Re: canonical based on login name
On 2018-01-20 16:08, Joris (ideeel) wrote:
> hi list
>
> I run a webservice (and a mail service). All websites run under the
> same UID of apa...@webserver.domain.com. I know, not ideal, but I
> cannot change that bit. Problem is that if one site gets hacked, user
> apache starts sending spam with no way to figure out which website is
> misbehaving. Thus we are going to enforce websites to use SASL-auth.
>
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does
> not seem to help me here). I cannot really reject the mail using
> reject_authenticated_sender_login_mismatch because the mails will be
> sent back to the apache user with again no knowledge of the true
> sender.

Maybe I am not getting something, but if you force different SASL-auth for each website you will have the offending username in the logs.

> hope you can give me some pointers or documentation how I can solve this :)
>
> best
> Joris

I had exactly the same problem when one of the websites I was hosting got hacked, and I also wanted to prevent the situation where my user is hacked (malware) and starts sending emails with a matching envelope sender but a forged From header. I ended up using vrfydmn like that:

/usr/bin/python /usr/local/sbin/vrfydmn -F -u vrfydmn -g vrfydmn -s inet:10072@127.0.0.1 -p /var/run/vrfydmn/vrfydmn.pid

I reject emails from users that try to send them with an envelope sender that they don't own, so in my case Postfix makes sure that the envelope sender is OK (reject_sender_login_mismatch), and then vrfydmn makes sure that From: matches.

In your case you can (apparently) force PHP to use a fixed envelope-from address. Then you can use this milter to fix the From: address. Have a look, it might be what you need.

https://github.com/croessner/vrfydmn

Karol

-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
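The second check Karol describes (Postfix has already vouched for the envelope sender via reject_sender_login_mismatch, so the milter only has to make sure the From: header agrees with it) can be modelled in a few lines. This is an added illustration, not the vrfydmn code and not from Karol's post; the "fix" mode is an assumption about what the -F flag does, and the message, addresses and domains are constructed.

```python
"""Added example, not vrfydmn: compare the From: header of a message with
the envelope sender that Postfix has already validated for the SASL login.
A mismatch is either rejected or, in fix mode (assumed to correspond to
Karol's -F flag), rewritten to the envelope sender. Everything below is
constructed for the demonstration."""
import email
from email.message import Message
from email.utils import formataddr, getaddresses, parseaddr

# Constructed message, as a site's PHP would hand it to sendmail(1): the
# envelope sender is the login's own address, but From: still says apache.
RAW = (
    'From: "Web Shop" <apache@webserver.domain.com>\n'
    "To: customer@example.net\n"
    "Subject: Your order\n"
    "Message-ID: <constructed-1@example.com>\n"
    "\n"
    "Thanks for your order.\n"
)


def from_addresses(msg: Message) -> list:
    """All addresses in From: (RFC 5322 allows several), lowercased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]


def check_from_header(msg: Message, envelope_sender: str, fix: bool = False):
    """Compare From: with the (already validated) envelope sender.

    Returns ("accept", msg) or ("reject", reason). With fix=True a
    mismatching From: is rewritten to the envelope sender (display name
    kept) and the message is accepted instead of rejected.
    """
    wanted = envelope_sender.lower()
    froms = from_addresses(msg)
    if froms == [wanted]:
        return "accept", msg
    if not fix:
        return "reject", (f"From: {froms} does not match envelope sender "
                          f"<{envelope_sender}>")
    name = parseaddr(msg.get("From", ""))[0]
    del msg["From"]  # removes every From: line, so a multi-address From: collapses too
    msg["From"] = formataddr((name, envelope_sender))
    return "accept", msg


def run(raw: str, envelope_sender: str, fix: bool = False):
    """Parse a raw message and apply the check.

    Returns ("reject", reason) or ("accept", (display_name, address))
    describing the From: header as it would leave the milter.
    """
    msg = email.message_from_string(raw)
    action, result = check_from_header(msg, envelope_sender, fix=fix)
    if action == "reject":
        return action, result
    return action, parseaddr(result["From"])


if __name__ == "__main__":
    print(run(RAW, "shop@example.com"))            # mismatch: rejected
    print(run(RAW, "shop@example.com", fix=True))  # mismatch: From: rewritten
    print(run(RAW, "apache@webserver.domain.com")) # already aligned
```

Note the comparison is exact on the address, not just the domain: if each website logs in as its own SASL user and owns its own sender address, a From: that still says apache is exactly the case that reveals which site is sending.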
Re: canonical based on login name
Joris (ideeel):
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does not

You can use the reject_sender_login_mismatch feature to enforce that each SASL login uses its own unique envelope sender address. During the transition, use:

    warn_if_reject reject_sender_login_mismatch

to find out which apps aren't using the proper sender address.

Otherwise, as Victor says, this requires external code (content filter or milter).

	Wietse
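To see what that restriction decides per MAIL FROM, and what the warn_if_reject prefix changes, here is an added Python model of the logic. It is not Postfix code and not from Wietse's post: the smtpd_sender_login_maps contents, the SMTP sessions and the client name are constructed, and the lookup order (full address, then @domain) is a simplification of how Postfix really probes the table.

```python
"""Added example (not Postfix source): the decision reject_sender_login_mismatch
makes for a MAIL FROM command, following the two conditions in postconf(5),
and the effect of prefixing it with warn_if_reject. Table entries and
sessions are constructed for the demonstration."""
from typing import Optional

# Constructed stand-in for smtpd_sender_login_maps. The value is the list of
# SASL logins that own the sender address; "@domain" covers a whole domain.
SENDER_LOGIN_MAPS = {
    "shop@example.com": "shop",
    "blog@example.com": "blog, webmaster",
    "@example.org": "webmaster",
}

LOG = []  # what smtpd would log, captured so a caller can inspect it


def lookup_owners(sender: str) -> Optional[set]:
    """Return the set of logins owning `sender`, or None if it is unlisted.

    Simplification (assumption): probe the full address, then "@domain".
    Real Postfix also probes other forms of the address.
    """
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    for key in (sender, "@" + domain):
        value = SENDER_LOGIN_MAPS.get(key)
        if value is not None:
            return {v.lower() for v in value.replace(",", " ").split()}
    return None


def reject_sender_login_mismatch(sender: str, login: Optional[str]):
    """Return ("REJECT", reason) or ("DUNNO", "") for one MAIL FROM.

    DUNNO means the restriction did not fire and the next one is consulted.
    """
    owners = lookup_owners(sender)
    if login is None:
        # Unauthenticated client using an address that has an owner.
        if owners:
            return "REJECT", f"<{sender}>: Sender address rejected: not logged in"
        return "DUNNO", ""
    # Authenticated client: its login must be one of the owners.
    if owners is None or login.lower() not in owners:
        return "REJECT", (f"<{sender}>: Sender address rejected: "
                          f"not owned by user {login}")
    return "DUNNO", ""


def check_mail_from(sender: str, login: Optional[str], warn_only: bool = False) -> str:
    """Apply the restriction; warn_only models the warn_if_reject prefix,
    which logs the would-be rejection but lets the message through."""
    action, reason = reject_sender_login_mismatch(sender, login)
    if action != "REJECT":
        return action
    tag = "reject_warning" if warn_only else "reject"
    LOG.append(f"NOQUEUE: {tag}: MAIL from web[192.0.2.10]: 553 5.7.1 {reason}; "
               f"sasl_username={login}")
    return "DUNNO" if warn_only else "REJECT"


if __name__ == "__main__":
    sessions = [
        ("shop@example.com", "shop"),                # login owns the address
        ("apache@webserver.domain.com", "shop"),     # the thread's case
        ("blog@example.com", "webmaster"),           # second owner in the list
        ("shop@example.com", None),                  # owned address, no login
    ]
    for sender, login in sessions:
        print(f"{sender!r} login={login!r} -> {check_mail_from(sender, login, warn_only=True)}")
    print("\n".join(LOG))
```

Run with warn_only=True, every session is accepted but the log line carries reject_warning and the sasl_username, which is exactly what answers Joris's question during the transition: the misbehaving login is named even though the sender still says apache. Once the apps are fixed, the same check without the prefix rejects instead.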
Re: canonical based on login name
> On Jan 20, 2018, at 11:08 AM, Joris (ideeel) wrote:
>
> I know gmail rewrites the envelope sender and the header sender based on
> the login name, but I have not been able to find how to do this in Postfix

To make it clearer, we should first understand what "rewriting" means in Postfix.

- Rewriting in Postfix takes an input value (say the sender address) and produces a new value as a function (via a lookup table) of the input value. The *only* input into the construction of the new value is the original value. Thus you can transform a sender address to another sender address, but this cannot take into account any other message properties.

Since "canonical_maps" is an address rewriting mechanism, it cannot do what you're asking for. The transformation you're asking for presently requires a content filter or milter.

-- 
	Viktor.
canonical based on login name
hi list

I run a webservice (and a mail service). All websites run under the same UID of apa...@webserver.domain.com. I know, not ideal, but I cannot change that bit. Problem is that if one site gets hacked, user apache starts sending spam with no way to figure out which website is misbehaving. Thus we are going to enforce websites to use SASL-auth.

Now the remaining problem is that, even with SMTP-auth, the MAIL FROM username sometimes is still apache. I know gmail rewrites the envelope sender and the header sender based on the login name, but I have not been able to find how to do this in postfix (canonical_classes does not seem to help me here). I cannot really reject the mail using reject_authenticated_sender_login_mismatch because the mails will be sent back to the apache user with again no knowledge of the true sender.

hope you can give me some pointers or documentation how I can solve this :)

best
Joris