A quick search uncovered four options for *smtpd_sender_restrictions*
which you should check.

*reject_authenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for authenticated clients only. This feature is available in Postfix
version 2.1 and later.
*reject_known_sender_login_mismatch*
Apply thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
only to MAIL FROM addresses that are known in
$smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This feature is available in Postfix version 2.11 and later.
*reject_sender_login_mismatch*
Reject the request when $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>specifies
an owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps
<http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
*reject_unauthenticated_sender_login_mismatch*
Enforces thereject_sender_login_mismatch
<http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>restriction
for unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.

BR
Tobias

Hi, thank you for your response. But i don't think that any of those actually apply to my situation. they're all restrictions applied to 'MAIL FROM:' envelope, and as I've said earlier, I've already taken care of that and it works fine. what I'm talking about is the 'From:' field of the message header (not the envelope). i want to enforce matching it against the 'MAIL FROM:' envelope. for example if the user is SASL authenticated as ***@example.com , she is allowed(and enforced) to use:
MAIL FROM:<***@example.com>
Now i want to match that against the message header 'From:'. the user should be only allowed to use something like this in the header:
From: nickname <***@example.com>

Anything else, should be rejected.
Any ideas?Thanks in advace.

On Sunday, 3 April 2016, 14:42, Tobias <***@otaking.se> wrote:


On 2016-04-03 04:35, Hamy wrote:

Hi I am using smtpd_sender_login_maps on submission port to enforce the envelope 'mail from:' command, and its working as expected. the problem however is that the user can still use any arbitrary 'From:' header field that she wants and opendkim will happily sign it. I am looking for a way to enforce the from: header filed to match the sasl authenticated username. ideally this should happen before queuing so i can reject the message while smtp session is still in progress. It is my understanding that header_checks can't be used for this as it's functionality is very limited.
What are my options? can anyone please help? Thank you in advance

Best Regards,


A quick search uncovered four options for smtpd_sender_restrictions which you should check.


- reject_authenticated_sender_login_mismatch
- Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.
-
- reject_known_sender_login_mismatch
- Apply the reject_sender_login_mismatch restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps. This feature is available in Postfix version 2.11 and later.
- reject_sender_login_mismatch
- Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.


- reject_unauthenticated_sender_login_mismatch
- Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.


BR
Tobias

Ah yes, you're right.

I have yet to find any obvious way directly in Postfix to either force
the From: header to be rewritten to MAIL FROM envelope, or to check this
same header against the envelope or authenticated username.

I had some ideas of possibly using cleanup, trivial-rewrite, canonical,
but I've yet to find a way to make it work. If there's some generic
Milter around that can run simple scripts that could work to bounce. Or
for rewrite, trigger a script after message has been queued to modify
the From header (perhaps AlterMIME can be used for this?)

/Tobias

Hey,

I solved the problem by writing my own milter for that and published it under BSD on github:

https://github.com/magcks/milterfrom

I'm happy about every feedback and hope someone of you find it useful to use my code.