Prevent anyone from sending email between local users
I'm trying to prevent anonymous users from potentially being able to send email from one local user to another. If someone knows the email addresses of 2 accounts on my postfix server (2.10.1) it seems that they are able to send email between them from anywhere without authenticating. I tested this using telnet commands:
220 domain1.co.uk ESMTP Postfix
ehlo domain1.co.uk
250-domain1.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:[email protected]
250 2.1.0 Ok
RCPT TO:[email protected]
250 2.1.5 Ok
data
354 End data with .
test
.
250 2.0.0 Ok: queued as A002982019
quit
221 2.0.0 Bye
I want to avoid anyone from being able to send between local domains unless they are either authenticated or from specific IP addresses (local ones for relay).
I think you are looking for reject_sender_login_mismatch
or reject_unauthenticated_sender_login_mismatch
, parameters for smtpd_sender_restrictions
.
For example:
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, ...
From the documentation:
- reject_sender_login_mismatch
- Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
- reject_unauthenticated_sender_login_mismatch
- Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.
The former is more restrictive, prohibiting e.g. [email protected] from sending mail as [email protected], even if authenticated. The latter will permit authenticated users to send mail from any email address.
permit_mynetworks
should always appear first, and will allow anything from the IP addresses and CIDR ranges you specified in mynetworks
.