Question
How to reject mail whose sender address does not match the authenticated user, and so prevent outbound mail spoofing?
Answer
Warning: This solution may disrupt mail functionality, such as Plesk notifications, Postfix sendmail wrapper, or other features.
Note: Postfix 2.1 or newer is required for the “reject_sender_login_mismatch” restriction.
- Connect to the server via SSH.
- Backup configuration files:
# cp -a /etc/postfix/main.cf{,.bak}
- Change the value of “smtpd_sender_restrictions” in /etc/postfix/main.cf so that Postfix rejects a message when the SASL login name does not own the sender address. The restriction checks the SMTP envelope sender (“MAIL FROM”), not the message header “From:”; it also rejects a MAIL FROM address that has an owner in “smtpd_sender_login_maps” when the client is not logged in at all. The new restriction is prepended to the existing list:
# postconf smtpd_sender_restrictions="reject_sender_login_mismatch, `postconf -h smtpd_sender_restrictions`"
- Point “smtpd_sender_login_maps” in /etc/postfix/main.cf at the lookup table Postfix uses to find which login name (SASL authentication ID) owns a sender address; on Plesk this is the generated virtual map:
# postconf smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
- Restart Postfix:
# service postfix restart
Note: The setting will be applied server-wide.
This configuration can be tested with the following commands (an empty message file is enough, because the rejection happens before the DATA stage):
# touch message
# curl -k --url "smtp://127.0.0.1" --mail-from "[email protected]" --mail-rcpt "[email protected]" --upload-file ./message --user '[email protected]:password' --ssl
<…>
curl: (55) RCPT failed: 553
where “[email protected]” (--mail-from) is the forged envelope sender, “[email protected]” (--mail-rcpt) is any recipient, and “[email protected]” (--user) is an existing mailbox on the server whose password is used to log in. The 553 reply is reported at the RCPT stage rather than at MAIL FROM because Postfix evaluates sender restrictions only after RCPT TO by default (smtpd_delay_reject = yes). When the envelope sender matches the login, the same command completes and the message is accepted.
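The steps above as one script, added here as an example; it is not code from the article or from Plesk. It assumes it runs as root on the Plesk host, that postconf, postfix and curl are in PATH, and that the map path /var/spool/postfix/plesk/virtual is the one from the article. Unlike the one-line postconf command, the helper that edits the restriction list copes with an empty current value (no dangling separator) and with being run twice (no duplicate entry), and the probe function interprets the curl result the way the test section describes.

```shell
#!/bin/sh
# Added example (not from the Plesk article): apply reject_sender_login_mismatch
# idempotently, then probe it with curl as the article's test does.
# Assumptions: root on the Plesk host; postconf/postfix/curl in PATH;
# the Plesk map path below is the one the article names.

RESTRICTION="reject_sender_login_mismatch"
LOGIN_MAPS="hash:/var/spool/postfix/plesk/virtual"

# True when the comma/whitespace separated list in $1 contains the word $2.
contains_word() {
    for w in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Print the restriction list $1 with $RESTRICTION placed first.
# Empty list -> just the restriction; already present -> list unchanged.
add_restriction() {
    current="$1"
    if contains_word "$current" "$RESTRICTION"; then
        printf '%s\n' "$current"
    elif [ -z "$current" ]; then
        printf '%s\n' "$RESTRICTION"
    else
        printf '%s, %s\n' "$RESTRICTION" "$current"
    fi
}

# Back up main.cf, set both parameters, and reload Postfix.
apply_sender_login_check() {
    cp -a /etc/postfix/main.cf "/etc/postfix/main.cf.bak.$(date +%Y%m%d%H%M%S)"
    new_value=$(add_restriction "$(postconf -h smtpd_sender_restrictions)")
    postconf -e "smtpd_sender_restrictions = $new_value" \
                "smtpd_sender_login_maps = $LOGIN_MAPS"
    postfix reload
}

# Send an empty message with a forged envelope sender over the submission
# path the article tests. Returns 0 when Postfix rejected it with 553
# (reported at RCPT by default, or at MAIL if smtpd_delay_reject=no),
# 1 when the forged sender was accepted or something else went wrong.
# $1 = SASL login, $2 = password, $3 = forged MAIL FROM, $4 = recipient
probe_spoof_rejected() {
    tmp=$(mktemp)
    rc=0
    out=$(curl -k --ssl --url "smtp://127.0.0.1" --user "$1:$2" \
              --mail-from "$3" --mail-rcpt "$4" --upload-file "$tmp" 2>&1) || rc=$?
    rm -f "$tmp"
    if [ "$rc" -ne 0 ] && printf '%s\n' "$out" | grep -q 'failed: 553'; then
        return 0
    fi
    printf '%s\n' "$out" >&2
    return 1
}

# Usage:  sh script.sh apply
#         sh script.sh probe LOGIN PASSWORD FORGED_SENDER RECIPIENT
case "${1:-}" in
    apply) apply_sender_login_check ;;
    probe) shift; probe_spoof_rejected "$@" ;;
esac
```

`postfix reload` is used instead of a full restart because main.cf parameter changes take effect on reload; the article's `service postfix restart` works equally well.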