I'm running Postfix 2.11 and I would like to reject/prevent authenticated
users from sending emails with forged sender/from address.

Right now I've implemented the following policy, which works just fine:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpd_sender_restrictions =
    ...
    reject_unlisted_sender,
    reject_authenticated_sender_login_mismatch,
    ...

This generates the following output when an authenticated user tries to
spoof its sending email address
https://gist.github.com/sibok/efb72be811a51691913a.

But I don't know why, when using AfterLogic Webmail to spoof/forge the
authenticated user's from/sender email address, Postfix sends the email,
because AfterLogic Webmail is only changing the from address but using the
correct login and sender address. Pretty strange; here is the output log:
https://gist.github.com/sibok/0a6334fa1e5bd3662fc9

In the last log, note the sender is p...@example.com and the recipient is
p...@webeloping.es. The spoofed sender is foo...@foobar.com

One can see the spoofed address only appears in the DKIM line; these are
the headers of the email received at Google Apps:
https://gist.github.com/sibok/a4aa6f96723628efa24e But when sending through
Roundcube, RainLoop, Mozilla Thunderbird, etc., Postfix correctly rejects
the spoofed sender email, as can be seen in the first provided gist.

Does anyone know how I should/could prevent it? Maybe a regexp header_check?

It looks like AfterLogic Webmail only rewrites the from header while using
the correct from address for authenticating against Postfix. Maybe
reject_authenticated_sender_login_mismatch
is failing?

Thanks in advance!
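
The behaviour described in this message matches how reject_authenticated_sender_login_mismatch works: it compares the SASL login with the envelope MAIL FROM address via smtpd_sender_login_maps and never looks at the From: header inside the message. As an added example (not part of the original post and not Postfix code), the Python below makes both comparisons, the way a content filter or milter would have to; the map contents, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for an smtpd_sender_login_maps lookup:
# sender address -> SASL logins allowed to send as that address.
SENDER_LOGIN_MAP = {
    "alice@example.com": {"alice@example.com"},
    "bob@example.com": {"bob@example.com"},
    "sales@example.com": {"alice@example.com", "bob@example.com"},
}

def owns(login, address):
    """True if the SASL login may use this sender address."""
    return login in SENDER_LOGIN_MAP.get(address.lower(), set())

def check_submission(sasl_login, mail_from, raw_message):
    """Return a list of findings; an empty list means envelope and header agree."""
    findings = []
    # Envelope check: the comparison the sender_login_mismatch restriction makes.
    if not owns(sasl_login, mail_from):
        findings.append(f"envelope: {mail_from} not owned by {sasl_login}")
    # Header check: not covered by the envelope restriction.
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    addrs = [a for _, a in getaddresses([str(h) for h in from_headers]) if a]
    if len(from_headers) != 1 or not addrs:
        findings.append("header: expected exactly one From header with an address")
    for addr in addrs:
        if not owns(sasl_login, addr):
            findings.append(f"header: From {addr} not owned by {sasl_login}")
    return findings

# Constructed messages (not taken from the gists linked in the post).
HONEST = "From: Alice <alice@example.com>\nTo: carol@example.net\nSubject: hi\n\nbody\n"
FORGED = "From: Foo <foo@foobar.example>\nTo: carol@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("honest", HONEST), ("forged", FORGED)):
        print(name, check_submission("alice@example.com", "alice@example.com", raw))
```
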
