evade mail-relaying, unathorized users try to spoof the e-mail sender address in mail messages. One trick they use consists in making Postfix think the sender belongs to a mail domain in $mydestination (that the message comes from a domain belonging to the list of domains that Postfix considers itself the final destination for).

For example:

mydomain = example.com
myorigin = $mydomain
mydestination =
    $mydomain,
    mail.$mydomain,
    www.$mydomain,
    ftp.$mydomain,
    localhost

The unauthorized user could try to pose as user@example.com in order to send messages to other users in the example.com mail domain, or to other users in other mail domains.

One way to stop this from happening is by using Authenticated SMTP (so Postfix can track who the sender is) and by establishing a relationship between (authenticated) users and message addresses. For example, we can link user user1 to message addresses user1@example.com and user2@example.com. So, when user1 authenticates against Postfix, he is allowed to send messages as either user1@example.com or user2@example.com, but no other address from the example.com mail domain.

This can be achieved by listing the option reject_sender_login_mismatch inside smtpd_recipient_restrictions. For example:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_sender_login_mismatch

reject_sender_login_mismatch works in cooperation with smtpd_sender_login_maps, which defines the linking between (authenticated) users and mail addresses. This mapping is defined using a table, which can be stored in a plain-text file and then converted to a hash table, a mysql table, etc. For example:

smtpd_sender_login_maps =
    hash:/etc/postfix/smtpd_sender_login_maps

The table is stored as a hash map, whose plain-text representation is stored in file /etc/postfix/smtpd_sender_login_maps. This plain-text file is then converted to a hash map by using the postmap command:

# cd /etc/postfix
# postmap smtpd_sender_login_maps

Thus, smtpd_sender_login_maps specifies ownership of MAIL FROM addresses, as used by the reject_sender_login_mismatch sender address restriction.

Each line of the table specifies a sender address and the (authenticated) user login name that owns that address. The table has the following syntax and search order:

1. user@domain owner

   This form has the highest precedence. A user who successfully authenticates against Postfix as owner can send messages as user@domain.

2. user owner

   This matches user@site when site is equal to $myorigin, when site is listed in $mydestination, or when site is listed in $inet_interfaces.

3. @domain owner

   This matches every address in the specified domain, and has the lowest precedence.

For example, a file /etc/postfix/smtpd_sender_login_maps with these entries:

user1@example.com user1
user2@example.com user1
user3@example.com user3
@example.com user4

Has the following meaning:

• user1 owns both user1@example.com and user2@example.com mail addresses.
• user3 owns user3@example.com
• user4 owns any other address from the @example.com mail domain, except user1@example.com, user2@example.com and user3@example.com.

Thus, user1 can send messages as user1@example.com or user2@example.com, but he is not allowed to pose as sender user3@example.com or any other address.

NOTE: More information about Postfix UCE (Unsolicited Commercial E-mails) can be found here.