[postfix] smtpd_reject_unlisted_sender has no effect

Discussion in 'Installation/Configuration' started by kepon, Mar 15, 2023.

  1. kepon


    Good morning,

    Subject: postfix, message sending

    I would like to restrict the sending of e-mails. Currently, if you are authenticated with the server, you can send with any identity (From), for example [email protected], while of course I don't host a gmail server...

    I am in a situation where the server has been running for a while and it is difficult for me to activate reject_sender_login_mismatch because some people have "exotic" email client configurations...

    So the compromise would have been to restrict at least to the domains known to the server. For that, I read in the documentation that smtpd_reject_unlisted_sender could do the trick, but setting this parameter to "yes" has no effect: I can still send as [email protected] when I am authenticated...

    Did I miss something?

    Myconfig:
    • Debian 11
    • ISPconfig 3.2.9p1 (fresh upgrade)

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = srvmail.*******.net, localhost, localhost.localdomain
    relayhost = mailgw1.*****.net:25
    mynetworks = 127.0.0.0/8 [::1]/128
    inet_interfaces = all
    recipient_delimiter = +
    
    readme_directory = /usr/share/doc/postfix
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/etc/sympa/virtual.sympa
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf, hash:/etc/sympa/transport.sympa
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf, hash:/etc/sympa/transport.sympa, hash:/etc/sympa/sympa_transport, hash:/etc/sympa/virtual.sympa
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, hash:/etc/sympa/transport.sympa, hash:/etc/sympa/sympa_transport, hash:/etc/postfix/transport
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    # Only consulted by reject_sender_login_mismatch / reject_authenticated_sender_login_mismatch;
    # reject_unlisted_sender does not use this table.
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
    # NOTE(review): permit_sasl_authenticated is listed before reject_unlisted_sender, so an
    # authenticated client is accepted here before that check is reached. Independently of
    # the order, reject_unlisted_sender only tests sender addresses whose domain is one the
    # server itself claims (mydestination, virtual_alias_domains, virtual_mailbox_domains,
    # relay_domains) against the corresponding recipient tables. A sender in a foreign domain
    # such as gmail.com falls outside those classes and is never rejected by it, so this
    # restriction cannot stop an authenticated user from using a third-party From address.
    smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = dane
    # NOTE(review): only SSLv2/SSLv3 are excluded here; TLS 1.0 and 1.1 stay enabled unless the
    # OpenSSL/Debian defaults disable them — confirm before relying on that.
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    myhostname = srvmail.******.net
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    mailbox_size_limit = 0
    message_size_limit = 10485760
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous, noplaintext
    
    # Limit the number of recipients (per-client recipient rate limit)
    smtpd_client_recipient_rate_limit=300
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_tls_mandatory_ciphers = medium
    # NOTE(review): the list ends with DES-CBC3-SHA (3DES) and still includes non-PFS AES-CBC
    # suites; consider trimming once client compatibility has been checked.
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = no
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    address_verify_sender_ttl = 15686s
    smtp_dns_support_level = dnssec
    # https://postfix.traduc.org/index.php/postconf.5.html#smtpd_reject_unlisted_sender
    # NOTE(review): this makes Postfix apply the reject_unlisted_sender check implicitly, but the
    # check has the same scope as the explicit restriction: only sender addresses in the server's
    # own domain classes are tested against the recipient tables. It does not restrict
    # authenticated users to hosted domains. Tying a login to the From addresses it may use is
    # what reject_sender_login_mismatch (via smtpd_sender_login_maps) does; a "hosted domains
    # only" rule for authenticated clients would instead need a check_sender_access lookup on a
    # hosted-domain table placed before permit_sasl_authenticated, presumably wrapped in a
    # restriction class so it applies only to authenticated sessions — verify against postconf(5).
    smtpd_reject_unlisted_sender = yes
    #smtpd_reject_unlisted_sender = no
    sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
    smtp_sender_dependent_authentication = yes
    smtp_sasl_tls_security_options = noanonymous
    authorized_flush_users =
    authorized_mailq_users = nagios, icinga
    bounce_template_file = /etc/postfix/bounce.cf.fr

    Code:
    # Both lookups query smtpd_sender_login_maps: the first sender returns nothing (not a known
    # login owner), the second returns the login allowed to use it. That table is consulted only
    # by reject_sender_login_mismatch / reject_authenticated_sender_login_mismatch, so this output
    # says nothing about whether reject_unlisted_sender is taking effect.
    root@srvmail:~# postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    root@srvmail:~# postmap -q [email protected] mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    [email protected]
     
  2. till


    You can configure under System > server config > mail if an authenticated sender is restricted to his own address or not.
     
  3. kepon


    Yes, but "login mismatch" is too restrictive (and would have too many negative consequences on the existing setup...). I accept that [email protected], authenticating as [email protected], can send as michel@his.domain or [email protected], for example (his.domain being hosted on the ISPConfig server), but not as [email protected]...

    That's why I fell back on reject_sender_login_mismatch but it doesn't seem to work :/

    I am aware that it may be exotic and that I should have activated "login mismatch" from the start (by the way, it would be interesting to activate it by default, wouldn't it?)

    David
     
  4. Th0m


    Personally, my advice would be to make a breaking change and have your clients update their settings... Otherwise you'll have to build a complicated and not-so-clean solution.
     
