Added reject_authenticated_sender_login_mismatch (#872)

* added reject_authenticated_sender_login_mismatch handling including tests * removed obsolete reject_sender_login_mismatch * introduced SPOOF_PROTECTION env variable, tests, documentation and missing documentation for TLS_LEVEL * added missing email template
2025-08-03 17:44:49 +02:00 · 2018-03-07 19:33:43 +01:00 · 2018-03-07 19:33:43 +01:00 · a73692cc9f
commit a73692cc9f
parent 4036588c65
13 changed files with 131 additions and 17 deletions
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@ -46,7 +46,7 @@ smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permi
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
 disable_vrfy_command = yes

 # Postscreen settings to drop zombies/open relays/spam early
--- a/target/postfix/sender_login_maps.pcre
+++ b/target/postfix/sender_login_maps.pcre
@ -0,0 +1 @@
+/^(.*)$/   ${1}
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@ -25,6 +25,7 @@ DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}"
 DEFAULT_VARS["OVERRIDE_HOSTNAME"]="${OVERRIDE_HOSTNAME}"
 DEFAULT_VARS["POSTMASTER_ADDRESS"]="${POSTMASTER_ADDRESS:="postmaster@domain.com"}"
 DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
+DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}"
 DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
 ##########################################################################
 # << DEFAULT VARS
@ -118,6 +119,11 @@ function register_functions() {
 	_register_setup_function "_setup_postfix_vhost"
 	_register_setup_function "_setup_postfix_dhparam"
 	_register_setup_function "_setup_postfix_postscreen"
+
+  if [ "$SPOOF_PROTECTION" = 1  ]; then
+		_register_setup_function "_setup_spoof_protection"
+	fi
+
  _register_setup_function "_setup_postfix_access_control"

 	if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
@ -128,7 +134,7 @@ function register_functions() {
 		_register_setup_function "_setup_postfix_virtual_transport"
 	fi

-    _register_setup_function "_setup_environment"
+  _register_setup_function "_setup_environment"

 	################### << setup funcs

@ -544,7 +550,7 @@ function _setup_ldap() {
 	done

 	notify 'inf' 'Starting to override configs'
-	for f in /etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf /etc/postfix/ldap-domains.cf
+	for f in /etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf /etc/postfix/ldap-domains.cf /etc/postfix/maps/sender_login_maps.ldap
 	do
 		[[ $f =~ ldap-user ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
 		[[ $f =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
@ -615,6 +621,14 @@ function _setup_postfix_postscreen() {
 	       -e "s/postscreen_bare_newline_action = enforce/postscreen_bare_newline_action = $POSTSCREEN_ACTION/" /etc/postfix/main.cf
 }

+function _setup_spoof_protection () {
+	notify 'inf' "Configuring Spoof Protection"
+	sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' /etc/postfix/main.cf
+	[ "$ENABLE_LDAP" = 1 ] \
+		&& postconf -e "smtpd_sender_login_maps=ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf" \
+		|| postconf -e "smtpd_sender_login_maps=texthash:/etc/postfix/virtual, texthash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre"
+}
+
 function _setup_postfix_access_control() {
  notify 'inf' "Configuring user access"
  [ -f /tmp/docker-mailserver/postfix-send-access.cf ] && sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf