Block sender address spoofing with SMPT AUTH

/ Felipe Alfaro Solana

In order to evade mail-relaying, unathorized users try to spoof the e-mail sender address in mail messages. One trick they use consists in making Postfix think the sender belongs to a mail domain in $mydestination (that the message comes from a domain belonging to the list of domains that Postfix considers itself the final destination for).

For example:

mydomain = example.com
myorigin = $mydomain
mydestination =
    $mydomain,
    mail.$mydomain,
    www.$mydomain,
    ftp.$mydomain,
    localhost

The unauthorized user could try to pose as user@example.com in order to send messages to other users in the example.com mail domain, or to other users in other mail domains.

One way to stop this from happening is by using Authenticated SMTP (so Postfix can track who the sender is) and by establishing a relationship between (authenticated) users and message addresses. For example, we can link user user1 to message addresses user1@example.com and user2@example.com. So, when user1 authenticates against Postfix, he is allowed to send messages as either user1@example.com or user2@example.com, but no other address from the example.com mail domain.

This can be achieved by listing the option reject_sender_login_mismatch inside smtpd_recipient_restrictions. For example:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_sender_login_mismatch

reject_sender_login_mismatch works in cooperation with smtpd_sender_login_maps, which defines the linking between (authenticated) users and mail addresses. This mapping is defined using a table, which can be stored in a plain-text file and then converted to a hash table, a mysql table, etc. For example:

smtpd_sender_login_maps =
    hash:/etc/postfix/smtpd_sender_login_maps

The table is stored as a hash map, whose plain-text representation is stored in file /etc/postfix/smtpd_sender_login_maps. This plain-text file is then converted to a hash map by using the postmap command:

# cd /etc/postfix
# postmap smtpd_sender_login_maps

Thus, smtpd_sender_login_maps specifies ownership of MAIL FROM addresses, as used by the reject_sender_login_mismatch sender address restriction.

Each line of the table specifies a sender address and the (authenticated) user login name that owns that address. The table has the following syntax and search order:

  1. user@domain owner

    This form has the highest precedence. A user who successfully authenticates against Postfix as owner can send messages as user@domain.

  2. user owner

    This matches user@site when site is equal to $myorigin, when site is listed in $mydestination, or when site is listed in $inet_interfaces.

  3. @domain owner

    This matches every address in the specified domain, and has the lowest precedence.

For example, a file /etc/postfix/smtpd_sender_login_maps with these entries:

user1@example.com user1
user2@example.com user1
user3@example.com user3
@example.com user4

Has the following meaning:

  • user1 owns both user1@example.com and user2@example.com mail addresses.
  • user3 owns user3@example.com
  • user4 owns any other address from the @example.com mail domain, except user1@example.com, user2@example.com and user3@example.com.

Thus, user1 can send messages as user1@example.com or user2@example.com, but he is not allowed to pose as sender user3@example.com or any other address.

NOTE: More information about Postfix UCE (Unsolicited Commercial E-mails) can be found here.

25 thoughts on “Block sender address spoofing with SMPT AUTH

  1. Pingback: Sergio Hernando » Artículos interesantes

  2. Plendid! This will be part of my next postfix installment. I receive lots of spam that spoof my own email addresses. This will stop that quite effectively. Thanks for this great article.

  5. Pingback: How to enforce sender address to be “logged-in-user@example.org” in Postfix? - Admins Goodies

  7. Pingback: Kaplan 2010 USMLE step 2 ck Videos Infectious Disease

  8. Pingback: Sinequanone online store

  11. Some truly great blog posts on this site, thank you for contribution. “An alcoholic is someone you don’t like who drinks as much as you do.” by Dylan Thomas.

  12. Hey
    I have powermta nulled for sale.
    Good price. I provide full support , installation and mailing servers if needed.

    em. triggermailing @ gmail.com.

  13. To work you have to put reject_sender_login_mismatch, before permit_sasl_authenticated, inside smtpd_recipient_restrictions parameter. If you put permit_sals_auth… before the mail will be accepted and it will not pas the reject_ restriction.

    Good job !

  16. Superb blog you have here but I was curious about if you knew of any forums that cover the same topics discussed here?
    I’d really like to be a part of community where I can get responses from
    other knowledgeable people that share the same interest.
    If you have any suggestions, please let me know. Kudos!

  19. Hi there! Quick question that’s completely off topic.
    Do you know how to make your site mobile friendly? My site looks weird when viewing from my iphone.
    I’m trying to find a theme or plugin that might be able to resolve this problem.
    If you have any recommendations, please share. Cheers!

  24. Thank you for this guide! It fixed my issue with receiving spam email in my inbox from my email address.

  25. Skype has launched its web-dependent customer beta on the entire world, following starting it
    largely inside the United states and U.K. previous this 30 days.
    Skype for Internet also now works with Linux and Chromebook for immediate text
    messaging conversation (no video and voice however, all those require a connect-in set up).

    The expansion of the beta adds assistance for
    an extended list of spoken languages to assist reinforce that worldwide functionality

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s