Discussion:
Reject client from domains without MX records
l***@rhsoft.net
2014-03-22 10:21:19 UTC
> The issue here is mail.domain.com is responsible for sending email for domain.com
> but not *.domain.com so the latter are not DKIM signed and obviously are
> not valid recipient addresses as those domains are not able to receive email so i would like to reject clients
> using a from domain address which is not able to receive email like *.domain.com.

please don't post in HTML, it destroys quoting in a thread and has no benefit

"domains without MX records" is a bad idea, there is no RFC saying
that a MX record is mandatory, that is why any MTA falls back to the
A-record of the domain if there is no MX

and to avoid Stan jumping out and shouting "but in this decade there are no domains
without MX": they exist and they are used, i learned that after a customer complaint
because my email-verification on the webserver rejected addresses without MX

not sure how it does in case of non-existing subdomains
however, that should be enabled on any public MX and catches spam
http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
Pau Peris
2014-03-22 11:34:15 UTC
Just a last note, i would like to make sure domains/subdomains used as
sender/from addresses have a MX RR accepting email for such
domains/subdomains. I mean, if from address is host.mydomain.com while it
can be reachable as long as it has an A or CNAME RR email delivered to
host.mydomain.com may not have any MX record accepting emails for such
domain/subdomain.
--
*Pau Peris Rodriguez*
*Chief Executive Officer (CEO)*
Tel: 669650292
C/Balmes 211, Principal Segunda
Barcelona 08006
http://www.webeloping.es

This e-mail contains confidential information addressed exclusively to
its recipient(s) in copy. Likewise, its disclosure, copying or
distribution to third parties without prior written authorisation from
Pau Peris Rodriguez is prohibited. If you have received this information
in error, please notify the sender immediately of this circumstance via
the sender's e-mail address.
Pau Peris
2014-03-22 11:04:29 UTC
Thanks for the explanation but i think i'm not understanding you. I
understand MX records are not mandatory but i'm wondering what am i
supposed to do when someone tries to send an email and the from address is
not valid but an A or CNAME RR exists? By not valid i mean replying to the
from address will never reach any mailbox.

My worries are:
* I'm responsible for sending email for domain.com but not for *.domain.com.
* I'm only signing and following the rules - like DKIM, SPF, DMARC - for
domain.com but haven't done anything special for *.domain.com. And i don't
want my server to be responsible for sending not signed emails, etc.
* I do not want to send emails if the from address is not reachable.

Probably the best solution should be to make sure the from address matches
the login address?

I'm already using reject_unknown_sender_domain.

Thank you so much.
l***@rhsoft.net
2014-03-22 11:36:18 UTC
please avoid top-posting

> Thanks for the explanation but i think i'm not understanding you. I understand MX records are not mandatory but i'm
> wondering what am i supposed to do when someone tries to send an email and the from address is not valid but an A
> or CNAME RR exists? By not valid i mean replying to the from address will never reach any mailbox.
> * I'm responsible for sending email for domain.com but not for *.domain.com.
> * I'm only signing and following the rules - like DKIM, SPF, DMARC - for domain.com but haven't
> done anything special for *.domain.com. And i don't want my server to be responsible for
> sending not signed emails, etc.

you did not make clear that you talk about sending mail

> * I do not want to send emails if the from address is not reachable.
> Probably the best solution should be to make sure the from address matches the login address?

yes, you should not allow non-existent senders
you need some rules before "permit_sasl_authenticated"

in most cases that should be enough:
http://www.postfix.org/postconf.5.html#reject_unlisted_sender
___________________________________________________

that is more complex to implement but if done properly the perfect solution
however, you need to consider that aliases also have to be listed here, which may
not have their own login but are allowed for the user/password combination

reject_authenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

reject_authenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for authenticated clients only.
This feature is available in Postfix version 2.1 and later.
___________________________________________________

that's how it looks in "main.cf" while you need a way for "smtpd_sender_login_maps"
matching your environment, "reject_non_fqdn_recipient" and "reject_non_fqdn_sender"
are highly recommended and reject user mistakes and prevent auto-add "myhostname"
if someone sends to "johnny"

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf

smtpd_recipient_restrictions = permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
Wietse Venema
2014-03-22 13:17:35 UTC
> Thanks for the explanation but i think i'm not understanding you. I
> understand MX records are not mandatory but i'm wondering what am i
> supposed to do when someone tries to send an email and the from address is
> not valid but an A or CNAME RR exists?

This is described in RFC 5321 section 5.1.


Wietse
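
The lookup order from RFC 5321 section 5.1 referenced above, as an added example that is not part of the original thread. The zone data, host names and the `delivery_targets` helper are constructed for illustration; no real DNS queries are made.

```python
# Constructed zone data (assumption): a stand-in for DNS answers.
ZONE = {
    "example.com": {"MX": [(10, "mx1.example.com"), (20, "mx2.example.com")]},
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.20"]},
    "blog.example.com": {"CNAME": "web.example.com"},  # alias of a web host
    "web.example.com": {"A": ["192.0.2.80"]},          # address record, no MX
    "host.example.com": {"A": ["192.0.2.30"]},         # address record, no MX
    "broken.example.com": {"MX": [(10, "gone.example.com")]},  # MX target missing
}


def resolve(name, rtype, zone=ZONE, depth=0):
    """Return (canonical_name, records); records is None if the name does not exist."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    key = name.lower().rstrip(".")
    node = zone.get(key)
    if node is None:
        return key, None
    if "CNAME" in node:
        # A CNAME result is processed as if the target were the initial name.
        return resolve(node["CNAME"], rtype, zone, depth + 1)
    return key, node.get(rtype, [])


def delivery_targets(domain, zone=ZONE):
    """Ordered (preference, host, addresses) list following RFC 5321 section 5.1."""
    canonical, mx = resolve(domain, "MX", zone)
    if mx is None:
        return []  # the domain does not exist
    if not mx:
        # Empty MX list: implicit MX with preference 0 pointing at the host itself.
        _, addrs = resolve(canonical, "A", zone)
        return [(0, canonical, addrs)] if addrs else []
    targets = []
    # Lowest preference first; ties are left in name order here to stay
    # deterministic, where a real MTA would randomize them.
    for pref, host in sorted(mx):
        _, addrs = resolve(host, "A", zone)
        if addrs:
            targets.append((pref, host, addrs))
    # MX records exist but none is usable: an error, with no fallback to A.
    return targets


if __name__ == "__main__":
    for d in ("example.com", "host.example.com", "blog.example.com",
              "broken.example.com", "nonexistent.example.com"):
        print(d, "->", delivery_targets(d))
```

`blog.example.com` resolves through its CNAME to a host with an address record, so DNS alone yields a delivery target even though no mailbox exists there.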
Pau Peris
2014-03-24 19:44:02 UTC
Thank you everyone. Your advice has been very useful to resolve this issue.
Pau Peris
2014-03-24 19:54:30 UTC
I'm wondering why are you setting the following policies under recipient
restrictions and not under sender restrictions? Maybe it's more efficient?

reject_non_fqdn_sender
reject_unlisted_sender
reject_authenticated_sender_login_mismatch

Last, what do you think about reject_unverified_sender? Is it a resources
drainer?

Thanks a lot!
l***@rhsoft.net
2014-03-24 20:06:55 UTC
> I'm wondering why are you setting the following policies under recipient restrictions
> and not under sender restrictions? Maybe it's more efficient?
> reject_non_fqdn_sender
> reject_unlisted_sender
> reject_authenticated_sender_login_mismatch

because with "smtpd_delay_reject" which is default for
good reasons it does not matter and the configuration
is easier to understand as well as specific overrides
are better to manage

> reject_non_fqdn_sender
> reject_unlisted_sender
> reject_authenticated_sender_login_mismatch
> Last, what do you think about reject_unverified_sender? Is it a resources drainer?

it may lead to blacklisting because you always make a sending
attempt and in case of forged senders you do that to servers
never tried to send a message to you
Pau Peris
2014-03-24 23:07:56 UTC
Hundred thanks!! Really great help, tomorrow gonna put it all together and
solve the issue.

Good night!
Pau Peris
2014-03-26 20:22:59 UTC
Hello again,

i read carefully the explanation given by rhsoft and also went to postconf
doc page - http://www.postfix.org/postconf.5.html - to be able to
understand each one of the statements i was setting up. It really looks
pretty easy but i think i'm bypassing something because i'm not able to
reject senders based on:
* The sender/from address is not the one used to login/authenticate.
* The sender/from address does not exist.

I'm posting below my current Postfix setup in hope someone can help to
find the error:

$ postconf |grep mail_version
mail_version = 2.11.0

$ postconf -n
https://gist.github.com/sibok/df8c8fc0d85785978c85

Here's the output shown at /var/log/mail.log
https://gist.github.com/sibok/8e910f54ba5b1a9ea05b

I enabled MySQL SQL Query logs so that's what i saw when trying to send
from ***@blog.example.com to ***@example.com where example.com is a valid
domain, able to receive emails, and blog.example.com is a valid CNAME which
is not able to receive emails so the following address ***@blog.example.com does
not exist.
https://gist.github.com/sibok/ef6a417d10ddf20bd242
Pau Peris
2014-03-27 14:37:48 UTC
Hi,

i'm really getting nuts trying to get it running.

The current behavior is:
* An authenticated user can login as user ***@example.com and then send an
email using from/sender address ***@example2.com
* When another server i have, also running a Postfix 2.11, which relays
emails on the main server tries to send an email the local user sending the
email must match the from/sender address. If not the following message
appears "Sender address rejected: not owned by user...". It looks like the
desired behavior only works for relaying.

Here's what happens when i fake a from address through telnet
https://gist.github.com/sibok/30d7b1085ee6eb26167c

Here's the telnet sequence
https://gist.github.com/sibok/2540ad0ed0e7dde13311

here's master.cf just in case an edit is needed
https://gist.github.com/sibok/7d10c8d267170f4deb43

I hope someone can give some bits of help.

Thanks
Pau Peris
2014-03-27 17:52:42 UTC
If i try to spoof email/sender address through Mozilla Thunderbird i get
the same error message as the one when relaying <***@example.com>: Sender
address rejected: not owned by user ***@example.com; So it looks like the
issue only exists when working locally like through the webmail solution.
Pau Peris
2014-03-27 18:01:34 UTC
After doing another try and looking carefully at the mail.log file i
realize that after the first attempt to reject the email it finally gets
delivered. https://gist.github.com/sibok/82f84dcc71bfa75deeeb

Hope someone can help. Thanks!
l***@rhsoft.net
2014-03-27 18:22:26 UTC
> If i try to spoof email/sender address through Mozilla Thunderbird i get the same error message as the one when
> solution

because "permit_mynetworks" does what it is supposed to do
if you don't have "mynetworks" configured the defaults are applied

[***@srv-rhsoft:~]$ postconf -d mynetworks
mynetworks = 127.0.0.0/8 62.178.103.0/24 192.168.2.0/24 192.168.10.0/24 192.168.196.0/24 10.0.0.0/24
Robert Schetterer
2014-03-27 18:32:55 UTC
Post by Pau Peris
If i try to spoof email/sender address through Mozilla Thunderbird i get
only exists when working locally like through the webmail solution.
configure your webmail to use smtp not sendmail binary ( as default in
most webmail )


Best Regards
MfG Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Pau Peris
2014-03-27 18:53:07 UTC
Hi,

i didn't configure mynetworks because mynetworks_style is set to host. I
thought it was the right thing to do to fit my needs which obviously looks like
not. Could you please explain me why is it wrong? I think i'm not fully
understanding why permit_mynetworks is wrong there.

Robert, i'm using Roundcube already configured to connect to smtp and not
as sendmail. Thanks for your tip.

Thanks again,
l***@rhsoft.net
2014-03-27 19:00:27 UTC
can you please stop top-posting and using HTML on lists?
what is bad with HTML? look at the quote below after converting your message to plain

> i didn't configure mynetworks because mynetworks_style is set to host. I thought
> it was the right thing to do to fit my needs which obviously looks like not. Could you
> please explain me why is it wrong?

why should it be right?

if you don't want to skip a restriction because the machine is
in "mynetworks" just don't put "permit_mynetworks" before the
restriction or don't put the machine in question in "mynetworks"

i know nobody who changed "mynetworks_style" and i know a lot of admins
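
Why the local webmail session was never checked, as an added example that is not from the thread or from Postfix itself: a small Python model of first-match evaluation over the restriction list posted earlier. The addresses, networks, map contents, the reordered list and the assumption that the webmail authenticates with SASL are all constructed for illustration.

```python
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed data (assumptions): loopback only, as with mynetworks_style = host.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
# Stand-in for smtpd_sender_login_maps: envelope sender -> SASL logins owning it.
# Its keys double as the list of valid local addresses in this model.
SENDER_LOGIN_MAPS = {
    "alice@example.com": {"alice@example.com"},
    "sales@example.com": {"alice@example.com"},  # alias without its own login
    "bob@example2.com": {"bob@example2.com"},
}
LOCAL_DOMAINS = {"example.com", "example2.com"}


def session(client, login, sender, rcpt="someone@example.org"):
    return {"client": client, "login": login, "sender": sender, "rcpt": rcpt}


def _is_fqdn_address(addr):
    _, at, domain = addr.rpartition("@")
    return bool(at) and "." in domain


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return OK if any(ip in net for net in MYNETWORKS) else DUNNO


def reject_non_fqdn_recipient(s):
    return DUNNO if _is_fqdn_address(s["rcpt"]) else REJECT


def reject_non_fqdn_sender(s):
    # The empty (bounce) sender is not subject to this check.
    return DUNNO if not s["sender"] or _is_fqdn_address(s["sender"]) else REJECT


def reject_unlisted_sender(s):
    sender = s["sender"].lower()
    domain = sender.rpartition("@")[2]
    if domain in LOCAL_DOMAINS and sender not in SENDER_LOGIN_MAPS:
        return REJECT
    return DUNNO


def reject_authenticated_sender_login_mismatch(s):
    if s["login"] is None:
        return DUNNO  # enforced for authenticated clients only
    owners = SENDER_LOGIN_MAPS.get(s["sender"].lower(), set())
    return DUNNO if s["login"] in owners else REJECT


def permit_sasl_authenticated(s):
    return OK if s["login"] is not None else DUNNO


def evaluate(restrictions, s):
    """First restriction returning OK or REJECT decides; later ones never run."""
    for check in restrictions:
        result = check(s)
        if result != DUNNO:
            return result, check.__name__
    return DUNNO, None


# Order as posted in the thread.
AS_POSTED = [permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_sender,
             reject_unlisted_sender, reject_authenticated_sender_login_mismatch,
             permit_sasl_authenticated]
# One possible reordering (assumption): ownership check ahead of permit_mynetworks.
REORDERED = [reject_authenticated_sender_login_mismatch, permit_mynetworks,
             reject_non_fqdn_recipient, reject_non_fqdn_sender,
             reject_unlisted_sender, permit_sasl_authenticated]

if __name__ == "__main__":
    webmail = session("127.0.0.1", "alice@example.com", "bob@example2.com")
    remote = session("203.0.113.7", "alice@example.com", "bob@example2.com")
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "webmail:", evaluate(rules, webmail))
        print(name, "remote: ", evaluate(rules, remote))
```

In the reordered list an unauthenticated local client still reaches `permit_mynetworks`, because the ownership check returns no decision when there is no SASL login.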
Pau Peris
2014-03-27 19:04:52 UTC
Hi,

i understand now the mistake. I'm reviewing the whole restrictions lot to
fix permit_mynetworks where it is needed.

I'm looking at Postfix site - http://postfix.org/postconf.5.html - for a
way to create exceptions as i would like some users like root to be able to
spoof their from address but i'm not able to find the right directive.
Would you dare pointing me to the right one?

Thank you so much. I really appreciate your help
l***@rhsoft.net
2014-03-27 20:15:53 UTC
PLEASE LEARN TO USE YOUR MAIL-CLIENT AND HOW TO QUOTE

* do not top post
* do not post HTML
* do not reply only to your own questions while you refer to answers
* if you continue that way of posting i just ignore you

this is a completely unreadable thread in the meanwhile
that below is hardly a response to my last message
__________________________________________________

back to topic:

* why would you like to spoof root?
* mails of cronjobs and such things are using the sendmail binary
* the sendmail binary has *no relevance* to SMTP restrictions because it is not SMTP
Pau Peris
2014-03-27 22:48:31 UTC
Permalink
Excuse me, i'll try to follow your rules. The HTML thing was due to the
reader, i think it took web URL and emails into HTML tags. Excuses.

Regarding the exceptions list, you talk about cron emails using sendmail but
it is using the aliases table specified in main.cf and also uses an email
rewriter table specified in main.cf. If possible i would like to create an
exception table. The case is i would like aliases to be only used for
receiving and forwarding to real email boxes. I do not want to let users
login through aliases. Also i would like some users like root to rewrite
its email.

Last, i think master.cf is overwriting some restrictions because when
emails first get smtp it gets rejected if login mismatch sender address,
then don't know why it is passed to amavis content filter when it really
should get rejected and after amavis injects the email again into smtp it
gets delivered. It's pretty weird, but i'm not able to find my mistake.

Thanks a lot!!
--

Sent from my Android mobile, excuse the brevity.
Pau Peris
2014-03-28 17:45:16 UTC
Permalink
Finally,

removing warn_if_rejected did the trick. Oh my, stupid mistake, easy fix!

Thanks a lot rhsoft!!
Pau Peris
2014-03-28 19:33:21 UTC
Permalink
I think everything was working fine but after updating the main.cf file i'm
seeing the following warning for emails incoming from outside the box:

postfix/smtpd[15455]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support

The previous warning is shown when i send an email from GMail to a domain
whose email is managed by me.

Basically what i did is:
* Remove permit_mynetworks where i think it shouldn't be.
* Disable smtp auth globally and enable it at submission 587 and smtps 465.
* Remove the deprecated smtp_use_tls/smtpd_use_tls statements.

Here i paste my current main.cf and master.cf files.
https://gist.github.com/sibok/f6f3fc9dfa074868e10e

Any help would be extremely appreciated. Thanks in advance!
l***@rhsoft.net
2014-03-28 21:20:20 UTC
Permalink
I think everything was working fine but after updating the main.cf file i'm seeing the following warning
for emails incoming from outside the box, postfix/smtpd[15455]: warning: restriction
`reject_authenticated_sender_login_mismatch' ignored: no SASL support
The previous warning is shown when i send an email from GMail to a domain whose email is managed by me.
* Remove permit_mynetworks where i think it shouldn't be.
* Disable smtp auth globally and enable it at submission 587 and smtps 465.
* Remove the deprecated smtp_use_tls/smtpd_use_tls statements
`reject_authenticated_sender_login_mismatch' has a clear context to SASL auth
just don't list SASL related params in main.cf if "disable smtp auth globally"
Pau Peris
2014-03-28 23:21:02 UTC
Permalink
Could you be more explicit or place an example on how main.cf should
stay after removing the sasl params and how master.cf should look, please?

Thank u so much!!

Sent from my Android mobile, excuse the brevity.
l***@rhsoft.net
2014-03-28 23:29:20 UTC
Permalink
sorry, you need to read manuals and try some things on your own
if you can't handle it why do you remove auth globally?
in general don't change defaults for no good reason
Pau Peris
2014-03-28 23:43:47 UTC
Permalink
I don't think that's about reading but about expertise. Which takes time
after reading.

I will reenable sasl globally again while i try to understand it all.

I'm unsure if login sender mismatch can have any side effect for incoming
email once global sasl auth is activated. Could you please explain this?

Thanks a lot!
--

Sent from my Android mobile, excuse the brevity.
l***@rhsoft.net
2014-03-28 23:53:58 UTC
Permalink
I don't think that's about reading but about expertise. Which takes time after reading
no, it's a matter of read, try and try again, been there done that
I will reenable sasl globally again while i try to understand it all
I'm unsure if login sender mismatch can have any side effect for incoming email once global sasl auth is activated
as said: read the documentation, especially for params you are using

"reject_authenticated_sender_login_mismatch" contains the word "authenticated"
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
Pau Peris
2014-03-29 00:02:10 UTC
Permalink
Thanks a lot!
--
Sent from my Android mobile, excuse the brevity.
Pau Peris
2014-03-29 01:40:05 UTC
Permalink
Just in case someone is interested, finally i disabled sasl auth globally
and fixed the previous error by adding/modifying the following lines at
master.cf

smtp inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes

As you can see i forgot to enable sasl on smtp.

I also added the following restriction next to
reject_authenticated_sender_login_mismatch:

reject_authenticated_sender_login_mismatch,
reject_known_sender_login_mismatch,

Maybe it helps someone.
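The warning discussed in this thread is logged when an smtpd service evaluates a SASL-only restriction while `smtpd_sasl_auth_enable` is off for that service. As an added example (not code from any poster or from Postfix), this Python check merges main.cf with each master.cf service's `-o` overrides and reports the smtpd services in that state. The sample files are constructed, and the set of restrictions treated as SASL-dependent is an assumption limited to the login-mismatch family.

```python
import re

# Treated here as needing SASL (assumption; the thread shows the warning for the first).
SASL_ONLY = {
    "reject_authenticated_sender_login_mismatch", "reject_sender_login_mismatch",
    "reject_known_sender_login_mismatch", "reject_unauthenticated_sender_login_mismatch",
}
RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                     "smtpd_recipient_restrictions")

# Constructed sample files, not the poster's configuration.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_authenticated_sender_login_mismatch
"""
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
pickup     unix  n  -  -  60 1  pickup
"""
# Variant: the SASL-only restriction lives only in the service that enables SASL.
MAIN_CF_FIXED = """\
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_unknown_sender_domain
"""
MASTER_CF_FIXED = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    """name = value pairs; $parameter references are not expanded here."""
    pairs = (line.partition("=") for line in logical_lines(text))
    return {name.strip(): value.strip() for name, _, value in pairs}

def parse_master_cf(text):
    """Return [(service, {-o overrides})] for entries whose command is smtpd."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args = fields[8:]
        pairs = [args[i + 1].partition("=") for i, a in enumerate(args[:-1]) if a == "-o"]
        services.append((fields[0], {k: v for k, _, v in pairs}))
    return services

def sasl_misconfigured(main_cf, master_cf):
    """Map service -> SASL-only restrictions it lists while SASL is off."""
    base = parse_main_cf(main_cf)
    findings = {}
    for name, overrides in parse_master_cf(master_cf):
        eff = {**base, **overrides}  # -o settings win over main.cf
        if eff.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
            continue
        listed = {r for key in RESTRICTION_LISTS
                  for r in re.split(r"[,\s]+", eff.get(key, ""))}
        if listed & SASL_ONLY:
            findings[name] = sorted(listed & SASL_ONLY)
    return findings

if __name__ == "__main__":
    print(sasl_misconfigured(MAIN_CF, MASTER_CF))
```

Running the same function against real files only needs their text passed in; `postconf -n` and `postconf -M` output can be compared with the result.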