Re: how to prevent post-auth sender spoofing

From: Daniel Black <>
Date: Sat, 29 May 2010 12:27:01 +1000

On Friday 28 May 2010 12:58:18 Josephus wrote:
> Hi,
> I'm trying to deploy dkim into a multi/virtualdomain environment where
> users send emails via sasl authentication. A common MTA setup doesn't
> check for sender address after the authentication is done.

are you talking about the From: header field or the envelope address?

Envelope is easy to deal with in the MTA (as below).

> Once I'm
> authenticated I can send mails using anything as the sender.
> So once a user is allowed to send, they would select an email address
> that's also on the system (on someone else's domain), the message will
> be signed with dkim, because the sender domain matches a key in the
> database. The receiving end will trust in the dkim signature however the
> whole message was forged from the beginning.

good point.

I think your options are:

2. Setting up an smtp transport for every virtual domain, each with its
own header_checks using a pcre map that ensures the From header field
address is right.

Then set sender_dependent_default_transport_maps for each virtual domain to
the transport with the header checks.

> I know it's not really a dkim issue, but you might have dealt with the
> situation before. Using Postfix I have thought about restricting sender
> addresses to the sasl authenticated username, but that would kill the
> feature where you can set up multiple identities in your MUA for all
> your aliases.

Not quite. Here's a solution: smtpd_sender_login_maps. It doesn't fix From
header fields but can be used with the ideas above.

$ postmap -q lists-admin mysql:/etc/postfix/

This alias map maps it such that christopher and daniel can send as the alias.


smtpd_sender_login_maps = proxy:mysql:/etc/postfix/

smtpd_restriction_classes = permit_out

permit_out = permit_mynetworks

smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access
        # the login map is only consulted by a *_sender_login_mismatch
        # restriction; without one the map above has no effect
        reject_authenticated_sender_login_mismatch

also the following is useful:
smtpd_sasl_authenticated_header = yes

> Not to mention that we have some internal hosts for which we do not
> require authentication (such as webservers).

You could set them up with SASL client auth. It depends if you've got
control over forgery on those servers.

> Thanks for your advice
> Jos.
Received on Sat May 29 2010 - 02:28:47 PST
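Added example, not from the thread and not Postfix's own code: a small Python model of the two checks Daniel describes, the envelope check that smtpd_sender_login_maps plus reject_authenticated_sender_login_mismatch gives you, and the per-virtual-domain From: header check on the transport picked by sender_dependent_default_transport_maps. The maps, domains, login names and messages are constructed stand-ins; the login map is looked up by full address only (the real lookup rules are richer), and the From: check parses the addr-spec rather than running a pcre over the raw header line. It is meant to show which forgeries each stage catches and which one the unauthenticated internal host in the last point slips past.

```python
"""Model of the two Postfix-style checks discussed in the thread.

Constructed example: no Postfix, no milter, no MySQL.  The maps below stand
in for smtpd_sender_login_maps, sender_dependent_default_transport_maps and
a per-transport pcre header_checks table.
"""
from email import message_from_string
from email.utils import getaddresses

# Stand-in for smtpd_sender_login_maps: envelope sender -> SASL logins that
# own it.  Two owners model the thread's lists-admin alias that both
# christopher and daniel may send as.  (Constructed data.)
SENDER_LOGIN_MAP = {
    "lists-admin@example.org": {"christopher", "daniel"},
    "daniel@example.org": {"daniel"},
    "christopher@example.org": {"christopher"},
    "webmaster@example.net": {"webmaster"},
}

# Stand-in for sender_dependent_default_transport_maps: sender domain ->
# transport, one transport per virtual domain.  (Constructed data.)
TRANSPORT_MAP = {
    "example.org": "smtp_example_org",
    "example.net": "smtp_example_net",
}

# Stand-in for each transport's own header_checks: the only domain a From:
# address may carry when the message leaves through that transport.
HEADER_CHECKS = {
    "smtp_example_org": "example.org",
    "smtp_example_net": "example.net",
}


def domain_of(address):
    """Lower-cased domain part of an addr-spec, '' if there is none."""
    return address.rpartition("@")[2].lower()


def sender_login_check(sasl_username, mail_from):
    """Model reject_authenticated_sender_login_mismatch.

    Returns 'DUNNO' (let later restrictions decide) or a 'REJECT ...' text,
    the shape a Postfix restriction result has.  Only SASL-authenticated
    clients are checked: an unauthenticated host in mynetworks is not
    looked at here at all, which is the gap the thread's last point raises.
    Assumption: lookup by full address only, no @domain wildcard entries.
    """
    if sasl_username is None:
        return "DUNNO"
    owners = SENDER_LOGIN_MAP.get(mail_from.lower(), set())
    if sasl_username.lower() in owners:
        return "DUNNO"
    return "REJECT Sender address rejected: not owned by user " + sasl_username


def transport_for(mail_from):
    """Pick the outgoing transport from the (already checked) envelope sender."""
    return TRANSPORT_MAP.get(domain_of(mail_from), "smtp")


def from_header_check(transport, raw_message):
    """Model the per-transport From: header check.

    Every address in From: must lie in the transport's domain.  A message
    without any From: address is rejected rather than passed unexamined.
    """
    allowed = HEADER_CHECKS.get(transport)
    if allowed is None:
        return "DUNNO"  # default transport carries no per-domain check
    msg = message_from_string(raw_message)
    addrs = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    if not addrs:
        return "REJECT From: header missing"
    for addr in addrs:
        if domain_of(addr) != allowed:
            return "REJECT From: %s is not in %s" % (addr, allowed)
    return "DUNNO"


def screen_submission(sasl_username, mail_from, raw_message):
    """Run both stages in order and return (verdict, transport).

    verdict is 'OK' or the REJECT text of the stage that fired.  The model
    collapses the two Postfix stages into one decision so the outcome can be
    inspected in one place.
    """
    verdict = sender_login_check(sasl_username, mail_from)
    if verdict.startswith("REJECT"):
        return verdict, None
    transport = transport_for(mail_from)
    verdict = from_header_check(transport, raw_message)
    if verdict.startswith("REJECT"):
        return verdict, transport
    return "OK", transport


# Constructed messages: a legitimate list mail and a From: forgery that
# borrows an address from another virtual domain on the same box.
MSG_OK = (
    "From: List admin <lists-admin@example.org>\r\n"
    "To: someone@example.com\r\n"
    "Subject: list maintenance\r\n\r\nbody\r\n"
)
MSG_FORGED = (
    "From: webmaster@example.net\r\n"
    "To: victim@example.com\r\n"
    "Subject: please reset your password\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for login, sender, msg in [
        ("daniel", "lists-admin@example.org", MSG_OK),       # alias owner
        ("christopher", "daniel@example.org", MSG_OK),       # envelope forgery
        ("christopher", "christopher@example.org", MSG_FORGED),  # From: forgery
        (None, "anything@example.net", MSG_FORGED),          # unauthenticated host
    ]:
        print(login, sender, "->", screen_submission(login, sender, msg))
```

The fourth case is the one to watch: with no SASL login the envelope stage has nothing to compare against, so an internal webserver can use any envelope sender it likes, and only the per-domain From: check still pins the header to the envelope's domain.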
