You can use reject_authenticated_sender_login_mismatch
Create users for the test:
# saslpasswd2 -c -u example.net user1
# saslpasswd2 -c -u example.com user2
# sasldblistusers2
user2@example.com: userPassword
user1@example.net: userPassword
Do some basic tests. As you can see, without reject_authenticated_sender_login_mismatch a user can use whatever he wants in MAIL FROM:
# echo "Hello world" | swaks -s 127.0.0.1 --from user1@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<user1@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 20:53:45 +0000
-> To: user2@example.com
-> From: user1@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as E1D3D406CC
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep E1D3D406CC /var/log/maillog
Feb 25 20:53:45 svn postfix/smtpd[56996]: E1D3D406CC: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:53:45 svn postfix/cleanup[56999]: E1D3D406CC: message-id=<20160225205345.E1D3D406CC@mail.example.net>
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: from=<user1@example.net>, size=416, nrcpt=1 (queue active)
Feb 25 20:53:45 svn postfix/local[57000]: E1D3D406CC: to=<user2@example.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: removed
# echo "Hello world" | swaks -s 127.0.0.1 --from non_exist_user@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<non_exist_user@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 20:55:13 +0000
-> To: user2@example.com
-> From: non_exist_user@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as 94CBF4076C
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep 94CBF4076C /var/log/maillog
Feb 25 20:55:13 svn postfix/smtpd[56996]: 94CBF4076C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:55:13 svn postfix/cleanup[56999]: 94CBF4076C: message-id=<20160225205513.94CBF4076C@mail.example.net>
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: from=<non_exist_user@example.net>, size=424, nrcpt=1 (queue active)
Feb 25 20:55:13 svn postfix/local[57000]: 94CBF4076C: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: removed
But after we have added the following lines:
# /etc/postfix/main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sender_logins_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
Do not forget to create the map and restart Postfix:
# postmap /etc/postfix/sender_logins_maps
# service postfix restart
# cat /etc/postfix/sender_logins_maps
user1@example.net user1@example.net
info@example.net user1@example.net
no-reply@example.net user1@example.net
The user can no longer use whatever he wants:
# echo "Hello world" | swaks -s 127.0.0.1 --from non_exit_user@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<non_exit_user@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<** 553 5.7.1 <non_exit_user@example.net>: Sender address rejected: not owned by user user1
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
But with the settings above, user1@example.net can use only the following in MAIL FROM: user1@example.net, info@example.net and no-reply@example.net
# echo "Hello world" | swaks -s 127.0.0.1 --from no-reply@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1@example.net --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxQGV4YW1wbGUubmV0ADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<no-reply@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 23:03:07 +0000
-> To: user2@example.com
-> From: no-reply@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as 9FE524068A
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep 9FE524068A /var/log/maillog
Feb 25 23:03:07 svn postfix/smtpd[19097]: 9FE524068A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 23:03:07 svn postfix/cleanup[19100]: 9FE524068A: message-id=<20160225230307.9FE524068A@mail.example.net>
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: from=<no-reply@example.net>, size=419, nrcpt=1 (queue active)
Feb 25 23:03:07 svn postfix/local[19101]: 9FE524068A: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: removed
P.S.
A little trick:
if you don't add any line for some specific user in /etc/postfix/sender_logins_maps, he will receive emails but won't send.
I can't seem to run saslauthd. It says command not found. Is that a separate utility? EDIT: Sorry, I meant to say testsaslauthd. Neither works.
It's just a test. So, to quickly set up a test environment, I chose sasldb, because I don't have time to set up and configure MySQL. You are using MySQL to store all the information about users. And your restrictions are described here:
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
You should add the contents of mysql_virtual_sender_acl.cf/mysql_virtual_alias_maps.cf (without the password, of course) to the question.
Is there a way to configure Postfix to allow me to send from any address on this one particular domain after authenticating with one account?
In /etc/postfix/sender_logins_maps you should have something like the following:
@example.net user1@example.net
Modify smtpd_sender_login_maps
smtpd_sender_login_maps =
hash:/etc/postfix/sender_logins_maps,
proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
The file /etc/postfix/sender_logins_maps should contain only one line:
@example.net user1@example.net
where @example.net is the "one particular domain" and user1@example.net is "authenticating with one account". It must be the sasl_username!
sasl_method=PLAIN, sasl_username=user1@example.net
Don't forget to create the map and restart Postfix.
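Before turning the restriction on, it helps to know which authenticated senders it would start rejecting. The script below is an added example, not part of the original answers: it pairs the sasl_username and from= log lines by queue ID and checks each pair against the sender-login map. It uses a simplified lookup model (exact address first, then the @domain wildcard, no entry means not owned), and the function names parse_map, owns and audit are made up for this example.

```python
import re
# Map in the text format that postmap compiles: "<address or @domain> <owner login(s)>".
MAP_TEXT = """\
user1@example.net    user1@example.net
info@example.net     user1@example.net
no-reply@example.net user1@example.net
"""
# smtpd and qmgr lines from the maillog excerpts above.
LOG = """\
Feb 25 20:53:45 svn postfix/smtpd[56996]: E1D3D406CC: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: from=<user1@example.net>, size=416, nrcpt=1 (queue active)
Feb 25 20:55:13 svn postfix/smtpd[56996]: 94CBF4076C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: from=<non_exist_user@example.net>, size=424, nrcpt=1 (queue active)
Feb 25 23:03:07 svn postfix/smtpd[19097]: 9FE524068A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: from=<no-reply@example.net>, size=419, nrcpt=1 (queue active)
"""
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

def parse_map(text):
    """Return {lookup key: set of owner logins}, all lower-cased."""
    owners = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not line.lstrip().startswith("#"):
            owners[fields[0].lower()] = set(re.split(r"[,\s]+", fields[1].strip().lower()))
    return owners

def owns(owners, login, sender):
    """Simplified lookup: the exact address wins, then the @domain wildcard."""
    sender = sender.lower()
    for key in (sender, "@" + sender.rpartition("@")[2]):
        if key in owners:
            return login.lower() in owners[key]
    return False  # no entry: the authenticated login owns nothing

def audit(log_text, owners):
    """Return [(queue_id, login, sender)] for mail the restriction would reject."""
    logins, hits = {}, []
    for line in log_text.splitlines():
        if m := SASL_RE.search(line):
            logins[m.group(1)] = m.group(2)
        elif (m := FROM_RE.search(line)) and m.group(1) in logins:
            qid, sender = m.groups()
            if sender and not owns(owners, logins[qid], sender):  # empty (bounce) sender ignored
                hits.append((qid, logins[qid], sender))
    return hits

print(audit(LOG, parse_map(MAP_TEXT)))
```

Swapping MAP_TEXT for the single wildcard line `@example.net user1@example.net` makes the same log come back clean, which is the "any address on one domain" setup described above.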
Best Answer
The answer in this case seems to have been that the support system sends mails with duplicate IDs, one for the message, and one for the change of ticket status, and Zimbra's default action is not to deliver duplicate mails. The answer was therefore to run
as the zimbra user and restart the mailbox daemon:
Delivery seems a lot more successful now and it did make sense as an issue in this case. The function isn't documented officially as far as I can see.