Check authenticated user/identity before sending

I am not sure if that solution would solve my particular problem. I will look into it a bit more. It would solve the problem at hand but for my purposes it will probably cause new ones.

The problem is that my users have multiple mail addresses which they need to receive and send messages. So one user can have multiple addresses that they send from. As of now, they can send as all users.

Sidenote: I am open for discussion to sponsor such a feature. If there is a way to support the project in that way and fast-forward a feature I need then I am very open to it.

1 Like

Thanks for your willingness, we don’t have a clear path for that.
We can try again with BountySource.

Other communities are used to set up a sort of marketplace category. Not just for development purposes but also in order to set up a new NethServer installation and support it

Thanks for the reply. I was trying bountysource. But I didn’t figure out how to open an issue and set a bounty. Seems to be complicated or well, lack of intelligence on my part. If you could open the issue regarding my mail problem I could set a bounty.

If you are willing to research the problem, come up with a solution and test the code, I will sponsor the feature.
The main issue here is how to “map” user accounts to email addresses.
Describe how you would like to have it, please.

Hi,

I would like to configure Nethserver NG 7.x to allow sending mail only if the sender ("From: ") is the same as the authenticated user or he/she has some allowed identities.

I tried with this article:

https://superuser.com/questions/1037395/how-can-i-prevent-that-an-user-sends-mail-like-another-user-on-postfix

which seems to do what I want, but I can’t make it work.

The identities may be different from the user’s email domain.

Example:

My account in the server is saitobenkei@domain.tld and I want to be allowed to send mails from my account only if in the "From: " field I put saitobenkei@domain.tld (my e-mail address) or some identities as pippo@domain.tld, saitobenkei@anotherdomain.tld, othermail@newdomain.tld (these are the only identities that I allowed to use with my account).

Some clue/help?

Thank you.

I managed to have a working implementation, but it is just for fun :slight_smile:
Creating a simple panel to configure this behavior would be complex.

Before proceeding, you need to understand how it works, otherwise some users will not be able to send any mail. Take a look at: https://blog.felipe-alfaro.com/2006/02/19/block-sender-address-spoofing-with-smpt-auth/
So, let’s start.

Configuration

1. Create a template-custom

Execute:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/master.cf

Content of /etc/e-smith/templates-custom/etc/postfix/master.cf/40restrictions:

{
    push @submission_smtpd_options, 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch';
    push @submission_smtpd_options, 'smtpd_sender_login_maps=hash:/etc/postfix/smtpd_sender_login_maps';

    '';
}

2. Create a map between users and allowed addresses

Content of /etc/postfix/smtpd_sender_login_maps:

u1@local.neth.eu u1
@local.neth.eu u2

3. Apply the configuration

Execute:

postmap /etc/postfix/smtpd_sender_login_maps

signal-event nethserver-mail-server-update

Testing

You can test it with curl.

This should be allowed:

curl -k -n --ssl-reqd --url "smtps://localhost:465" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u2:Nethesis,1234 -v

This should be denied:

curl -k -n --ssl-reqd --url "smtps://localhost:465" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u1:Nethesis,1234 -v
5 Likes
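
The lookup that reject_authenticated_sender_login_mismatch performs against smtpd_sender_login_maps, modelled in Python as an added example (not part of the original post and not Postfix code). It follows the lookup order documented for smtpd_sender_login_maps; IDENTITY_MAP and the login name "saitobenkei" are constructed from the addresses given earlier in the thread, and address extensions are not modelled.

```python
import re

# Map from the post above, in the text form that postmap compiles.
PAGE_MAP = """\
u1@local.neth.eu u1
@local.neth.eu u2
"""

# Constructed sample: the identities requested earlier in the thread, assuming
# the SASL login name is "saitobenkei" (an assumption, not stated on the page).
IDENTITY_MAP = """\
saitobenkei@domain.tld          saitobenkei
pippo@domain.tld                saitobenkei
saitobenkei@anotherdomain.tld   saitobenkei
othermail@newdomain.tld         saitobenkei
"""

def parse_login_map(text):
    """Parse 'address  login[, login ...]' lines; continuation lines are not modelled."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: key without owner list")
        table[parts[0].lower()] = [o for o in re.split(r"[,\s]+", parts[1]) if o]
    return table

def owners_of(table, sender, local_domains=()):
    """Documented lookup order: user@domain, user (local domains only), @domain."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    keys = [sender] + ([local] if domain in local_domains else []) + ["@" + domain]
    for key in keys:
        if key in table:
            return table[key]
    return None

def check_sender(table, sasl_login, mail_from, local_domains=()):
    """Decision for an authenticated client: OK only if the login owns MAIL FROM."""
    owners = owners_of(table, mail_from, local_domains)
    if owners is None:
        return "REJECT"  # no entry at all: an authenticated client owns nothing
    logins = {o.lower() for o in owners}  # this model compares case-insensitively
    return "OK" if sasl_login.lower() in logins else "REJECT"
```

With the map from the post, u2 is rejected for u1@local.neth.eu: the exact-address entry is found first, so the @local.neth.eu entry never applies to that address.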

@giacomo

Also in this case Webtop 5 doesn’t care about the configuration and it sends mail with any identity that is configured in the account.

It seems it isn’t a port 587 “fault” because SMTP on Thunderbird, configured to use port 587, works correctly as expected.

I confirm that the port 587 honors the configuration, you can check it with:

curl -k -n --ssl-reqd --url "smtp://localhost:587" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u1:Nethesis,1234 -v

This is a completely different topic, each client can use its own configuration to set the “mail from” field (which could be completely different than “From:” header inside the message).

Webtop 5 seems to not honour configurations made here:

Thank you for pointing out this issue: it can be a validation point for the final implementation. i.e.:

“Can WT5 honor the sender address policy?”

How WT5 can implement it depends also on how NS implements it. We must see where this Feature request can lead us.

Just to make it clear, @saitobenkei do you want to force the envelope sender to be the same as the header one? See this link for an explanation

Please, also bear in mind that web applications installed on the mail server usually don’t use any authentication for sending mail, so no forced check can be done unless clients can be explicitly configured to act differently.

I would like all applications (especially those that are a standard in the distribution) to work in a coherent manner…

If I need to set up that the account you send is the same as the one with which I authenticate myself, it must work with any software provided in the distribution.

(Same applies to blocking user-level mail/groupware access from untrusted networks).

1 Like

I’d rather say “it should work”: some software could not allow to implement this feature by now.

if there’s the rspamd module installed, the last command should be:

signal-event nethserver-mail2-server-update

1 Like

no nethserver-mail should have the same event nethserver-mail-server-save

In my

/etc/e-smith/events/nethserver-mail-server-update

there’s only the directory structure, no files with code

=====

[root@mail nethserver-mail-server-update]# ls -lR
.:
total 0
drwxr-xr-x 2 root root  6 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:01 templates2expand

./services2adjust:
total 0

./templates2expand:
total 0
drwxr-xr-x 8 root root 90 Mar 19 11:04 etc
drwxr-xr-x 3 root root 17 Mar 19 11:01 var

./templates2expand/etc:
total 0
drwxr-xr-x 2 root root  6 Mar 19 11:04 amavisd
drwxr-xr-x 2 root root  6 Mar 19 11:04 dovecot
drwxr-xr-x 2 root root  6 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root 21 Mar 19 11:01 pki
drwxr-xr-x 2 root root  6 Mar 19 11:04 postfix
drwxr-xr-x 3 root root 20 Mar 19 11:01 systemd

./templates2expand/etc/amavisd:
total 0

./templates2expand/etc/dovecot:
total 0

./templates2expand/etc/pam.d:
total 0

./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:01 dovecot

./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 certs
drwxr-xr-x 2 root root 6 Mar 19 11:04 private

./templates2expand/etc/pki/dovecot/certs:
total 0

./templates2expand/etc/pki/dovecot/private:
total 0

./templates2expand/etc/postfix:
total 0

./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:01 system

./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 dovecot.service.d

./templates2expand/etc/systemd/system/dovecot.service.d:
total 0

./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:01 lib

./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:01 nethserver

./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 sieve-scripts

./templates2expand/var/lib/nethserver/sieve-scripts:
total 0

=====

[root@mail nethserver-mail2-server-update]# ls -lR
.:
total 0
lrwxrwxrwx 1 root root 39 Mar 19 11:04 S00initialize-default-databases -> ../actions/initialize-default-databases
lrwxrwxrwx 1 root root 48 Mar 19 11:04 S01nethserver-mail-default-domain-create -> ../actions/nethserver-mail-default-domain-create
lrwxrwxrwx 1 root root 41 Mar 19 11:04 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 46 Mar 19 11:04 S40nethserver-mail-create-opendkim-key -> ../actions/nethserver-mail-create-opendkim-key
lrwxrwxrwx 1 root root 38 Mar 19 11:04 S50nethserver-sssd-initkeytabs -> ../actions/nethserver-sssd-initkeytabs
lrwxrwxrwx 1 root root 51 Mar 19 11:04 S95nethserver-mail-server-init-system-users -> ../actions/nethserver-mail-server-init-system-users
lrwxrwxrwx 1 root root 42 Mar 19 11:04 S98nethserver-mail-server-init-acl -> ../actions/nethserver-mail-server-init-acl
drwxr-xr-x 2 root root 82 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:04 templates2expand

./services2adjust:
total 20
-rw-r--r-- 1 root root 8 Mar  8 18:03 dnsmasq
-rw-r--r-- 1 root root 8 Mar  8 18:03 dovecot
-rw-r--r-- 1 root root 8 Mar  8 18:03 opendkim
-rw-r--r-- 1 root root 8 Mar  8 18:03 postfix
-rw-r--r-- 1 root root 8 Mar  8 18:03 rsyslog

./templates2expand:
total 0
drwxr-xr-x 8 root root 145 Mar 19 11:04 etc
drwxr-xr-x 3 root root  17 Mar 19 11:04 var

./templates2expand/etc:
total 0
-rw-r--r-- 1 root root   0 Mar  8 18:03 dnsmasq.conf
drwxr-xr-x 2 root root  85 Mar 19 11:04 dovecot
-rw-r--r-- 1 root root   0 Mar  8 18:03 hosts
drwxr-xr-x 2 root root  62 Mar 19 11:04 opendkim
-rw-r--r-- 1 root root   0 Mar  8 18:03 opendkim.conf
drwxr-xr-x 2 root root  28 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root  21 Mar 19 11:04 pki
drwxr-xr-x 2 root root 114 Mar 22 09:46 postfix
drwxr-xr-x 3 root root  20 Mar 19 11:04 systemd

./templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar  8 18:03 master-users
-rw-r--r-- 1 root root 0 Mar  8 18:03 quota.passwd

./templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 TrustedHosts

./templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot-master

./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:04 dovecot

./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 certs
drwxr-xr-x 2 root root 25 Mar 19 11:04 private

./templates2expand/etc/pki/dovecot/certs:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.pem

./templates2expand/etc/pki/dovecot/private:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.pem

./templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar  8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 master.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar  8 18:03 transport
-rw-r--r-- 1 root root 0 Mar  8 18:03 virtual

./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:04 system

./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 dovecot.service.d

./templates2expand/etc/systemd/system/dovecot.service.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 limits.conf

./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:04 lib

./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:04 nethserver

./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 19 11:04 sieve-scripts

./templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 before.sieve

do not make a mistake, I spoke about nethserver-mail-server-save

[root@ns7dev6 ~]# ll -R /etc/e-smith/events/nethserver-mail-server-save/
/etc/e-smith/events/nethserver-mail-server-save/:
total 0
lrwxrwxrwx 1 root root 41 Mar 18 11:15 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 39 Mar 18 11:15 S95nethserver-mail-quota-recalc -> ../actions/nethserver-mail-quota-recalc
drwxr-xr-x 2 root root 36 Mar 18 11:15 services2adjust
drwxr-xr-x 4 root root 28 Mar 18 11:15 templates2expand

/etc/e-smith/events/nethserver-mail-server-save/services2adjust:
total 8
-rw-r--r-- 1 root root 7 Mar  8 18:03 dovecot
-rw-r--r-- 1 root root 7 Mar  8 18:03 postfix

/etc/e-smith/events/nethserver-mail-server-save/templates2expand:
total 0
drwxr-xr-x 6 root root 86 Mar 18 11:15 etc
drwxr-xr-x 3 root root 17 Mar 18 11:15 var

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc:
total 0
drwxr-xr-x 2 root root 65 Mar 18 11:15 dovecot
drwxr-xr-x 2 root root 62 Mar 18 11:15 opendkim
-rw-r--r-- 1 root root  0 Mar  8 18:03 opendkim.conf
drwxr-xr-x 2 root root 28 Mar 18 11:15 pam.d
drwxr-xr-x 2 root root 97 Mar 18 11:15 postfix

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar  8 18:03 quota.passwd

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 TrustedHosts

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot-master

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar  8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar  8 18:03 transport
-rw-r--r-- 1 root root 0 Mar  8 18:03 virtual

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 18 11:15 lib

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 18 11:15 nethserver

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 18 11:15 sieve-scripts

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 before.sieve

I made a mistake

yes you can use

signal-event nethserver-mail2-server-update

or

nethserver-mail-server-save


1 Like

I’ve replied to the command that @giacomo wrote in his post.

signal-event nethserver-mail-server-update

That command doesn’t work for me with rspamd module installed, so I’ve found why.

2 Likes

Too many commands :slight_smile: