How can I restrict the "From:" field for emails to prevent outbound mail spoofing?

Overview

This article provides instructions for configuring Postfix to prevent authenticated users from sending emails with a From: address that does not match their authenticated login credentials. Implementing this restriction helps mitigate email spoofing and enforces sender authenticity within your mail environment.

Note: This procedure is intended for experienced system administrators.

Prerequisites

  • Root or sudo access to the server
  • Postfix mail transfer agent installed (Plesk default configuration)
  • Command-line interface access

Configuration Steps

  1. Open the Postfix main configuration file located at /etc/postfix/main.conf using a text editor.
  2. Locate the smtpd_sender_restrictions parameter. Modify the value to include reject_authenticated_sender_login_mismatch immediately before the permit_sasl_authenticated directive.

    Default Plesk configuration:
    smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
    Updated configuration:
    smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
  3. Save and close the file.
  4. Configure the required sender login map by executing the following command:
    postconf -e "smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual"
  5. Apply the changes by reloading the Postfix service:
    postfix reload

Verification & Testing

To verify that the restriction is functioning correctly, perform a test transmission using an authenticated user attempting to spoof a different sender address.

  1. Create a sample email file:
    echo "this is a test" > message
  2. Execute the following command, replacing test@example.com with a valid local mailbox and password with the corresponding user credentials:
    curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "test@example.com" --upload-file ./message --user 'test@example.com:password' --ssl
  3. A successful restriction will return the following error:
    curl: (55) RCPT failed: 553
  4. Verify the rejection in the mail logs. Navigate to Warden > Logs > Reject log and confirm the presence of the following entry:
    <spoofing@example.com>: Sender address rejected: not owned by user test@example.com

Troubleshooting

  • Restriction not applying: Verify that reject_authenticated_sender_login_mismatch is positioned correctly within the smtpd_sender_restrictions list. Postfix evaluates restrictions sequentially, and placement before permit_sasl_authenticated is critical.
  • Map file errors: Ensure the smtpd_sender_login_maps parameter points to a valid hash database file. If necessary, regenerate the map by running postmap /var/spool/postfix/plesk/virtual.
  • Service reload failures: Check system mail logs for syntax errors or configuration conflicts during the Postfix reload process.
  • spoofing
  • 1 Benutzer fanden dies hilfreich
War diese Antwort hilfreich?

Verwandte Artikel

How can I install or upgrade the extension?

We provide free installation and configuration for all our paid licenses. Open a support ticket...

How can I add stronger Postfix restrictions so that the bulk of spam is rejected at the SMTPD level before it gets processed by Amavis?

Overview Warden enables administrators to enforce stricter Postfix SMTPD restrictions. These...

How can I change the interface language of the extension?

Overview This article provides instructions on how to change the interface language within the...

How can I configure greylisting with Warden Anti-spam and Virus protection?

Overview Greylisting is an email filtering mechanism designed to mitigate spam by temporarily...