Hello!
I have an OpenBSD 7.2 with an OpenSMTPD+rspamd+postgresql+dovecot setup with
virtuals (users and domains) and credentials in a postgresql database.
I was wondering if it was possible, in a filter on the smtpd side, to
prevent users from forging "From" headers with addresses that don't fall within
the scope of RFC 5233 or other aliases in the database.
So if I was sending a mail as authenticated [email protected], I could
send with [email protected] or [email protected] (or
[email protected] if I had an alias in db which
pointed to [email protected]) but not [email protected] or
[email protected].
I saw in another thread in Archives a configuration with "mask-src
senders <users>" and saw in the opensmtpd.conf man page:
```
senders <users> [masquerade]
    Look up the authenticated user in the users mapping table
    to find the email addresses that user is allowed to
    submit mail as. In addition, if the masquerade option is
    provided, the From header is rewritten to match the
    sender provided in the SMTP session.
```
Do I need to make a separate table for this?
Currently I have 3 tables in my pgsql db: credentials, domains, virtuals
The layout of the tables is like this:
credentials : id,email,password
domains : id,domain
virtuals : id,email,destination
Here is my config:
*smtpd.conf:*
```
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
srs key REDACTED
srs key backup REDACTED
## Certs
pki gamindustri.fr cert "REDACTED"
pki gamindustri.fr key "REDACTED"
table domains postgres:/etc/mail/pgsql.conf
table virtuals postgres:/etc/mail/pgsql.conf
table passwd postgres:/etc/mail/pgsql.conf
table blacklist file:/etc/mail/blacklist.table
table sympa file:/etc/mail/sympa.table
filter "rdns" phase connect match !rdns disconnect "550 Incorrect rDNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 Incorrect fcrDNS error"
filter "rspamd" proc-exec "filter-rspamd"
filter "spam" phase rcpt-to match rcpt-to <blacklist> disconnect "550 You've been rate limited, please wait an hour."
## Ports to listen on, and how to listen on them
listen on lo0 port 25
listen on egress port 25 tls pki gamindustri.fr hostname compa.gamindustri.fr filter { "rdns", "fcrdns", "rspamd", "spam" }
listen on egress port 465 smtps pki gamindustri.fr hostname compa.gamindustri.fr mask-src auth <passwd> filter "rspamd"
listen on egress port submission tls-require pki gamindustri.fr hostname compa.gamindustri.fr mask-src auth <passwd> filter "rspamd"
action "dovecotFinal" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "send" relay srs
action "send-to-sympa" relay host smtp://[REDACTED] srs
match from any for domain <domains> rcpt-to <sympa> action "send-to-sympa"
match from src 2001:41d0:fc1e:bd00:84b0:83ff:fe1b:8372 action "send"
match from any for domain <domains> action "dovecotFinal"
match from auth for any action "send"
match from local for any action "send"
```
*pgsql.conf:*
```
# PostgreSQL
conninfo host='/tmp' dbname='vmail' user='_smtpd'
query_alias SELECT destination FROM virtuals WHERE email=$1;
query_credentials SELECT email, password FROM credentials WHERE email=$1;
query_domain SELECT domain FROM domains WHERE domain=$1;
```
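One way to wire the `senders <users>` lookup onto the three tables already in the database, as an added example that is not part of the original post or of OpenSMTPD's own documentation. It assumes (a) that the `table-postgres` backend exposes the allowed-sender mapping under the key `query_mailaddrmap`, which should be checked against the table-postgres(5) man page on the installed version, (b) that the authenticated user name is the `credentials.email` value, as the existing `query_credentials` suggests, (c) that `virtuals.destination` holds that same email address for aliases, and (d) a table name `users`, which is arbitrary. The `[email protected]` placeholders follow the post's redacted form.

```conf
## pgsql.conf additions (added example). $1 is the authenticated user name.
## The result is the set of addresses that user may use as MAIL FROM:
## the login address itself, plus every virtuals entry that aliases to it.
## Key name assumed from table-postgres(5); verify on your version.
query_mailaddrmap SELECT email FROM credentials WHERE email=$1 UNION SELECT email FROM virtuals WHERE destination=$1;

## smtpd.conf additions (added example). The same pgsql.conf can back another
## table, since the backend answers every query it has a line for.
table users postgres:/etc/mail/pgsql.conf

## senders <users> rejects an envelope sender that is not in the mapping;
## masquerade additionally rewrites the From header to that envelope sender.
## Apply it to every listener that accepts authentication, not only submission.
listen on egress port 465 smtps pki gamindustri.fr hostname compa.gamindustri.fr mask-src auth <passwd> senders <users> masquerade filter "rspamd"
listen on egress port submission tls-require pki gamindustri.fr hostname compa.gamindustri.fr mask-src auth <passwd> senders <users> masquerade filter "rspamd"
```

With this in place an authenticated `[email protected]` can submit as the login address or as any alias whose `destination` is that address, and the From header is forced to match the accepted envelope sender, so it cannot carry a different address. The query returns exact addresses only; whether a `+tag` form of an allowed address is accepted depends on how smtpd itself compares the envelope sender against the mapping, which this fragment does not change, so test it against a real session before relying on it. `smtpd -n` checks the edited configuration for syntax errors before a restart.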