On Monday, 01 March, 2021 19:11 CET, Imre Jonk <imre(a)imrejonk.nl> wrote:
On Fri, 2021-02-26 at 21:32 +0100, Maciej Delmanowski wrote:
> I think that you missed a crucial function of this lookup though - it
> forces the mail clients to authenticate with the e-mail addresses
> they own in the directory. It's essentially an anti-spoofing measure,
> so that some user on your domain is not able to send an e-mail with
>
> From: Imre Jonk <imre(a)ciphermail.com>
>
> set as the mail header. Better check if that's possible with another
> account ASAP.

I did test this, and if I remember correctly, this evil plan is foiled
by the ldap_smtpd_sender_login_maps restriction. I'll test it again
tomorrow though :)

The ldap_smtpd_sender_login_maps restriction indeed catches this. Here's the error
message I get from Postfix when trying to send mail from martijn(a)ciphermail.com with user
'imre':

    RCPT TO <someone(a)example.com> failed: <martijn(a)ciphermail.com>: Sender address
    rejected: not owned by user imre
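
The ownership check discussed in this thread, as an added example that is not part of the original messages or of the project's own code: a simplified Python model of how Postfix's reject_sender_login_mismatch restriction decides using smtpd_sender_login_maps. The lookup table, the example.org addresses and the function names are constructed assumptions; the model does exact-address lookups only, and the address it checks is the SMTP envelope sender (MAIL FROM).

```python
import re

# Constructed sample data standing in for the LDAP-backed
# smtpd_sender_login_maps lookup: envelope sender -> owning SASL logins.
SENDER_LOGIN_MAP = {
    "imre@example.org": "imre",
    "martijn@example.org": "martijn",
    "support@example.org": "imre, martijn",  # shared address, two owners
}


def owners_of(sender, table=SENDER_LOGIN_MAP):
    """Return the set of logins that own `sender` (empty if unlisted)."""
    value = table.get(sender.lower(), "")
    return {name.lower() for name in re.split(r"[,\s]+", value) if name}


def check_sender(sender, sasl_username, table=SENDER_LOGIN_MAP):
    """Model of reject_sender_login_mismatch for one MAIL FROM address.

    sasl_username is None for a client that did not authenticate.
    Returns ("REJECT", text) or ("DUNNO", "") to fall through to the
    next restriction.
    """
    owners = owners_of(sender, table)
    if sasl_username is None:
        # Unauthenticated client claiming an address that has an owner.
        if owners:
            return ("REJECT",
                    f"<{sender}>: Sender address rejected: not logged in")
        return ("DUNNO", "")
    # Authenticated client: the login must be one of the listed owners.
    if sasl_username.lower() in owners:
        return ("DUNNO", "")
    return ("REJECT",
            f"<{sender}>: Sender address rejected: "
            f"not owned by user {sasl_username}")


if __name__ == "__main__":
    for sender, login in [("martijn@example.org", "imre"),
                          ("imre@example.org", "imre"),
                          ("support@example.org", "martijn"),
                          ("imre@example.org", None)]:
        print(sender, login, check_sender(sender, login))
```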