
How to enforce 'From:' message header field to match the sasl authenticated username


Hamy

Apr 2, 2016, 10:36:12 PM
Hi,
I am using smtpd_sender_login_maps on the submission port to enforce the envelope 'MAIL FROM:' command, and it's working as expected. The problem, however, is that the user can still use any arbitrary 'From:' header field that she wants, and OpenDKIM will happily sign it. I am looking for a way to enforce that the From: header field matches the SASL authenticated username. Ideally this should happen before queuing, so I can reject the message while the SMTP session is still in progress.
It is my understanding that header_checks can't be used for this, as its functionality is very limited.

What are my options? Can anyone please help?
Thank you in advance.

Best Regards,

Tobias

Apr 3, 2016, 6:11:28 AM
A quick search uncovered four options for smtpd_sender_restrictions which you should check.

reject_authenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.
reject_known_sender_login_mismatch
Apply the reject_sender_login_mismatch restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps. This feature is available in Postfix version 2.11 and later.
reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

reject_unauthenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.


BR
Tobias

Hamy

Apr 3, 2016, 6:33:07 AM
Hi, thank you for your response. But I don't think that any of those actually apply to my situation.
They're all restrictions applied to the 'MAIL FROM:' envelope, and as I've said earlier, I've already taken care of that and it works fine. What I'm talking about is the 'From:' field of the message header (not the envelope). I want to enforce matching it against the 'MAIL FROM:' envelope. For example, if the user is SASL authenticated as us...@example.com, she is allowed (and enforced) to use:

MAIL FROM:<us...@example.com>

Now I want to match that against the message header 'From:'. The user should only be allowed to use something like this in the header:

From: nickname <us...@example.com>

Anything else should be rejected.

Any ideas?
Thanks in advance.


Tobias

Apr 4, 2016, 5:37:31 AM
Ah yes, you're right.

I have yet to find any obvious way directly in Postfix to either force the From: header to be rewritten to MAIL FROM envelope, or to check this same header against the envelope or authenticated username.

I had some ideas of possibly using cleanup, trivial-rewrite, or canonical, but I've yet to find a way to make it work. If there's some generic Milter around that can run simple scripts, that could work to bounce. Or, for rewriting, trigger a script after the message has been queued to modify the From: header (perhaps AlterMIME can be used for this?)

/Tobias
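The check such a milter would perform at end-of-headers, as an added example in Python that is not from this thread, from Postfix, or from any milter project. It assumes the SASL login name is a full address (Postfix hands it to a milter in the {auth_authen} macro) and applies the rule stated above: exactly one From: mailbox, whose address must equal the login; anything else is rejected.

```python
from email.utils import getaddresses


def normalize(addr: str) -> str:
    """Canonical form for comparison: strip whitespace and lower-case the
    whole address. Assumption: addresses are compared case-insensitively;
    drop .lower() on the local part if a site needs case-sensitive local parts."""
    return addr.strip().lower()


def from_header_matches_login(from_value: str, login: str) -> tuple[bool, str]:
    """Check one raw From: header value against the SASL login name.
    Returns (accepted, reason). Anything ambiguous is rejected, not only a
    plain mismatch: several mailboxes, a group, or a value the parser cannot
    make sense of all fail."""
    # getaddresses() does the RFC 5322 parsing: display names (quoted or not),
    # comments and angle brackets are handled, and on malformed input it yields
    # no usable address, which lands in the "found 0" rejection below.
    mailboxes = [addr for _name, addr in getaddresses([from_value]) if addr]
    if len(mailboxes) != 1:
        return False, f"From: must contain exactly one mailbox, found {len(mailboxes)}"
    if normalize(mailboxes[0]) != normalize(login):
        return False, f"From: address {mailboxes[0]} does not match login {login}"
    return True, "ok"


def check_headers(headers: list[tuple[str, str]], login: str) -> tuple[bool, str]:
    """Apply the rule to the whole header block as a milter sees it (name/value
    pairs, already unfolded). A missing or duplicated From: is rejected too, so
    a check that only looked at the first From: could not be sidestepped."""
    froms = [value for name, value in headers if name.lower() == "from"]
    if len(froms) != 1:
        return False, f"expected exactly one From: header, found {len(froms)}"
    return from_header_matches_login(froms[0], login)


if __name__ == "__main__":
    # Constructed sample: the headers a milter would see for a submission
    # authenticated as user@example.com (hypothetical address).
    sample = [("From", "nickname <user@example.com>"),
              ("To", "someone@example.net"),
              ("Subject", "hello")]
    print(check_headers(sample, "user@example.com"))  # (True, 'ok')
    print(check_headers([("From", "Boss <boss@example.com>")], "user@example.com"))
```

In a real milter the reason string becomes the SMTP reply text of the rejection, which keeps the check visible in the submission session rather than failing silently after queuing.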

maximilian...@gmail.com

Jun 28, 2017, 2:04:11 PM
Hey,

I solved the problem by writing my own milter for that and published it under BSD on github:

https://github.com/magcks/milterfrom

I'm happy about any feedback and hope some of you find it useful to use my code.

jensen...@gmail.com

Jun 29, 2019, 1:30:49 PM
OpenDKIM has:

ReplaceHeaders (data set)

Defines a set of header fields that should be affected by the text replacement rules defined by the ReplaceRules setting. By default, all header fields are included.

and

ReplaceRules (string)

Specifies a file containing a list of text replacement rules that are applied to the message header fields to replace certain content expected to be changed as the message passes through local MTAs. This can be used to accommodate expected changes such as are made to From: fields by MTA "masquerade" features. Each entry in the file consists of a POSIX regular expression, followed by a tab (ASCII 9), followed by the text that should be used to replace the text matching the expression. The '#' character denotes the beginning of a comment and text from that point on in a single line is ignored. Blank lines are also skipped.