Restrict sender email address to authenticated linux user

CanadaGuy (Verified User, joined Nov 14, 2019, 158 messages)
Most email clients have the ability to create multiple identities or send from addresses. On my Postfix/Dovecot server, I was able to configure a setting so that any emails with a from address (envelope address?) that is not associated (by means of an appropriate virtual account mapping) to their local linux user account would be rejected when sending, and Roundcube would throw an error indicating this.

How can I do this with Exim on DirectAdmin? I've dug around and came up with these, which are related, but I don't think they address this particular issue:


My limited understanding, I think, stems from authentication being required on my Postfix server. Note: I'm not talking about receiving email from a spoofed address; I mean sending email through the DA email server from Roundcube on the same server. These are the settings I'm using on Postfix:

* Restrict sending to alias mappings
sudo postconf -e 'smtpd_sender_login_maps=hash:/etc/postfix/virtual'
sudo postconf -e 'smtpd_sender_restrictions=reject_sender_login_mismatch'

I'm assuming this requires/forces authentication to be done when sending, even if the server is local.
 
Please try adding this to /etc/exim.acl_check_message.pre.conf:
Code:
deny
  authenticated = *
  condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
                       { !eqi{$authenticated_id} {${address:$header_From:}} }\
                     }\
                     }
  message = From address must match your authenticated email user.

Restart exim after.
 
Thanks! After some experimentation, I think I phrased my question poorly. Your recommended code works to restrict sent email to having the from/sender match the account logged into RoundCube (and I assume remote SMTP as well?).

I think what I want might be an extension of this...can a domain owner create aliases for addresses, such that [email protected] could send emails from [email protected] as well, without needing a separate account or login? Emails to [email protected] should be delivered to [email protected].

Is there a variable or expression that I can use to check the from/sender address against configured email forwarding? The forwarder takes care of receiving mail, and this unknown expression would take care of sending mail from a forwarded address.
 
Try this:
Code:
deny
  authenticated = *
  condition = ${if or {{ !eqi{${domain:$authenticated_id}} {$sender_address_domain} }\
    { !eqi{${domain:$authenticated_id}} {${domain:${address:$header_From:}}} }\
  }\
  }
  message = Sender domain ( $sender_address_domain ) must match your domain name used in authenticated email user ( $authenticated_id ).
 
Thanks, I'll need to work through the logic to what is happening there. Can you point me to a good primer on this particular Exim feature you're using? It looks like I can just write my own rules, which is fine with me.

The "/etc/exim.acl_check_message.pre.conf " file you had me put this in originally, is that persistent through Exim builds and updates?
 
Yes, that file is persistent (custom include), so, you may safely add the code there. It’s basic exim syntax :)
 
Thanks. I struggled through setting up Postfix from scratch, since Exim looked far more challenging, and here I am back at Exim :p I'll dig into exim syntax today at some point.

How do you specify the custom includes for Exim in DA?
 
Where in DA would I find the list of configured email forwarders for a domain (programmatically)?
 
So I came up with this, which tries to match the sending address to the authenticated user or look for a matching entry in the forwarding/alias table:

Code:
${if !or \
    { \
         {eqi{$authenticated_id} {$sender_address}} \
         {eqi{$authenticated_id} {${address:$header_From:}}} \
         {eqi{$authenticated_id} {${lookup{${local_part:$sender_address}}lsearch{/etc/virtual/${domain:$sender_address}/aliases}}}} \
         {eqi{$authenticated_id} {${lookup{${local_part:${address:$header_From:}}}lsearch{/etc/virtual/${domain:${address:$header_From:}}/aliases}}}} \
    } \
}

I still need to allow the condition for matching where a user authenticated with one local domain, but is sending from another local domain.
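To make the ACL logic from the earlier "deny ... authenticated = *" snippet and the alias-aware condition above testable without a running Exim (exim -be needs a live install), here is an added model in Python. It is not code from the thread or from DirectAdmin; it assumes that /etc/virtual/<domain>/aliases holds one "alias: target" entry per line (the format the lsearch lookup above expects), and the aliases table, addresses and function names are constructed for the example. One point it deliberately changes: the four-way "!or" above passes as soon as any single term matches, so a message whose envelope sender is the authenticated user but whose From: header is someone else would be accepted; the model requires the envelope sender and the From: header to each match, either directly or through an alias, which is what the first ACL in the thread enforced.

```python
from __future__ import annotations
import re

# Constructed sample of DirectAdmin-style /etc/virtual/<domain>/aliases files,
# keyed by domain. Assumed format: "alias: target" per line, which is what the
# lsearch lookup in the thread's ACL reads.
SAMPLE_ALIASES = {
    "example.com": """\
# forwarders for example.com (constructed sample)
sales: john@example.com
info: john@example.com
support: helpdesk@example.com
""",
}


def parse_aliases(text: str) -> dict[str, str]:
    """Parse lsearch-style 'key: value' lines; blank lines and '#' comments are skipped.
    Keys are lower-cased so the lookup is case-insensitive, like the eqi comparisons."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            table[key.strip().lower()] = value.strip()
    return table


def split_address(addr: str) -> tuple[str, str]:
    """Local part and lower-cased domain, like Exim's ${local_part:} and ${domain:}."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def header_address(header_from: str) -> str:
    """Rough stand-in for Exim's ${address:$header_From:}: the bare address in a From: header."""
    m = re.search(r"<([^>]+)>", header_from)
    return (m.group(1) if m else header_from).strip()


def alias_target(addr: str, alias_files: dict[str, str]) -> str:
    """Model of ${lookup{local_part}lsearch{/etc/virtual/<domain>/aliases}}:
    the forwarding target, or "" when the file or the key does not exist
    (Exim's lookup without {ok}{fail} strings expands to empty on failure)."""
    local, domain = split_address(addr)
    text = alias_files.get(domain)
    if text is None:
        return ""
    return parse_aliases(text).get(local.lower(), "")


def sender_allowed(authenticated_id: str, sender_address: str,
                   header_from: str, alias_files: dict[str, str]) -> bool:
    """Accept only when BOTH the envelope sender and the From: header equal the
    authenticated id, or forward to it via an alias entry in that domain's file."""
    auth = authenticated_id.lower()
    if not auth:
        # the ACL's "authenticated = *" only fires for authenticated sessions;
        # an empty id must never match an empty (failed) lookup result
        return False

    def matches(addr: str) -> bool:
        return addr.lower() == auth or alias_target(addr, alias_files).lower() == auth

    return matches(sender_address) and matches(header_address(header_from))


def acl_verdict(authenticated_id: str, sender_address: str,
                header_from: str, alias_files: dict[str, str]) -> str:
    """The ACL outcome: 'accept' or the deny message the client would see."""
    if sender_allowed(authenticated_id, sender_address, header_from, alias_files):
        return "accept"
    return "deny: From address must match your authenticated email user or one of its aliases."


if __name__ == "__main__":
    cases = [
        ("john@example.com", "john@example.com", "John <john@example.com>"),
        ("john@example.com", "sales@example.com", "Sales <sales@example.com>"),
        ("john@example.com", "support@example.com", "support@example.com"),
        ("john@example.com", "john@example.com", "Boss <boss@example.com>"),
        ("john@example.com", "john@other.example", "john@other.example"),
    ]
    for auth, sender, hdr in cases:
        print(f"{auth:18} {sender:20} {hdr:26} -> {acl_verdict(auth, sender, hdr, SAMPLE_ALIASES)}")
```

Running the block prints the verdict for each constructed case: the direct match and the sales alias are accepted, while an alias that forwards to a different account, a From: header that differs from the envelope sender, and a domain with no aliases file are all denied. To translate a passing case back into Exim terms, the alias lookup must return exactly the authenticated id, so a forwarder that points at a different mailbox (support -> helpdesk) does not grant sending rights to it.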
 