[postfix] smtpd_reject_unlisted_sender has no effect

Discussion in 'Installation/Configuration' started by kepon, Mar 15, 2023.

Tags:
  1. kepon

    kepon New Member

    Good morning,

    Subject: postfix, message sending

    I would like to restrict the sending of e-mails. Currently, if you are authenticated with the server, you can send with any identity (From), example [email protected]... while of course, I don't host a gmail server...

    I am in a situation where the server has been running for a while and it is difficult for me to activate reject_sender_login_mismatch because some people have "exotic" email client configurations...

    So the compromise would have been to restrict at least on the domains known to the server. For that I read in the documentation that smtpd_reject_unlisted_sender could do the trick but passing this parameter to "yes" I have no effect, I can always send as [email protected] if I am authenticated.. .

    Did I miss something?

    Myconfig:
    • Debian 11
    • ISPconfig 3.2.9p1 (fresh upgrade)

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = srvmail.*******.net, localhost, localhost.localdomain
relayhost = mailgw1.*****.net:25
mynetworks = 127.0.0.0/8 [::1]/128
inet_interfaces = all
recipient_delimiter = +

readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/etc/sympa/virtual.sympa
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf, hash:/etc/sympa/transport.sympa
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf, hash:/etc/sympa/transport.sympa, hash:/etc/sympa/sympa_transport, hash:/etc/sympa/virtual.sympa
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, hash:/etc/sympa/transport.sympa, hash:/etc/sympa/sympa_transport, hash:/etc/postfix/transport
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = dane
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
myhostname = srvmail.******.net
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
mailbox_size_limit = 0
message_size_limit = 10485760
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext

# Limitation du nombre de destintataire
smtpd_client_recipient_rate_limit=300
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
# https://postfix.traduc.org/index.php/postconf.5.html#smtpd_reject_unlisted_sender
smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_sender = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sender_dependent_authentication = yes
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users =
authorized_mailq_users = nagios, icinga
bounce_template_file = /etc/postfix/bounce.cf.fr

    Code:
    root@srvmail:~# postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
root@srvmail:~# postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
[email protected]
     
    kepon, Mar 15, 2023
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can configure under System > server config > mail if an authenticated sender is restricted to his own address or not.
     
    till, Mar 15, 2023
    #2
  3. kepon

    kepon New Member

    Yes, but it's too restrictive "login mismatch" (and would have too many negative consequences on the existing one...) I accept that [email protected], authenticating with [email protected] can send with michel@his. domain & [email protected] for example... (his.domain being hosted on the ISPConfig server) but not [email protected]...

    That's why I fell back on reject_sender_login_mismatch but it doesn't seem to work :/

    I am aware that it may be exotic and that I should have activated "login mismatch" from the start (by the way, it would be interesting to activate it by default, wouldn't it?)

    David
     
    kepon, Mar 15, 2023
    #3
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Personally my advice would be to do a breaking change and have your clients update their settings... Otherwise you'll have to make a complicated and not so clean solution.
     
    Th0m, Mar 16, 2023
    #4

Share This Page