Mohammad Isargar:
> Hi there,
> 
> We have a situation where Postfix is installed with a single domain, serving a
> subnet of local LAN users, and SASL authentication is enforced in order to send
> emails.
> 
> Even though we know that the actual sender can be found by checking
> full email headers, one of our security requirements is that the
> "local" senders should not be able to use an arbitrary From: header to send
> emails, and the value of this header must be the same as MAIL FROM (or
> envelope) address.
> 
> Is there any solution around this with Postfix?

This may be done with a Milter that replaces the From: header (or
takes some other action) when the From: address differs from the
envelope address. This looks only at the envelope sender and
the message header, and the performance impact should be small.

Milters can be implemented in Python (pymilter), Perl (Sendmail::Milter),
and in a variety of other languages. For a catalog of Milters see
https://www.milter.org/milters

It can also be done with an SMTP-based content filter, but there
is more potential for making mistakes because you have full access
to everything.

        Wietse
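
The comparison described in the reply above, written as the decision function a Milter could call once it has collected the envelope sender and the From: header(s). This is an added example, not code from the thread or from Postfix; the function names, the case-insensitive comparison, and the choice to reject rather than rewrite ambiguous From: headers are assumptions.

```python
from email.utils import getaddresses


def bare(addr):
    """Strip whitespace and the <> a milter sees around MAIL FROM."""
    return addr.strip().strip("<>")


def check_from(envelope_sender, from_headers):
    """Return (action, new_from); action is 'accept', 'replace' or 'reject'.

    envelope_sender: MAIL FROM value, e.g. '<alice@example.com>'.
    from_headers:    list with the value of every From: header in the message.
    """
    env = bare(envelope_sender)
    if not env:
        return ("reject", None)      # null sender: nothing to compare against
    if len(from_headers) != 1:
        return ("reject", None)      # missing or duplicated From: header
    # getaddresses() separates display names from addresses, so a display
    # name that merely looks like an address is not what gets compared.
    mailboxes = [a for _, a in getaddresses(from_headers) if a]
    if len(mailboxes) != 1:
        return ("reject", None)      # unparseable, or several authors listed
    # Assumption: a single-domain site treats addresses case-insensitively.
    if mailboxes[0].lower() == env.lower():
        return ("accept", None)
    # Mismatch: the value a milter would write back as the new From: header.
    return ("replace", env)


if __name__ == "__main__":
    # Constructed sample messages (envelope sender, From: header values).
    samples = [
        ("<alice@example.com>", ["Alice <Alice@Example.com>"]),
        ("<alice@example.com>", ["The Boss <boss@example.com>"]),
        ("<alice@example.com>", ["alice@example.com", "boss@example.com"]),
        ("<alice@example.com>", ["alice@example.com, boss@example.com"]),
        ("<>", ["alice@example.com"]),
    ]
    for env, hdrs in samples:
        print(env, hdrs, "->", check_from(env, hdrs))
```
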
