Note: This article is recommended for experienced administrators only.
To prevent authenticated senders from using a sender address (the SMTP envelope MAIL FROM, which is what this restriction checks; the From: header inside the message itself is not inspected) that doesn't match the mailbox they are authenticating as, you can use the following:
1. Edit the file /etc/postfix/main.cf and, in the smtpd_sender_restrictions option, add the reject_authenticated_sender_login_mismatch restriction just before the permit_sasl_authenticated entry. The order matters: Postfix evaluates the list left to right and stops at the first permit or reject, so a mismatch check placed after permit_sasl_authenticated would never be reached.
Before (Plesk default):
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
After:
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
2. Run the command below to set smtpd_sender_login_maps, the lookup table the restriction needs in order to know which login owns each sender address (Plesk's virtual map lists every mailbox address as its own owner):
postconf -e "smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual"
3. Reload Postfix:
postfix reload
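As an added illustration of the two pieces configured in the steps above (the main.cf edit and the ownership check that reject_authenticated_sender_login_mismatch performs), the following Python models both. It is not Postfix or Plesk code. VIRTUAL_MAP is a constructed stand-in for hash:/var/spool/postfix/plesk/virtual, the lookup is simplified to an exact match on the full sender address (real Postfix also tries other key forms), and the function names are this example's own. It goes slightly beyond the page by also modelling the unauthenticated and combined variants of the restriction, selected with the mode argument.

```python
"""Model of the main.cf edit and of Postfix's sender/login ownership check.
Added example, not Postfix or Plesk code; the map below is constructed."""

from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

RESTRICTION = "reject_authenticated_sender_login_mismatch"
PERMIT_AUTH = "permit_sasl_authenticated"


def insert_login_mismatch_restriction(value: str) -> str:
    """Return the smtpd_sender_restrictions value with RESTRICTION placed
    directly before permit_sasl_authenticated. Idempotent, and it also
    repairs the case where the restriction was added *after*
    permit_sasl_authenticated, where Postfix would never reach it.
    Assumes the comma-separated form Plesk writes (Postfix itself also
    accepts whitespace as a separator)."""
    items = [item.strip() for item in value.split(",") if item.strip()]
    if PERMIT_AUTH not in items:
        raise ValueError(f"{PERMIT_AUTH} not present; nothing to guard")
    items = [item for item in items if item != RESTRICTION]
    items.insert(items.index(PERMIT_AUTH), RESTRICTION)
    return ", ".join(items)


@dataclass
class Decision:
    accept: bool
    reply: str = ""  # SMTP reply text on rejection, empty when accepted


def sender_login_check(
    sasl_username: Optional[str],
    mail_from: str,
    login_maps: Mapping[str, Iterable[str]],
    mode: str = "authenticated",
) -> Decision:
    """Simplified model of Postfix's sender/login mismatch restrictions.

    mode selects which restriction is modelled:
      "authenticated"   reject_authenticated_sender_login_mismatch (this page)
      "unauthenticated" reject_unauthenticated_sender_login_mismatch
      "both"            reject_sender_login_mismatch
    login_maps maps a sender address to the SASL logins that own it, which
    is the role smtpd_sender_login_maps plays. Lookup here is an exact
    match on the lowercased full address (simplification).
    """
    owners = {owner.lower() for owner in login_maps.get(mail_from.lower(), ())}
    if sasl_username is not None:
        # Logged-in client: the login must be one of the address owners.
        if mode in ("authenticated", "both") and sasl_username.lower() not in owners:
            return Decision(False, f"553 5.7.1 <{mail_from}>: Sender address rejected: "
                                   f"not owned by user {sasl_username}")
    else:
        # Anonymous client: an address that has an owner may not be used without logging in.
        if mode in ("unauthenticated", "both") and owners:
            return Decision(False, f"553 5.7.1 <{mail_from}>: Sender address rejected: not logged in")
    return Decision(True)


# Constructed stand-in for the Plesk virtual map. Plesk writes each mailbox as
# "address address", so every address is its own owner; the info@ entry is a
# constructed alias with two owners, included to show the multi-login form.
VIRTUAL_MAP = {
    "test@example.com": ["test@example.com"],
    "info@example.com": ["test@example.com", "alice@example.com"],
}

PLESK_DEFAULT = ("check_sender_access hash:/var/spool/postfix/plesk/blacklists, "
                 "permit_sasl_authenticated")

if __name__ == "__main__":
    print("smtpd_sender_restrictions =", insert_login_mismatch_restriction(PLESK_DEFAULT))
    for login, sender in [("test@example.com", "spoofing@example.com"),
                          ("test@example.com", "test@example.com"),
                          ("alice@example.com", "info@example.com")]:
        d = sender_login_check(login, sender, VIRTUAL_MAP)
        print(f"{login} -> MAIL FROM <{sender}>: {'accept' if d.accept else d.reply}")
```

Running the block prints the corrected restriction list from step 1 and then the decision for three sender/login pairs; the first pair is the spoofing case the test section below reproduces with curl and yields the same "not owned by user" reply.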
To test:
Create a test message:
echo "this is a test" > message
Run the command below, where test@example.com is a mailbox on the server and password is that user's password:
curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "test@example.com" --upload-file ./message --user 'test@example.com:password' --ssl
You should get the error:
curl: (55) RCPT failed: 553
Under Warden -> Logs -> Reject log you should see the following message:
<spoofing@example.com>: Sender address rejected: not owned by user test@example.com
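The Warden panel shows the rejection, but the same line is written by postfix/smtpd to the mail log, and after enabling the restriction it is worth checking who is being rejected: a legitimate user whose mail client sends from an alias missing from the login map looks the same in the log as an account whose credentials are being used to send as someone else. The following Python, an added example that is not Plesk or Postfix code, groups those rejections by authenticated user. The log lines are constructed samples in the standard postfix/smtpd reject format with RFC 5737 documentation addresses, and the function names are this example's own.

```python
"""Summarise reject_authenticated_sender_login_mismatch rejections from a
Postfix mail log. Added example; the log lines below are constructed."""

import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Matches only rejections produced by reject_authenticated_sender_login_mismatch;
# other 5xx rejects (blacklist, unknown domain, ...) use different text and are skipped.
MISMATCH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"553 5\.7\.1 <(?P<sender>[^>]*)>: Sender address rejected: "
    r"not owned by user (?P<user>[^;\s]+); from=<[^>]*> to=<(?P<rcpt>[^>]*)>"
)


def summarize_mismatches(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group mismatch rejections by the authenticated (SASL) user.
    Each entry is (attempted sender address, recipient, client host)."""
    by_user: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            by_user[m["user"]].append((m["sender"], m["rcpt"], m["client"]))
    return dict(by_user)


def users_to_review(summary: Dict[str, List[Tuple[str, str, str]]],
                    threshold: int = 2) -> List[str]:
    """Users with at least `threshold` mismatches, sorted. Each is either a
    misconfigured client (fix the client or add the alias to the login map)
    or an account whose credentials should be rotated."""
    return sorted(user for user, hits in summary.items() if len(hits) >= threshold)


# Constructed sample log. The last line is a check_sender_access (blacklist)
# reject and must not be counted.
SAMPLE_LOG = [
    "Mar  3 10:15:02 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: "
    "553 5.7.1 <spoofing@example.com>: Sender address rejected: not owned by user test@example.com; "
    "from=<spoofing@example.com> to=<test@example.com> proto=ESMTP helo=<client>",
    "Mar  3 10:16:40 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "553 5.7.1 <ceo@example.com>: Sender address rejected: not owned by user test@example.com; "
    "from=<ceo@example.com> to=<finance@example.com> proto=ESMTP helo=<laptop>",
    "Mar  3 10:17:01 mail postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
    "553 5.7.1 <sales@example.com>: Sender address rejected: not owned by user alice@example.com; "
    "from=<sales@example.com> to=<bob@example.net> proto=ESMTP helo=<phone>",
    "Mar  3 10:18:22 mail postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: "
    "554 5.7.1 <spam@example.org>: Sender address rejected: Access denied; "
    "from=<spam@example.org> to=<test@example.com> proto=ESMTP helo=<mx>",
]

if __name__ == "__main__":
    # Pass a mail log path (for example /var/log/maillog) to scan a real file;
    # with no argument the constructed sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize_mismatches(lines)
    for user, hits in sorted(summary.items()):
        print(f"{user}: {len(hits)} mismatch(es)")
        for sender, rcpt, client in hits:
            print(f"    tried <{sender}> -> <{rcpt}> from {client}")
    print("review:", ", ".join(users_to_review(summary)) or "none")
```

The regex is anchored on the exact reply text Postfix emits for this restriction, so a blacklist or unknown-domain reject in the same log is ignored; the per-user list of attempted sender addresses is what tells a misconfigured alias apart from misuse of the account.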