Block sender address spoofing with SMPT AUTH

In order to evade mail-relaying, unathorized users try to spoof the e-mail sender address in mail messages. One trick they use consists in making Postfix think the sender belongs to a mail domain in $mydestination (that the message comes from a domain belonging to the list of domains that Postfix considers itself the final destination for).

For example:

mydomain =
myorigin = $mydomain
mydestination =

The unauthorized user could try to pose as in order to send messages to other users in the mail domain, or to other users in other mail domains.

One way to stop this from happening is by using Authenticated SMTP (so Postfix can track who the sender is) and by establishing a relationship between (authenticated) users and message addresses. For example, we can link user user1 to message addresses and So, when user1 authenticates against Postfix, he is allowed to send messages as either or, but no other address from the mail domain.

This can be achieved by listing the option reject_sender_login_mismatch inside smtpd_recipient_restrictions. For example:

smtpd_recipient_restrictions =

reject_sender_login_mismatch works in cooperation with smtpd_sender_login_maps, which defines the linking between (authenticated) users and mail addresses. This mapping is defined using a table, which can be stored in a plain-text file and then converted to a hash table, a mysql table, etc. For example:

smtpd_sender_login_maps =

The table is stored as a hash map, whose plain-text representation is stored in file /etc/postfix/smtpd_sender_login_maps. This plain-text file is then converted to a hash map by using the postmap command:

# cd /etc/postfix
# postmap smtpd_sender_login_maps

Thus, smtpd_sender_login_maps specifies ownership of MAIL FROM addresses, as used by the reject_sender_login_mismatch sender address restriction.

Each line of the table specifies a sender address and the (authenticated) user login name that owns that address. The table has the following syntax and search order:

  1. user@domain owner

    This form has the highest precedence. A user who successfully authenticates against Postfix as owner can send messages as user@domain.

  2. user owner

    This matches user@site when site is equal to $myorigin, when site is listed in $mydestination, or when site is listed in $inet_interfaces.

  3. @domain owner

    This matches every address in the specified domain, and has the lowest precedence.

For example, a file /etc/postfix/smtpd_sender_login_maps with these entries: user1 user1 user3 user4

Has the following meaning:

  • user1 owns both and mail addresses.
  • user3 owns
  • user4 owns any other address from the mail domain, except, and

Thus, user1 can send messages as or, but he is not allowed to pose as sender or any other address.

NOTE: More information about Postfix UCE (Unsolicited Commercial E-mails) can be found here.

25 thoughts on “Block sender address spoofing with SMPT AUTH

  1. Pingback: Sergio Hernando » Artículos interesantes

  2. Plendid! This will be part of my next postfix installment. I receive lots of spam that spoof my own email addresses. This will stop that quite effectively. Thanks for this great article.

  3. Pingback: How to enforce sender address to be “” in Postfix? - Admins Goodies

  4. Pingback: Kaplan 2010 USMLE step 2 ck Videos Infectious Disease

  5. Pingback: Sinequanone online store

  6. Some truly great blog posts on this site, thank you for contribution. “An alcoholic is someone you don’t like who drinks as much as you do.” by Dylan Thomas.

  7. Hey
    I have powermta nulled for sale.
    Good price. I provide full support , installation and mailing servers if needed.

    em. triggermailing @

  8. To work you have to put reject_sender_login_mismatch, before permit_sasl_authenticated, inside smtpd_recipient_restrictions parameter. If you put permit_sals_auth… before the mail will be accepted and it will not pas the reject_ restriction.

    Good job !

  9. Superb blog you have here but I was curious about if you knew of any forums that cover the same topics discussed here?
    I’d really like to be a part of community where I can get responses from
    other knowledgeable people that share the same interest.
    If you have any suggestions, please let me know. Kudos!

  10. Hi there! Quick question that’s completely off topic.
    Do you know how to make your site mobile friendly? My site looks weird when viewing from my iphone.
    I’m trying to find a theme or plugin that might be able to resolve this problem.
    If you have any recommendations, please share. Cheers!

  11. Thank you for this guide! It fixed my issue with receiving spam email in my inbox from my email address.

  12. Skype has launched its web-dependent customer beta on the entire world, following starting it
    largely inside the United states and U.K. previous this 30 days.
    Skype for Internet also now works with Linux and Chromebook for immediate text
    messaging conversation (no video and voice however, all those require a connect-in set up).

    The expansion of the beta adds assistance for
    an extended list of spoken languages to assist reinforce that worldwide functionality

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s