Force matching envelop MAIL FROM and "From" header

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Force matching envelop MAIL FROM and "From" header

lst_hoe02
Hello

is it possible to force a matching "From" header in the mail if  
reject_sender_login_mismatch is used so the "From" header is the same  
as the checked MAIL FROM address? The goal is to prevent spoofing of  
the "From" header for SASL authenticated clients.

Many Thanks

Andreas

smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Force matching envelop MAIL FROM and "From" header

Wietse Venema
[hidden email]:
> Hello
>
> is it possible to force a matching "From" header in the mail if  
> reject_sender_login_mismatch is used so the "From" header is the same  
> as the checked MAIL FROM address? The goal is to prevent spoofing of  
> the "From" header for SASL authenticated clients.

Yes, but only with external software (Milter or content filter).

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Force matching envelop MAIL FROM and "From" header

lst_hoe02
Zitat von Wietse Venema <[hidden email]>:

> [hidden email]:
>> Hello
>>
>> is it possible to force a matching "From" header in the mail if
>> reject_sender_login_mismatch is used so the "From" header is the same
>> as the checked MAIL FROM address? The goal is to prevent spoofing of
>> the "From" header for SASL authenticated clients.
>
> Yes, but only with external software (Milter or content filter).
>
> Wietse

That's what i was afraid of. My idea was to use header-checks to drop  
the "From:" header and let it add from cleanup again but  
http://www.postfix.org/header_checks.5.html says

        Message  headers added by the cleanup(8) daemon itself are
        excluded from inspection. Examples of such message headers
        are From:, To:, Message-ID:, Date:.

:-(


Regards

Andreas





smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Force matching envelop MAIL FROM and "From" header

Noel Jones-2
On 12/2/2009 7:34 AM, [hidden email] wrote:

> Zitat von Wietse Venema <[hidden email]>:
>
>> [hidden email]:
>>> Hello
>>>
>>> is it possible to force a matching "From" header in the mail if
>>> reject_sender_login_mismatch is used so the "From" header is the same
>>> as the checked MAIL FROM address? The goal is to prevent spoofing of
>>> the "From" header for SASL authenticated clients.
>>
>> Yes, but only with external software (Milter or content filter).
>>
>> Wietse
>
>
> That's what i was afraid of. My idea was to use header-checks to drop
> the "From:" header and let it add from cleanup again but

Yes, that will work -- ugly, but it will work.  You'll need to
use the submission port with it's own header_checks (via it's
own cleanup service) since header_checks can't tell by itself
if the user has authenticated.  Note the From: header added by
cleanup will contain only the envelope address.

> http://www.postfix.org/header_checks.5.html says
>
> Message headers added by the cleanup(8) daemon itself are
> excluded from inspection. Examples of such message headers
> are From:, To:, Message-ID:, Date:.

That refers to a missing header that has been added to the
current message by cleanup, not a pre-existing header with the
same name.

>
> :-(
>

    :-)

   -- Noel Jones