This is how to really do it in postfix.
This config changes sender addresses from both local originated, and relayed SMTP mail traffic:
/etc/postfix/main.cf:
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
Rewrite envelope address from email originating from the server itself
/etc/postfix/sender_canonical_maps:
/.+/ newsender@address.com
Rewrite from address in SMTP relayed e-mail
/etc/postfix/header_check:
/From:.*/ REPLACE From: newsender@address.com
Thats very useful if you're for instance using a local relay smtp server which is used by all your multifunctionals and several applications.
If you use Office 365 SMTP server, any mail with a different sender address than the email from the authenticated user itself will simply be denied. The above config prevents this.
The envelope sender is set by the mail client when sending mail; it is not a header and appears nowhere in the mail body.
Postfix, being an MTA, doesn't really care about From: headers, except insofar as it can rewrite them based on the envelope sender or some other rule, if you so desire.
This can be useful in situations where the internal postfix domain is not externally valid (such as user@localhost.localdomain
) to enable the recipient to respond to the message; the envelope sender is set as the Return-Path: header upon delivery of the message.
I've never seen a requirement to perform the inverse, i.e. change the envelope sender based on a From: header; since headers are trivially forged this would enable an easy spam target.
What you should do instead is the following:
- set up postfix to require submission as defined in RFC4409, using both TLS and SASL, for all locally submitted mail; see the commented-out example in master.cf.
- disallow submission of mail via the MTA port (25) by removing
permit_mynetworks
from smtpd_*_restrictions
.
- disallow submitting mail via the sendmail(1) command and all its derivatives via the
authorized_submit_users
parameter
- configure your application to use a dedicated login that will restrict the envelope sender via the smtpd_sender_login_maps parameter
- configure your application to set the proper envelope sender when submitting mail.
Best Answer
If You want to do re-write mail headers, you'll have to have postfix pass the mail through some program which does the re-writing. Have a look at documentation for something like policyd for how that interaction works.
However, I'm not convinced that what you're describing is a good idea, or helpful with spam. If you can't rely on the behaviour of authenticated users, then you need to do content filtering much as you'd do for mail coming in for mail from unknown sources coming to your users.