On 2020-08-30 22:33 BST, Wietse Venema wrote:
> Well almost: it needs a custom SMTP client to avoid loop detection.
>
> /etc/postfix/master.cf:
>     pickup unix .. .. .. .. .. pickup
>         -o { content_filter = local-smtp:[localhost]:25 }
>
>     local-smtp unix .. .. .. .. .. smtp
>         -o { inet_interfaces = }
>         -o { myhostname = localhost }
>
> Let me know if that does the job.
Yes I believe it does, thank you. Though I have used a new smtpd
service because the one on port 25 checks mail from the internet but I
want one that checks mail from the mail server.
*** additions to master.cf

localhost:2525
        inet  n  -  y  -  -  smtpd
    -o cleanup_service_name=cleanup-outbound
    -o syslog_name=smtpd-sndmail
# This is duplicated from part of the submission service:
    -o { smtpd_sender_restrictions =
        check_sender_access regexp:/etc/postfix/check-sender-access-outbound,
        reject_unverified_sender
    }

pickup  unix  n  -  y  60  1  pickup
    -o { content_filter = smtp-sndmail:[localhost]:2525 }

smtp-sndmail
        unix  -  -  y  -  -  smtp
    -o { inet_interfaces = }
    -o { myhostname = smtp-sndmail }
    -o { bounce_service_name = bounce-discard }

# This is shared with the submission service.
cleanup-outbound
        unix  n  -  y  -  0  cleanup
    -o header_checks=regexp:/etc/postfix/header-checks-outbound
    -o mime_header_checks=
    -o nested_header_checks=
    -o syslog_name=smtp-sndmaild
    -o bounce_service_name=bounce-discard

# Discards non-delivery notifications so they can't go to forged addresses.
bounce-discard
        unix  -  -  y  -  0  discard
    -o syslog_name=bounce-discard

*** Response to forged envelope-from

Sep 1 10:35:36 rolly postfix/pickup[7666]: 69CB9A0C16: uid=1000 from=<badaddress@forged>
Sep 1 10:35:36 rolly postfix/cleanup[11375]: 69CB9A0C16: message-id=<[email protected]>
Sep 1 10:35:36 rolly postfix/qmgr[25533]: 69CB9A0C16: from=<badaddress@forged>, size=472, nrcpt=1 (queue active)
Sep 1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: connect from localhost[::1]
Sep 1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain; from=<badaddress@forged> to=<badaddress@forged> proto=ESMTP helo=<smtp-sndmail>
Sep 1 10:35:36 rolly postfix/smtp[11382]: 69CB9A0C16: to=<badaddress@forged>, relay=localhost[::1]:2525, delay=0.12, delays=0.05/0.02/0.02/0.03, dsn=5.7.1, status=bounced (host localhost[::1] said: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain (in reply to RCPT TO command))
Sep 1 10:35:36 rolly postfix/qmgr[25533]: 69CB9A0C16: removed
Sep 1 10:35:36 rolly bounce-discard/discard[11387]: warning: unexpected attribute nrequest from bounce-discard socket (expecting: flags)
Sep 1 10:35:36 rolly bounce-discard/discard[11387]: warning: deliver_request_get: error receiving common attributes
Sep 1 10:35:36 rolly smtp-sndmaild/cleanup[11388]: 84FB4A0C08: message-id=<[email protected]>
Sep 1 10:35:36 rolly postfix/qmgr[25533]: 84FB4A0C08: from=<[email protected]>, size=1077, nrcpt=1 (queue active)
Sep 1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
[dovecot lines snipped]
Sep 1 10:35:36 rolly postfix/lmtp[11389]: 84FB4A0C08: to=<[email protected]>, orig_to=<postmaster>, relay=mail.acrasis.net[private/dovecot-lmtp], delay=0.09, delays=0.01/0.01/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> Y5j2IegVTl9+LAAAjtsq0A Saved)
Sep 1 10:35:36 rolly postfix/qmgr[25533]: 84FB4A0C08: removed

which I interpret as: smtpd-sndmail rejected the mail. smtp-sndmail
sent a non-delivery notification which was discarded by bounce-discard
(with warnings that I assume do not matter). smtp-sndmail also
notified the postmaster.

*** Response to good envelope-from but forged header-from

Sep 1 10:40:41 rolly postfix/pickup[7666]: 23E73A0C18: uid=1000 from=<[email protected]>
Sep 1 10:40:41 rolly postfix/cleanup[13599]: 23E73A0C18: message-id=<[email protected]>
Sep 1 10:40:41 rolly postfix/qmgr[25533]: 23E73A0C18: from=<[email protected]>, size=581, nrcpt=1 (queue active)
Sep 1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: connect from localhost[::1]
Sep 1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: 3B7C3A0BAB: client=localhost[::1]
Sep 1 10:40:41 rolly smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: hold: header From: badaddress@forged from localhost[::1]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<smtp-sndmail>: Header-from is spoofed.
Sep 1 10:40:41 rolly smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: message-id=<[email protected]>
Sep 1 10:40:41 rolly postfix/smtp[13604]: 23E73A0C18: to=<[email protected]>, orig_to=<[email protected]>, relay=localhost[::1]:2525, delay=0.13, delays=0.06/0.03/0.02/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3B7C3A0BAB)
Sep 1 10:40:41 rolly postfix/qmgr[25533]: 23E73A0C18: removed
Sep 1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

which I interpret as: smtpd-sndmail accepted the mail, then
cleanup-sndmail placed the mail into the hold queue. Nothing was
sent.
It's now impossible, I think, for either a local or a submission user
to send mail without a valid address in $mydomain in both the
envelope- and header-from. Thanks, comments welcome.
--
Nick
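
Added example, not part of the original message: a log audit that follows each sendmail(1) submission (pickup queue ID) through the localhost:2525 filter and reports whether it was rejected on the envelope sender, held by the header check, or passed. The log lines are constructed on the pattern of the two cases above, the example.org addresses and the third submission are placeholders, the function name audit is hypothetical, and short hexadecimal queue IDs are assumed.

```python
import re

# Constructed sample lines modelled on the two cases in the message above;
# example.org addresses and the third (clean) submission are placeholders.
SAMPLE_LOG = """\
Sep  1 10:35:36 rolly postfix/pickup[7666]: 69CB9A0C16: uid=1000 from=<badaddress@forged>
Sep  1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain; from=<badaddress@forged> to=<user@example.org> proto=ESMTP helo=<smtp-sndmail>
Sep  1 10:35:36 rolly postfix/smtp[11382]: 69CB9A0C16: to=<user@example.org>, relay=localhost[::1]:2525, delay=0.12, dsn=5.7.1, status=bounced (host localhost[::1] said: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain (in reply to RCPT TO command))
Sep  1 10:40:41 rolly postfix/pickup[7666]: 23E73A0C18: uid=1000 from=<nick@example.org>
Sep  1 10:40:41 rolly smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: hold: header From: badaddress@forged from localhost[::1]; from=<nick@example.org> to=<user@example.org> proto=ESMTP helo=<smtp-sndmail>: Header-from is spoofed.
Sep  1 10:40:41 rolly postfix/smtp[13604]: 23E73A0C18: to=<user@example.org>, relay=localhost[::1]:2525, delay=0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3B7C3A0BAB)
Sep  1 10:45:02 rolly postfix/pickup[7666]: 5D1F2A0C19: uid=1001 from=<nick@example.org>
Sep  1 10:45:02 rolly postfix/smtp[13610]: 5D1F2A0C19: to=<user@example.org>, relay=localhost[::1]:2525, delay=0.10, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7A2B4A0BAC)
"""

# "<date> <host> <syslog_name>/<daemon>[pid]: <queue id>: <rest>"; NOQUEUE lines
# do not match because the queue ID is required to be hexadecimal.
LINE = re.compile(r"^\S+\s+\d+ \S+ \S+ (?P<svc>[^\[\s]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
PICKUP = re.compile(r"uid=(\d+) from=<([^>]*)>")
HOLD = re.compile(r"hold: header (.*?) from \S+; from=<")
BOUNCED = re.compile(r"status=bounced \(.*?said: (.*?) \(in reply to")
QUEUED = re.compile(r"status=sent \(250 2\.0\.0 Ok: queued as ([0-9A-F]+)\)")

def audit(log, relay="localhost[::1]:2525"):
    """Return {pickup queue id: {uid, sender, outcome, detail}}."""
    submitted, holds = {}, {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        daemon = svc.rsplit("/", 1)[-1]          # ignore the syslog_name prefix
        if daemon == "pickup" and (p := PICKUP.search(rest)):
            submitted[qid] = {"uid": int(p[1]), "sender": p[2],
                              "outcome": "unknown", "detail": ""}
        elif daemon == "cleanup" and (h := HOLD.search(rest)):
            holds[qid] = h[1]                    # keyed by the filter-side queue ID
        elif daemon == "smtp" and qid in submitted and f"relay={relay}," in rest:
            if b := BOUNCED.search(rest):
                submitted[qid].update(outcome="rejected", detail=b[1])
            elif q := QUEUED.search(rest):
                submitted[qid].update(outcome="accepted", detail=q[1])
    # The hold is logged before "queued as", so link the two IDs in a second pass.
    for rec in submitted.values():
        if rec["outcome"] == "accepted" and rec["detail"] in holds:
            rec.update(outcome="held", detail=holds[rec["detail"]])
    return submitted
```

Submissions left as "unknown" never reached the filter relay, which is worth alerting on because it means the pickup content_filter override is not in effect.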