How to Fix “Sender address rejected: not owned by user” Error in Postfix SMTP Server Configuration


The error 553 5.7.1 <sender@example.com>: Sender address rejected: not owned by user occurs when Postfix enforces the reject_sender_login_mismatch restriction. This security feature prevents email spoofing by verifying that authenticated users can only send from addresses they own.

The error stems from these critical Postfix settings:

# In master.cf (usually the main culprit)
submission inet n - - - - smtpd
    -o smtpd_sender_restrictions=reject_sender_login_mismatch

# In main.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = reject_sender_login_mismatch

Here are three approaches to resolve this:

Option 1: Disable sender verification (not recommended for production)

# In master.cf
submission inet n - - - - smtpd
    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject

Option 2: Proper SASL sender mapping

# Create /etc/postfix/sasl_senders
user1@domain.com   user1
user2@domain.com   user2

# In main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders

Option 3: MySQL-based mapping (for larger deployments)

# /etc/postfix/mysql_sender_login_maps.cf
user = postfix_user
password = your_password
hosts = 127.0.0.1
dbname = postfix_db
query = SELECT username FROM aliases WHERE alias='%s' UNION SELECT username FROM mailboxes WHERE email='%s'

Always run these checks after changes (a hash: table must be compiled with postmap before postmap -q can query it):

tail -f /var/log/mail.log
postmap -q user@domain.com hash:/etc/postfix/sasl_senders
postconf -n | grep sender

For a secure yet functional setup:

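# main.cf additions
# Restrictions are evaluated in order and the first permit or reject wins,
# so the ownership check must come before permit_sasl_authenticated.
# reject_sender_login_mismatch already covers the unauthenticated variant.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unknown_sender_domain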

# Master.cf modifications
submission inet n - - - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

Remember to reload Postfix after changes:

postfix reload
# or, for a full restart:
systemctl restart postfix

The error 553 5.7.1 <sender@example.com>: Sender address rejected: not owned by user occurs when Postfix's reject_sender_login_mismatch restriction is enabled in master.cf. This security feature prevents email spoofing by verifying that authenticated users only send emails from addresses they own.

Your current setup in master.cf includes:

submission inet n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=permit_sasl_authenticated
    -o smtpd_sender_restrictions=reject_sender_login_mismatch

The critical line is -o smtpd_sender_restrictions=reject_sender_login_mismatch, which enforces sender-address verification.

There are two main ways to resolve this:

Option 1: Disable Strict Sender Verification (Not Recommended)

Remove the restriction from master.cf:

submission inet n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=permit_sasl_authenticated
    # Removed: -o smtpd_sender_restrictions=reject_sender_login_mismatch

Option 2: Properly Configure SASL Authentication (Recommended)

1. First, ensure you have smtpd_sasl_auth_enable = yes in main.cf

2. Configure sender address mapping in /etc/postfix/sasl/smtpd_sender_login_maps:

sender@example.com    username
another@domain.com    username

3. Add this to your main.cf:

smtpd_sender_login_maps = hash:/etc/postfix/sasl/smtpd_sender_login_maps
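# The ownership check must precede permit_sasl_authenticated, otherwise
# authenticated clients are accepted before it runs.
# reject_sender_login_mismatch combines the authenticated and
# unauthenticated variants, so they are not listed separately.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated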

After making changes, always:

postmap /etc/postfix/sasl/smtpd_sender_login_maps
postfix reload

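Test with telnet (this reaches the port 25 service, which normally uses the main.cf restrictions; the submission service configured above requires TLS and SASL authentication and is not exercised by this session):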

telnet localhost 25
EHLO example.com
MAIL FROM: <sender@example.com>

While disabling reject_sender_login_mismatch may seem like a quick fix, it significantly reduces your server's security against email spoofing attacks. The proper solution is to maintain the restriction while correctly configuring your SASL authentication and sender mappings.
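
Postfix evaluates a restriction list in order and stops at the first permit or reject, so the position of reject_sender_login_mismatch relative to permit_sasl_authenticated decides whether the ownership check ever runs. The following is an added example, not Postfix code and not part of the original article: a simplified Python model with constructed map contents and hypothetical function names, matching only exact addresses in the map.

```python
# Simplified model of Postfix smtpd restriction evaluation (not Postfix code).
# Constructed sample data: a sender login map (MAIL FROM address -> owning logins).
SENDER_LOGIN_MAP = {
    "user1@domain.com": {"user1"},
    "user2@domain.com": {"user2"},
}

def owners(sender):
    """Logins allowed to use `sender`; empty set if the map has no entry."""
    return SENDER_LOGIN_MAP.get(sender.lower(), set())

def reject_sender_login_mismatch(sender, login, in_mynetworks):
    own = owners(sender)
    if login is not None and login not in own:
        return "REJECT"   # authenticated, but does not own MAIL FROM
    if login is None and own:
        return "REJECT"   # owned address used without authentication
    return "DUNNO"

def permit_sasl_authenticated(sender, login, in_mynetworks):
    return "OK" if login is not None else "DUNNO"

def permit_mynetworks(sender, login, in_mynetworks):
    return "OK" if in_mynetworks else "DUNNO"

def reject(sender, login, in_mynetworks):
    return "REJECT"

RESTRICTIONS = {f.__name__: f for f in (
    reject_sender_login_mismatch, permit_sasl_authenticated,
    permit_mynetworks, reject)}

def evaluate(restriction_list, sender, login=None, in_mynetworks=False):
    """First OK or REJECT wins; an exhausted list yields DUNNO (not rejected)."""
    for name in (n.strip() for n in restriction_list.split(",")):
        result = RESTRICTIONS[name](sender, login, in_mynetworks)
        if result != "DUNNO":
            return f"{result} by {name}"
    return "DUNNO"

CHECK_FIRST = "permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated"
PERMIT_FIRST = "permit_mynetworks, permit_sasl_authenticated, reject_sender_login_mismatch"

if __name__ == "__main__":
    # user1 is authenticated but claims user2's address (constructed case).
    for label, rules in (("check first", CHECK_FIRST), ("permit first", PERMIT_FIRST)):
        print(label, "->", evaluate(rules, "user2@domain.com", login="user1"))
```

With the permit placed first, the mismatched sender is accepted and the 553 error never appears, which can look like a working fix while the spoofing protection is actually switched off.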