Discussion:
How to enforce 'From:' message header field to match the sasl authenticated username
(too old to reply)
Hamy
2016-04-03 02:35:48 UTC
Permalink
HiI am using smtpd_sender_login_maps on submission port to enforce the envelope 'mail from:' command, and its working as expected. the problem however is that the user can still use any arbitrary 'From:' header field that she wants and opendkim will happily sign it. I am looking for a way to enforce the from: header filed to match the sasl authenticated username. ideally this should happen before queuing so i can reject the message while smtp session is still in progress.It is my understanding that header_checks can't be used for this as it's functionality is very limited.
What are my options? can anyone please help?Thank you in advance

Best Regards,
Tobias
2016-04-03 10:11:03 UTC
Permalink
Hi
I am using /smtpd_sender_login_maps/ on submission port to enforce the
envelope 'mail from:' command, and its working as expected. the
problem however is that the user can still use any arbitrary 'From:'
header field that she wants and opendkim will happily sign it. I am
looking for a way to enforce the from: header filed to match the sasl
authenticated username. ideally this should happen before queuing so i
can reject the message while smtp session is still in progress.
It is my understanding that /header_checks/ can't be used for this as
it's functionality is very limited.
What are my options? can anyone please help?
Thank you in advance
Best Regards,
A quick search uncovered four options for *smtpd_sender_restrictions*
which you should check.

*reject_authenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for authenticated clients only. This feature is available in Postfix
version 2.1 and later.
*reject_known_sender_login_mismatch*
Apply thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
only to MAIL FROM addresses that are known in
$smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This feature is available in Postfix version 2.11 and later.
*reject_sender_login_mismatch*
Reject the request when $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>specifies
an owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
*reject_unauthenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.

BR
Tobias
Hamy
2016-04-03 10:32:48 UTC
Permalink
Hi, thank you for your response. But i don't think that any of those actually apply to my situation. they're all restrictions applied to 'MAIL FROM:' envelope, and as I've said earlier, I've already taken care of that and it works fine. what I'm talking about is the 'From:' field of the message header (not the envelope). i want to enforce matching it against the 'MAIL FROM:' envelope. for example if the user is SASL authenticated as ***@example.com , she is allowed(and enforced) to use:
MAIL FROM:<***@example.com>
Now i want to match that against the message header 'From:'. the user should be only allowed to use something like this in the header:
From: nickname <***@example.com>

Anything else, should be rejected.
Any ideas?Thanks in advace.

On Sunday, 3 April 2016, 14:42, Tobias <***@otaking.se> wrote:


On 2016-04-03 04:35, Hamy wrote:

Hi I am using smtpd_sender_login_maps on submission port to enforce the envelope 'mail from:' command, and its working as expected. the problem however is that the user can still use any arbitrary 'From:' header field that she wants and opendkim will happily sign it. I am looking for a way to enforce the from: header filed to match the sasl authenticated username. ideally this should happen before queuing so i can reject the message while smtp session is still in progress. It is my understanding that header_checks can't be used for this as it's functionality is very limited.
What are my options? can anyone please help? Thank you in advance

Best Regards,


A quick search uncovered four options for smtpd_sender_restrictions which you should check.


- reject_authenticated_sender_login_mismatch
- Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.
-
- reject_known_sender_login_mismatch
- Apply the reject_sender_login_mismatch restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps. This feature is available in Postfix version 2.11 and later.
- reject_sender_login_mismatch
- Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.


- reject_unauthenticated_sender_login_mismatch
- Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.


BR
Tobias
Tobias
2016-04-04 09:35:21 UTC
Permalink
Ah yes, you're right.

I have yet to find any obvious way directly in Postfix to either force
the From: header to be rewritten to MAIL FROM envelope, or to check this
same header against the envelope or authenticated username.

I had some ideas of possibly using cleanup, trivial-rewrite, canonical,
but I've yet to find a way to make it work. If there's some generic
Milter around that can run simple scripts that could work to bounce. Or
for rewrite, trigger a script after message has been queued to modify
the From header (perhaps AlterMIME can be used for this?)

/Tobias
Post by Hamy
Hi, thank you for your response. But i don't think that any of those
actually apply to my situation.
they're all restrictions applied to 'MAIL FROM:' envelope, and as I've
said earlier, I've already taken care of that and it works fine. what
I'm talking about is the 'From:' field of the message header (not the
envelope). i want to enforce matching it against the 'MAIL FROM:'
envelope. for example if the user is SASL authenticated as
Now i want to match that against the message header 'From:'. the user
Anything else, should be rejected.
Any ideas?
Thanks in advace.
Hi
I am using /smtpd_sender_login_maps/ on submission port to enforce
the envelope 'mail from:' command, and its working as expected. the
problem however is that the user can still use any arbitrary 'From:'
header field that she wants and opendkim will happily sign it. I am
looking for a way to enforce the from: header filed to match the sasl
authenticated username. ideally this should happen before queuing so
i can reject the message while smtp session is still in progress.
It is my understanding that /header_checks/ can't be used for this as
it's functionality is very limited.
What are my options? can anyone please help?
Thank you in advance
Best Regards,
A quick search uncovered four options for *smtpd_sender_restrictions*
which you should check.
*reject_authenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for authenticated clients only. This feature is available in
Postfix version 2.1 and later.
*reject_known_sender_login_mismatch*
Apply thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
only to MAIL FROM addresses that are known in
$smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This feature is available in Postfix version 2.11 and later.
*reject_sender_login_mismatch*
Reject the request when $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>specifies
an owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
*reject_unauthenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.
BR
Tobias
m***@gmail.com
2017-06-28 18:04:09 UTC
Permalink
Hey,

I solved the problem by writing my own milter for that and published it under BSD on github:

https://github.com/magcks/milterfrom

I'm happy about every feedback and hope someone of you find it useful to use my code.
j***@gmail.com
2019-06-29 17:30:47 UTC
Permalink
Post by m***@gmail.com
Hey,
https://github.com/magcks/milterfrom
I'm happy about every feedback and hope someone of you find it useful to use my code.
OpenDMDK has:

ReplaceHeaders (data set)

Defines a set of header fields that should be affected by the text replacement rules defined by the ReplaceRules setting. By default, all header fields are included. @REPLACE_RULES_MANNOTICE@

and

ReplaceRules (string)

Specifies a file containing a list of text replacement rules that are applied to the message header fields to replace certain content expected to be changed as the message passes through local MTAs. This can be used to accommodate expected changes such as are made to From: fields by MTA "masquerade" features. Each entry in the file consists of a POSIX regular expression, followed by a tab (ASCII 9), followed by the text that should be used to replace the text matching the expression. The ’#’ character denotes the beginning of a comment and text from that point on in a single line is ignored. Blank lines are also skipped. @REPLACE_RULES_MANNOTICE@
Loading...