Re: Authenticating 'From' header to match envelope

2018-10-03 Thread Tobi
> when in Thunderbird someone uses the "Custom From Address" feature, it
> doesn't change the envelope sender, but only the actual "From" header
> field

are you sure? I just tested with my TB (60.0) under Linux (Fedora 28)
and found that both (envelope from and from header) are changed to the
value I defined in "custom from address"

Btw: at least the Thunderbird question should go to a Thunderbird
mailing list. Not really a postfix issue here :-)

Cheers

tobi

On 03.10.18 at 17:33, Stefan Bauer wrote:
> Johannes,
> 
> did you double check if your planned setup will not break other things?
> 
> Have similar needs but am not yet deep enough into mail to see possible
> pitfalls.
> 
> Stefan
> 
> On Tuesday, 2 October 2018, Johannes Bauer wrote:
>> Hi list,
>>
>> I'm having an issue with my Postfix configuration: Currently I've it set
>> up so that one authentication SASL login (e.g., m...@foo.com) supports
>> multiple virtual email addresses (e.g., m...@foo.com but also
>> f...@foo.com, b...@foo.com).
>>
>> Once authenticated with m...@foo.com, the envelope sender ("MAIL FROM")
>> is restricted to only the permissible variants.
>>
>> However, as I've now painfully found out, when in Thunderbird someone
>> uses the "Custom From Address" feature, it doesn't change the envelope
>> sender, but only the actual "From" header field. This means, I have the
>> following situation:
>>
>> Auth: m...@foo.com
>> Envelope from: m...@foo.com
>> Header 'From': anyth...@goes.com
>>
>> One of my customers used a gmail address in the header "From", sent an
>> email to @hotmail.com and now my mailserver is permablocked at Microsoft
>> for bad reputation.
>>
>> How can I ensure in the future that the same checks are applied to the
>> Header "From" field that are also applied to the envelope "From" field?
>>
>> Thanks,
>> Johannes
>>


Re: Authenticating 'From' header to match envelope

2018-10-03 Thread Stefan Bauer
Johannes,

did you double check if your planned setup will not break other things?

Have similar needs but am not yet deep enough into mail to see possible
pitfalls.

Stefan

On Tuesday, 2 October 2018, Johannes Bauer wrote:
> Hi list,
>
> I'm having an issue with my Postfix configuration: Currently I've it set
> up so that one authentication SASL login (e.g., m...@foo.com) supports
> multiple virtual email addresses (e.g., m...@foo.com but also
> f...@foo.com, b...@foo.com).
>
> Once authenticated with m...@foo.com, the envelope sender ("MAIL FROM")
> is restricted to only the permissible variants.
>
> However, as I've now painfully found out, when in Thunderbird someone
> uses the "Custom From Address" feature, it doesn't change the envelope
> sender, but only the actual "From" header field. This means, I have the
> following situation:
>
> Auth: m...@foo.com
> Envelope from: m...@foo.com
> Header 'From': anyth...@goes.com
>
> One of my customers used a gmail address in the header "From", sent an
> email to @hotmail.com and now my mailserver is permablocked at Microsoft
> for bad reputation.
>
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?
>
> Thanks,
> Johannes
>


Re: Authenticating 'From' header to match envelope

2018-10-02 Thread Ralph Seichter
On 02.10.2018 12:48, Johannes Bauer wrote:

> Once authenticated with m...@foo.com, the envelope sender ("MAIL
> FROM") is restricted to only the permissible variants. [...]
>
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Educating the customers would be my first step. Then, you could use
milter-regex (http://www.benzedrine.ch/milter-regex.html) or similar in
your authenticated submission process:

  # /etc/submission-milter-regex.conf
  reject "No impersonations please"
  envfrom /@gmail.com>/i

  reject "Missing 'From' header or domain mismatch"
  not ( envfrom /@foo.com>/i and header /^From$/i /@foo.com/i )

I cannot test this right now, but it should work. Note that users can
evade check #2 by using headers like

  From: "t...@foo.com" 

but that would be malice, and reason to kick your customer's backside.

-Ralph


Re: Authenticating 'From' header to match envelope

2018-10-02 Thread Wietse Venema
Johannes Bauer:
> How can I ensure in the future that the same checks are applied to the
> Header "From" field that are also applied to the envelope "From" field?

Use an external content filter. BTW this email will be delivered
with Envelope from = owner-postfix-us...@postfix.org, and from
Header 'From' = my email address. Just so you know.

Wietse
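
Added example, not part of any post in this thread and not code from Postfix or milter-regex: the decision logic an external content filter or milter on the authenticated submission path could apply, comparing the parsed address of the 'From' header (not its display name) against the addresses the SASL login owns. The `ALLOWED` table, the `check_from` name and all addresses are constructed assumptions; wiring it into Postfix is outside the block.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed table (assumption): SASL login -> addresses it may send as,
# the same relation that restricts the envelope sender.
ALLOWED = {
    "me@foo.example": {"me@foo.example", "sales@foo.example"},
}

def check_from(sasl_login, envelope_from, raw_message):
    """Return (ok, reason) for one message on authenticated submission."""
    allowed = ALLOWED.get(sasl_login.lower(), set())
    if envelope_from.lower() not in allowed:
        return False, "envelope sender not owned by login"
    headers = message_from_string(raw_message).get_all("From", [])
    if len(headers) != 1:
        return False, "need exactly one From header"
    # getaddresses() splits display name from address, so an allowed
    # address placed only in the display name does not pass.
    addrs = [addr.lower() for _name, addr in getaddresses(headers)]
    if len(addrs) != 1 or not addrs[0]:
        return False, "From must hold exactly one address"
    if addrs[0] not in allowed:
        return False, "header From not owned by login"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "From: sales@foo.example",
        "From: anything@gmail.example",
        'From: "me@foo.example" <someone@gmail.example>',
        "From: me@foo.example, someone@gmail.example",
    ]
    for header in samples:
        raw = header + "\nSubject: test\n\nbody\n"
        print(header, "->", check_from("me@foo.example", "me@foo.example", raw))
```

This applies only to mail accepted from authenticated clients; relayed mail such as list traffic legitimately carries a header 'From' that differs from the envelope sender.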