Community Forum

0 votes
I freshly configured a mail server and for now it's working smoothly. Currently my domain is and I have different users.
I have SMTP authentication set to on, and users can send mail as well. A user can send mail with any From address,
i.e. a user can send mail from, can send mail with any email address to anyone. But I am more concerned with security and think that if anyone abuses this it would be a great problem.
So I googled and found address masquerading in Postfix. So I tried:

masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
masquerade_domains = !

I tried it but it's not working to convert the domain name of the sender to
It's not working and I can't even force users to use their own email address.
Any user permitted to use the mail can log in with their credentials and is capable of sending mail with any email address regardless of their own email address, and is able to create fake mail.
Could anyone please help me with this?
It would be fun to solve this issue.

In Mail
Saturday, February 26 2011, 12:53 PM
Responses (2)
  • Accepted Answer

    Sunday, February 27 2011, 04:15 PM
    0 votes
    There's a fairly easy way to reject unauthorized sender domains on Postfix, if the server is used for your organization's OUTGOING mail ONLY. You can whitelist authorized sender domains, and Postfix will reject all email coming from unauthorized sender domains:

    sender verification

    However, this is NOT a viable solution for mail servers that are used for both INCOMING and OUTGOING mail, as you'll break receiving of all external (internet) INCOMING mail.
  • Accepted Answer

    Sunday, February 27 2011, 02:23 PM
    0 votes
    I don't think you can use Postfix or any other SMTP server to rewrite arbitrary forged sender email addresses to the authorized ones. First of all, how would Postfix know which address fakeaddress@fakedomaine should be rewritten to: I@yourdomaine or you@yourdomaine? IP addresses are not useful since workstations in effect can connect from any IP address on the internet (think laptops and smart phones) and MAC addresses are easily faked.

    It is, however, quite possible to block sending emails not originating from your private IP segment. That is COS standard behaviour to avoid acting as an open relay. It should also be easy to block sending emails that do not use your domain, thereby limiting the scope for deception to I@yourdomaine being sent as you@yourdomaine. Should that ever happen, my advice would be that the best error correction procedure available is you slugging I.

    The above illustrative example is in no way meant to be taken as an invitation.
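
For the question's goal of tying each authenticated user to their own address, Postfix can reject (not rewrite) a MAIL FROM address that the SASL login does not own. The fragment below is an added example, not part of either reply; example.com, the login names, the map path and the assumption that users log in with a bare username are placeholders.

```ini
# --- /etc/postfix/main.cf (fragment) ---
# Lookup table: envelope sender (MAIL FROM) address -> SASL login name(s)
# that own it. The path is a placeholder.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Applies only to clients that logged in with SMTP AUTH, so unauthenticated
# inbound mail from the internet is not touched by this check.
# If smtpd_sender_restrictions is already set, add this entry to the
# existing list instead of replacing it.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch

# --- /etc/postfix/sender_login_maps (constructed sample entries) ---
# <sender address>       <owning SASL login(s), comma separated>
# If users authenticate with their full address, put that form on the right.
alice@example.com        alice
bob@example.com          bob
# A shared address may list several owners.
support@example.com      alice,bob

# --- after editing, run in a shell ---
# postmap /etc/postfix/sender_login_maps
# postfix reload
```

With this in place an authenticated login is refused for any sender address the table does not assign to it, including addresses in other domains. The check compares the envelope sender only; the From: header inside the message is not compared against the login.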
