Overview
This article provides instructions for configuring Postfix to prevent authenticated users from sending emails with a From: address that does not match their authenticated login credentials. Implementing this restriction helps mitigate email spoofing and enforces sender authenticity within your mail environment.
Note: This procedure is intended for experienced system administrators.
Prerequisites
- Root or sudo access to the server
- Postfix mail transfer agent installed (Plesk default configuration)
- Command-line interface access
Configuration Steps
- Open the Postfix main configuration file located at /etc/postfix/main.conf using a text editor.
- Locate the smtpd_sender_restrictions parameter. Modify the value to include reject_authenticated_sender_login_mismatch immediately before the permit_sasl_authenticated directive.
Default Plesk configuration:
Updated configuration:smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticatedsmtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated - Save and close the file.
- Configure the required sender login map by executing the following command:
postconf -e "smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual" - Apply the changes by reloading the Postfix service:
postfix reload
Verification & Testing
To verify that the restriction is functioning correctly, perform a test transmission using an authenticated user attempting to spoof a different sender address.
- Create a sample email file:
echo "this is a test" > message - Execute the following command, replacing test@example.com with a valid local mailbox and password with the corresponding user credentials:
curl -k --url "smtp://127.0.0.1" --mail-from "spoofing@example.com" --mail-rcpt "test@example.com" --upload-file ./message --user 'test@example.com:password' --ssl - A successful restriction will return the following error:
curl: (55) RCPT failed: 553 - Verify the rejection in the mail logs. Navigate to Warden > Logs > Reject log and confirm the presence of the following entry:
<spoofing@example.com>: Sender address rejected: not owned by user test@example.com
Troubleshooting
- Restriction not applying: Verify that reject_authenticated_sender_login_mismatch is positioned correctly within the smtpd_sender_restrictions list. Postfix evaluates restrictions sequentially, and placement before permit_sasl_authenticated is critical.
- Map file errors: Ensure the smtpd_sender_login_maps parameter points to a valid hash database file. If necessary, regenerate the map by running
postmap /var/spool/postfix/plesk/virtual. - Service reload failures: Check system mail logs for syntax errors or configuration conflicts during the Postfix reload process.