I have an email server running Postfix that generally works great. I'm trying to use this server as the SMTP server for outgoing mail in a CRM/Marketing platform installation. I've entered the authentication credentials and it works fine. However, I can only use the mailbox that I'm authenticating with as the "from" address. If I try to use a different address (on the same domain) in a campaign, it fails to send and results in this error:
This message was undeliverable after 3 attempts due to the following reason: Error Message: Response from Server 220 server.com 250-server.com 250-PIPELINING 250-SIZE 26214400 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 220 2.0.0 Ready to start TLS 250-server.com 250-PIPELINING 250-SIZE 26214400 250-ETRN 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 334 VXNlcm5hbWU6 334 UGFzc3dvcmQ6 235 2.7.0 Authentication successful 250 2.1.0 Ok 553 5.7.1 : Sender address rejected: not owned by user info@server.com 250 2.0.0 Ok .
Is there a way to configure Postfix to allow me to send from any address on this one particular domain after authenticating with one account? Can I assign addresses to this user I'm authenticating with? I don't want to open this up on other domains, just this one particular domain I'm using for this CRM.
Thanks!
—
Here's what postconf -n
gives me:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maximal_backoff_time = 1800s
maximal_queue_lifetime = 1d
message_size_limit = 26214400
milter_default_action = accept
milter_protocol = 6
minimal_backoff_time = 300s
mydestination = mail1.mydomain.com, localhost.mydomain.com, localhost
myhostname = mail1.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
relayhost =
smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
smtpd_restriction_classes = z1_greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_key_file = /etc/ssl/mail/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
z1_greylisting = permit_dnswl_client list.dnswl.org, check_policy_service inet:127.0.0.1:10023
Here's what mysql_virtual_sender_acl.cf
:
# mysql_virtual_sender_acl.cf
user = mailcow
password = password
hosts = localhost
dbname = mailcow
query = SELECT logged_in_as FROM sender_acl WHERE send_as='%s'
#expansion_limit = 100
And in mysql_virtual_alias_maps.cf
:
# mysql_virtual_alias_maps.cf
user = mailcow
password = password
hosts = localhost
dbname = mailcow
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
#expansion_limit = 100
Best Answer
You can use reject_authenticated_sender_login_mismatch
Make users for test
Do some basic tests. As you can see without reject_authenticated_sender_login_mismatch user can use in MAIL FROM whatever he want
But after we have added the following lines
Do not forget to create map and restart the postfix
User can't use anymore whatever he wants
But with the settings above user1@example.net can use in MAIL FROM only: user1@example.net, info@example.net and no-reply@example.net
P.S. a little trick
if don't add any line for some specific user in the /etc/postfix/sender_logins_maps - he will receive an emails but won't send.
It's just a test. So to quick setup test environment I have choose sasldb. Because I don't have time to setup and configure MySQL. You are using MySQL to store all information about users. And your restrictions described here
You should add contents of the mysql_virtual_sender_acl.cf/mysql_virtual_alias_maps.cf (without password of course) to the question
in the /etc/postfix/sender_logins_maps you should have something like the following
Modify smtpd_sender_login_maps
The file /etc/postfix/sender_logins_maps should contain only one line
where @example.net - "one particular domain", user1@example.net - "authenticating with one account". It must be sasl_username!
Don't forget to create map and restart the postfix.