4

At work, I'm facing security risk with the mail sender spoofing. I have a relay mail server which accepts mail relay from all server subnets.

If an user in a normal server sends mail within command line:

user@server$ echo mail_content | mail -r [email protected] -s Important [email protected]

So basically, this guy can pretent to be anyone when sending email, which could lead to really big trouble

What I'm expecting is, even though running the above command, the recipient still get the mail with From: user@server

How can I do it in Postfix?

Edit: I forgot to add, the authentication method is Active Directory, not sure if it makes the configuration much complicated :)

xhienne
  • 17,075
  • 2
  • 52
  • 68
Shâu Shắc
  • 929
  • 1
  • 10
  • 11
  • 2
    Open mail relays expose a huge hole in the SMTP protocol (which was written when you could trust senders to say who they really were). There are many, long, explanations on how to [configure Postfix authentication](http://postfix.state-of-mind.de/patrick.koetter/smtpauth/) and all of are too large for StackExchange format. – msw Sep 11 '13 at 12:04
  • So +1 for a worthy question, and it can be done, there are just a bunch of trade-offs and choices that you need to make. This makes answering it here with "do this" kinda tough. – msw Sep 11 '13 at 12:07
  • I forgot to add, the authentication method is Active Directory, not sure if it makes the configuration much complicated :) – Shâu Shắc Sep 12 '13 at 01:59

1 Answers1

1

What I'm expecting is, even though running the above command, the recipient still get the mail with From: user@server

How can I do it in Postfix?

You don't. Although many people seem to believe that e-mail servers somehow check the Envelope From and From headers and magically prevent spoofing, they don't and they shouldn't, because that would break e-mail forwarding.

This is not different from snail mail - I could write you a letter and put "Bill Gates, One Microsoft Way, Redmond" as the sender on both the letter and the envelope, and the postal service would accept and deliver it to you nonetheless. The real world doesn't prevent sender spoofing, and neither does SMTP.

Community
  • 1
Martin von Wittich
  • 13,857
  • 6
  • 51
  • 74
  • You say they shouldn't and this would break email forwarding, but gmail SMTP servers already do this and have done for very many years. Sending as an authenticated user results in the email (RFC 822) headers being modified. – Philip Couling Jun 18 '19 at 21:34