Sender address spoofing with smtp auth problem

  • Bu Xiaobing
    Message 1 of 3 , May 23, 2013
      Hi there,

      I want to make the sender address equal to the login name. The following are the main settings in my main.cf:
      smtpd_tls_security_level = may
      smtpd_tls_cert_file = /etc/pki/dovecot/certs/mail.example.com.crt
      smtpd_tls_key_file = /etc/pki/dovecot/private/mail.example.com.key
      smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = /var/spool/postfix/private/auth
      smtpd_sasl_auth_enable = yes
      mailbox_size_limit = 1024000000
      message_size_limit = 30720000
      smtpd_sasl_security_options = noanonymous
      broken_sasl_auth_clients = yes
      smtpd_sender_login_maps = hash:/etc/postfix/test

      The login_maps points to /etc/postfix/test, which contains

      test@... test
      buxiaobing@... buxiaobing

      Finally I do
      postmap test and test.db

      Then I configured my MUA client to log in to my Postfix mail server, using the name "buxiaobing" and the right password, but I set the "EMAIL ADDRESS"/sender to test@...
      and sent a test mail to my gmail.com mail account, and it could still be received.

      Can anyone give me some advice?

      Thanks,
      Bu Xiaobing
    • Viktor Dukhovni
      Message 2 of 3 , May 23, 2013
        On Thu, May 23, 2013 at 07:30:18PM +0800, Bu Xiaobing wrote:

        > I want to make the sender address equal to the login name. The
        > following are the main settings in my main.cf:
        >
        > smtpd_tls_security_level = may
        > smtpd_recipient_restrictions =
        >     permit_sasl_authenticated,
        >     reject_unauth_destination,
        >     reject_sender_login_mismatch
        > smtpd_sender_login_maps = hash:/etc/postfix/test

        Order matters, the "reject_sender_login_mismatch" restriction will only
        apply to unauthenticated users, since no further restrictions are processed
        after "permit_sasl_authenticated" returns "OK". Try:

        smtpd_recipient_restrictions =
            reject_sender_login_mismatch,
            permit_sasl_authenticated,
            reject_unauth_destination

        --
        Viktor.
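
The first-match behaviour described in this reply, modelled in Python as an added example that is not part of the original thread and is not Postfix code. Assumptions: example.org stands in for the domain elided in the post, evaluate() models only the three restrictions named in the thread, and reaching the end of the list is treated as a permit.

```python
import re

# Constructed stand-in for the thread's /etc/postfix/test map. The domain is
# elided in the post, so example.org is a placeholder.
SENDER_LOGIN_MAP = {"test@example.org": {"test"},
                    "buxiaobing@example.org": {"buxiaobing"}}

BEFORE = ("smtpd_recipient_restrictions = permit_sasl_authenticated, "
          "reject_unauth_destination, reject_sender_login_mismatch\n")
AFTER = """smtpd_recipient_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def restriction_list(main_cf, name="smtpd_recipient_restrictions"):
    """Return the ordered restriction names set for `name` in main.cf text."""
    lines = [l for l in main_cf.splitlines() if not l.lstrip().startswith("#")]
    # A line that starts with whitespace continues the previous line.
    logical = re.sub(r"\n[ \t]+", " ", "\n".join(lines))
    for line in logical.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return [r for r in re.split(r"[,\s]+", value.strip()) if r]
    return []

def evaluate(restrictions, sasl_login, mail_from, rcpt_is_local):
    """Walk the list in order; the first permit or reject ends evaluation.
    Returns (verdict, deciding restriction)."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl_login:
            return "permit", r
        if r == "reject_unauth_destination" and not rcpt_is_local:
            return "reject", r
        if r == "reject_sender_login_mismatch":
            owners = SENDER_LOGIN_MAP.get(mail_from, set())
            if sasl_login and sasl_login not in owners:
                return "reject", r   # logged in, but not as an owner
            if owners and not sasl_login:
                return "reject", r   # owned address, no login at all
    return "permit", "end of list"

if __name__ == "__main__":
    # The session from the thread: login buxiaobing, sender test@...,
    # recipient at a remote domain.
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(restriction_list(cf),
                              "buxiaobing", "test@example.org", False))
```

With the original order the mismatched sender is accepted by permit_sasl_authenticated before the login check is ever reached; with the reordered list the same session is rejected by reject_sender_login_mismatch.
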
      • Bu Xiaobing
        Message 3 of 3 , May 23, 2013
          On 2013-5-23 21:47, Viktor Dukhovni wrote:
          > On Thu, May 23, 2013 at 07:30:18PM +0800, Bu Xiaobing wrote:
          >
          >> I want to make the sender address equal to the login name. The
          >> following are the main settings in my main.cf:
          >>
          >> smtpd_tls_security_level = may
          >> smtpd_recipient_restrictions =
          >>     permit_sasl_authenticated,
          >>     reject_unauth_destination,
          >>     reject_sender_login_mismatch
          >> smtpd_sender_login_maps = hash:/etc/postfix/test
          >
          > Order matters, the "reject_sender_login_mismatch" restriction will only
          > apply to unauthenticated users, since no further restrictions are processed
          > after "permit_sasl_authenticated" returns "OK". Try:
          >
          > smtpd_recipient_restrictions =
          >     reject_sender_login_mismatch,
          >     permit_sasl_authenticated,
          >     reject_unauth_destination
          >

          It works. I tried putting the rule reject_sender_login_mismatch in front of the others, and it works!

          The rules work like they do in iptables.

          Thanks!