Restrict sender email address to authenticated linux user

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
Most email clients have the ability to create multiple identities or send from addresses. On my Postfix/Dovecot server, I was able to configure a setting so that any emails with a from address (envelope address?) that is not associated (by means of an appropriate virtual account mapping) to their local linux user account would be rejected when sending, and Roundcube would throw an error indicating this.

How can I do this with Exim on DirectAdmin? I've dug around and came up with these which are related, but I don't think address this particular issue:


My limited understand I think stems from authentication being required on my Postfix server. Note: I'm not talking about receiving email from a spoofed address, I mean sending email through the DA email server from Roundcube on the same server. These are the settings I'm using on Postfix:

* Restrict sending to alias mappings
sudo postconf -e 'smtpd_sender_login_maps=hash:/etc/postfix/virtual'
sudo postconf -e 'smtpd_sender_restrictions=reject_sender_login_mismatch'

I'm assuming this requires/forces authentication to be done when sending, even if the server is local.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Please try adding this to /etc/exim.acl_check_message.pre.conf:
Code:
deny
  authenticated = *
  condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
                       { !eqi{$authenticated_id} {${address:$header_From:}} }\
                     }\
                     }
  message = From address must match your authenticated email user.
Restart exim after.
 

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
Thank! After some experimentation, I think I phrased my question poorly. Your recommended code works to restricts sent email to have the from/sender match the account logged into RoundCube (and I assume remote SMTP as well?)

I think what I want might be an extension of this...can a domain owner create aliases for addresses, such that me@domain.com could send emails from sales@domain.com as well, without needing a separate account or login? Emails to sales@domain.com should be delivered to me@domain.com.

Is there a variable or expression that I can use to check the from/sender address against configured email forwarding? The forwarder takes care of receiving mail, and this unknown expression would take care of sending mail from a forwarded address.
 
Last edited:

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Try this:
Code:
deny
  authenticated = *
  condition = ${if or {{ !eqi{${domain:$authenticated_id}} {$sender_address_domain} }\
    { !eqi{${domain:{$authenticated_id}} {${domain:{${address:$header_From:}}} }\
  }\
  }
  message = Sender domain ( $sender_address_domain ) must match your domain name used in authenticated email user ( $authenticated_id ).
 

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
Thanks, I'll need to work through the logic to what is happening there. Can you point me to a good primer on this particular Exim feature you're using? It looks like I can just write my own rules, which is fine with me.

The "/etc/exim.acl_check_message.pre.conf " file you had me put this in originally, is that persistent through Exim builds and updates?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Yes, that file is persistent (custom include), so, you may safely add the code there. It’s basic exim syntax :)
 

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
Yes, that file is persistent (custom include), so, you may safely add the code there. It’s basic exim syntax :)
Thanks. I struggled through setting up Postfix from scratch, since Exim looked far more challenging, and here I am back at Exim :p I'll dig into exim syntax today at some point.

How do you specify the custom includes for Exim in DA?
 

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
Where in DA would I find the list of configured email forwarders for a domain (programmatically)?
 

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
105
So I came up with this which tries to match the send address to the authenticated user or look for a matching entry in the forwarding/alias table

Code:
${if !or \
    { \
         {eqi{$authenticated_id} {$sender_address}} \
         {eqi{$authenticated_id} {${address:$header_From:}}} \
         {eqi{$authenticated_id} {${lookup{${local_part:$sender_address}}lsearch{/etc/virtual/${domain:$sender_address}/aliases}}}} \
         {eqi{$authenticated_id} {${lookup{${local_part:${address:$header_From:}}}lsearch{/etc/virtual/${domain:${address:$header_From:}}/aliases}}}} \
    } \
}
I still need to allow the condition for matching where a user authenticated with one local domain, but is sending from another local domain.
 
Top