postfix - allow sending email with related alias
I have installed postfix 2.11.3 + sasl + postfixadmin + dovecot + roundcube on debian 8. All is working fine but today every user can send email with another email address. I would like to add a restriction to allow the users to send email only with their mailbox or the alias related to their mailbox.
Examples :
1) Mailboxes
[email protected]
[email protected]
2) Alias
[email protected] goto [email protected]
[email protected] goto [email protected]
I would like that [email protected], logged with [email protected], can send email with [email protected] and [email protected] only.
user1 should not be able to use user2, alias2 or whatever.
I'm looking for a solution using a mysql_table lookup as I manage mailbox and alias with postfixadmin and mysql. Something like this :
SELECT address FROM alias WHERE address = '%s' AND goto LIKE '%<login>%'
From the man page, only these parameters are available:
%s      This is replaced by the input key. SQL quoting is used to make sure that the input key does not add unexpected metacharacters.
%u      When the input key is an address of the form user@domain, %u is replaced by the SQL quoted local part of the address. Otherwise, %u is replaced by the entire search string. If the localpart is empty, the query is suppressed and returns no results.
%d      When the input key is an address of the form user@domain, %d is replaced by the SQL quoted domain part of the address. Otherwise, the query is suppressed and returns no results.
%[SUD]  The upper-case equivalents of the above expansions behave in the query parameter identically to their lower-case counter-parts. With the result_format parameter (see below), they expand the input key rather than the result value.
%[1-9]  The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is [email protected], then %1 is com, %2 is example and %3 is mail. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the query is suppressed and returns no results.
login is not available.
I know there is a solution to do the restriction on roundcube but my users can access their email directly without roundcube.
Thanks in advance for your help.
UPDATE
I tried this:
main.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-sender-maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch permit_sasl_authenticated
mysql-virtual-sender-maps.cf
user = mailuser
password = xxxxxxxxxxxxxxxx
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT address FROM alias WHERE goto LIKE '%%%s%%'
Logged in with user1, I'm able to send email with alias2.
The content of database is the default for postfixadmin :
CREATE TABLE IF NOT EXISTS `alias` (
`address` varchar(255) NOT NULL,
`goto` text NOT NULL,
`domain` varchar(255) NOT NULL,
`created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`active` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Postfix Admin - Virtual Aliases';
CREATE TABLE IF NOT EXISTS `mailbox` (
`username` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL,
`name` varchar(255) CHARACTER SET utf8 NOT NULL,
`maildir` varchar(255) NOT NULL,
`quota` bigint(20) NOT NULL DEFAULT '0',
`local_part` varchar(255) NOT NULL,
`domain` varchar(255) NOT NULL,
`created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`active` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Postfix Admin - Virtual Mailboxes';
Solution 1:
smtpd_sender_restrictions should include reject_authenticated_sender_login_mismatch. You then would supply a mysql_table for smtpd_sender_login_maps.
Solution 2:
Just for reference, I had the exact same problem and solved it within postfix. After that, my [email protected] authenticates and then can send email either from [email protected] or [email protected].
In master.cf I have a configuration to enable my SSL sasl authenticated users as follows:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-smtpd-sender-login-maps.cf,mysql:/etc/postfix/mysql-virtual-sender-maps.cf
And my mysql map files:
mysql-virtual-sender-maps.cf:
user = mailuser
password = xxxxxxxxxxxxxxxx
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s'
mysql-smtpd-sender-login-maps.cf
user = mailuser
password = xxxxxxxxxxxxxxxx
hosts = 127.0.0.1
dbname = postfixadmin
query = select username from mailbox where username='%s'
Note that I had to "translate" the table names and fields without testing. Don't just copy and paste this solution, but try to use it as a starting point.
The trick is that mysql-smtpd-sender-login-maps.cf allows the user to send as his regular login and mysql-virtual-sender-maps.cf also lets him send as his alias.
My alias table is set up so that I have kind of a "group". That is, I can have "[email protected],[email protected]" in goto column when address is [email protected] for example. That way, the email is delivered to more than one destination. I just used virtual_alias_maps = for that.
The solution stated above works, allowing both [email protected] and user2@example to send as [email protected].
Hope it helps someone. Good luck!
Solution 3:
I finally found a partial answer to my problem. In my config.inc.php for RoundCube, I had previously removed %u from the smtp_user parameter and %p from smtp_password. Consequently, the connection to postfix was unauthenticated. That's why the restriction did not work.
The query which should work is :
query = SELECT goto FROM alias WHERE address = '%s'
Thanks for the help.
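
An added example (not code from the question or any of the answers): a simplified Python model of how the sender-login check consults smtpd_sender_login_maps, comparing the question's query with the two maps from Solution 2. The SQLite database, the example.com addresses and the function names are constructed for illustration, and the model covers only the owner lookup, not Postfix's full restriction processing.

```python
import re
import sqlite3

def build_db():
    """Constructed sample data shaped like the question's example (placeholder addresses)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (username TEXT NOT NULL);
        CREATE TABLE alias (address TEXT NOT NULL, goto TEXT NOT NULL);
        INSERT INTO mailbox VALUES ('user1@example.com'), ('user2@example.com');
        INSERT INTO alias VALUES
            ('alias1@example.com', 'user1@example.com'),
            ('alias2@example.com', 'user2@example.com'),
            ('group@example.com',  'user1@example.com,user2@example.com');
    """)
    return db

# '?' plays the role of Postfix's SQL-quoted %s, i.e. the MAIL FROM address.
QUESTION_MAPS = ["SELECT address FROM alias WHERE goto LIKE '%' || ? || '%'"]
SOLUTION2_MAPS = [
    "SELECT username FROM mailbox WHERE username = ?",
    "SELECT goto FROM alias WHERE address = ?",
]

def owners(db, maps, sender):
    """Logins that own `sender`: maps are tried in order, the first with rows wins."""
    for query in maps:
        rows = [row[0] for row in db.execute(query, (sender,))]
        if rows:
            # Results are a comma/whitespace separated list of login names.
            return {o.lower() for o in re.split(r"[,\s]+", ",".join(rows)) if o}
    return set()

def sender_check(db, maps, sasl_login, sender):
    """Simplified model of reject_authenticated_sender_login_mismatch."""
    if sasl_login is None:
        return "not checked"  # restriction only applies to authenticated clients
    return "ok" if sasl_login.lower() in owners(db, maps, sender) else "reject"

if __name__ == "__main__":
    db = build_db()
    for login, sender in [("user1@example.com", "alias1@example.com"),
                          ("user1@example.com", "alias2@example.com"),
                          (None, "alias2@example.com")]:
        print(login, "->", sender, ":", sender_check(db, SOLUTION2_MAPS, login, sender))
```

The map is keyed by the MAIL FROM address and must return the logins that own it; the question's query returns alias addresses instead, so in this model an authenticated user1 is rejected even for alias1. The unauthenticated case is never checked, which matches what Solution 3 found with RoundCube.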