When configuring Postfix with SMTP AUTH (typically on port 587 with STARTTLS), many administrators want to enforce a strict sender address format where authenticated users can only send from their own email address in the format username@example.org. This prevents address spoofing while maintaining a clean email ecosystem.
The conventional solution involves using smtpd_sender_login_maps with a static mapping file:
# /etc/postfix/main.cf
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_mapsWith a corresponding map file:
# /etc/postfix/smtpd_sender_login_maps
alice@example.org alice
bob@example.org bob
charlie@example.org charlieFor systems where the username should always map to username@example.org, we can use Postfix's built-in pattern matching:
# /etc/postfix/main.cf
smtpd_sender_restrictions =
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender
smtpd_sender_login_maps = pcre:/etc/postfix/smtpd_sender_login_maps.pcreCreate a PCRE format map file:
# /etc/postfix/smtpd_sender_login_maps.pcre
/^(.*)@example\.org$/ ${1}
/^$/ DEFAULTAfter implementing these changes:
sudo postmap /etc/postfix/smtpd_sender_login_maps.pcre
sudo systemctl reload postfixTest the configuration:
# As authenticated user 'alice'
echo "Test" | mailx -s "Test" -r "alice@example.org" recipient@domain.com # Should work
echo "Test" | mailx -s "Test" -r "bob@example.org" recipient@domain.com # Should fail
echo "Test" | mailx -s "Test" -r "anything@else.com" recipient@domain.com # Should failFor comprehensive protection, consider adding:
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destinationThis ensures that only authenticated users or local networks can relay mail through your server.
When running a Postfix mail server with SMTP AUTH (typically on port 587 with STARTTLS), one common security concern is sender address spoofing. By default, authenticated users could potentially send emails using any sender address, even if it doesn't match their login credentials.
The conventional approach involves using two main Postfix configuration parameters:
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
With a sender_login_maps file containing explicit mappings like:
user1@example.org user1
user2@example.org user2
user3@example.org user3
While this works, it becomes cumbersome to maintain, especially when you have a simple policy where authenticated users should only be able to send from their own email addresses in a single domain.
For cases where you want to strictly enforce the pattern logged-in-user@example.org, we can use a PCRE (Perl Compatible Regular Expression) map instead of maintaining a static file:
smtpd_sender_login_maps = pcre:/etc/postfix/smtpd_sender_login_maps.pcre
The PCRE file would contain:
/^(.*)@example\.org$/ ${1}
This regular expression does the following:
1. Captures the username part before @example.org
2. Maps it back to the same username (without the domain)
Here's how your main.cf should look:
# Enable SMTP AUTH on port 587
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Enforce sender address policy
smtpd_sender_restrictions =
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject
smtpd_sender_login_maps = pcre:/etc/postfix/smtpd_sender_login_maps.pcre
After making these changes, remember to:
postmap /etc/postfix/smtpd_sender_login_maps.pcre
postfix reload
Test with:
swaks --from user@example.org --to recipient@domain.com \
--server localhost --port 587 -tls --auth-user user --auth-password password
The server should reject any attempt to send from an address that doesn't match the authenticated username plus @example.org.
For enhanced security, consider adding these to your main.cf:
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
This configuration provides a robust solution that automatically enforces your sender address policy without requiring manual updates when new users are added.