Email sender address - postfix, dovecot etc.

[simpson0107]

Hi, I have an email server configured with postfix, dovecot, saslauthd and squirrelmail. It works great. In fact I'd even say it works too well: in squirrelmail, I can configure any sender address and my server will accept it. Message will be sent, wether the sender's address is william.gates@microsoft.com or john.smith@yahoo.com. Is there any way of limiting it in such way that only username@MYdomain.ltd is accepted as sender's address?
___________________________
blog szymona

[neogranas]

Do you have these in your /etc/postfix/main.cf file?

Code:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

[simpson0107]

Thanks for your post.

Yes, have them all in my main.cf. Without them I would not be able to use a client like Thunderbird to send email through my server from locations other then my own LAN. But I can send email through my server from anywhere.

My problem is different. I don't want my users to abuse my domain by sending emails as someone else, and now it is possible (today I sent an email as someone@pl.ey.com, and it reached it's destination with no problems, although pl.ey.com is not my domain). I found a half-solution, which is changing "true" to "false" in the following squirrelmail configuration file (/usr/share/squirrelmail/config/config.php):

Code:

$edit_identity = false;
$edit_name = false;

But that does not stop people using Thunderbird or Mutt to pretend to be someone else. I want to avoid a situation when I can't send emails from my domain because it's treated as spam or an untrusted domain.

Is there any way of doing it?

[neogranas]

There is, my system will not allow any outbound email from anywhere unless there is a user that authenticates. I just tested it a few minutes ago. No user sending will get back a 5.7.1 error, and an unknown user will get authentication errors even when giving a username and password.

Here is my main.cf file, and the output of a postconf:
main.cf.txt
postconf.txt

Hope they help.

[simpson0107]

OK, maybe I'm not making myself clear. Thanks for your post.

I don't want to stop outsiders from sending email as myself. I want to stop myself (or rather my users) from pretending to be someone else. I don't really need it that much now, but it might be useful in the future.

Here's what i mean: make an experiment. Log in to your home directory as a regular user (not in the gui, in the terminal). Create file called .muttrc in your home directory. Then, edit the file and paste this in the first line:

Code:

my_hdr From: Bill <william.gates@microsoft.com>

Save the file and send an email (you must use mutt for the experiment to succede) to yourself. Then check your mailbox and read a message from Bill Gates, straight from Microsoft!

Now this is an example of what I don't want my users to do. So, is there a way of doing that?

[simpson0107]

OK, maybe I'm not making myself clear. Thanks for your post.

I don't want to stop outsiders from sending email as myself. I want to stop myself (or rather my users) from pretending to be someone else. I don't really need it that much now, but it might be useful in the future.

Here's what i mean: make an experiment. Log in to your home directory as a regular user (not in the gui, in the terminal). Create a file called .muttrc in your home directory (don't forget the dot in front of the file name). Then, edit the file and paste this in the first line:

Code:

my_hdr From: Bill <william.gates@microsoft.com>

Save the file and send an email to yourself (you must use mutt for the experiment to succede). Then check your mailbox and read a message from Bill Gates, straight from Microsoft! You can send an email like that to any account.

Now this is an example of what I don't want my users to do. So, is there a way of stopping them?

[neogranas]

Ah, my mistake. That I don't know because, well, it's really only me on my server so I don't have to worry about that. But I'd be very interested to know the solution so I can use it later if needed.