Enable SMTP Login/Sender address validation

postfix

(Davide Principi) #1

Thanks to @stephdl it is now possible to Check authenticated user/identity before sending ¹: the current SMTP/AUTH login name must be authorized to use a sender address.

Imagine that we have the user joe and the account domain example.com. The following rules apply:

  • User joe can write as joe@example.com
  • If joe is listed as recipient in the email alias sales@example.com he can also send messages as sales@example.com
  • Similarly, if joe is recipient for email alias joe.brown@aliasdomain.com he can set that address as sender
  • Any other sender address is forbidden for user joe. Hence shared mailbox permissions do not affect sender address authorization

To enforce the rules above, enable the e-smith SenderValidation prop in the postfix key ²:

# config setprop postfix SenderValidation enabled
# signal-event nethserver-mail-server-update

To enable authenticated submission on WebTop, execute the commands documented here: http://docs.nethserver.org/en/v7/webtop5.html#smtp-setting

DISCLAIMER :warning: as the rule list could be subject to changes, please consider this #howto as alpha!

See also

  1. Check authenticated user/identity before sending
  2. https://github.com/NethServer/nethserver-mail/blob/master/README.rst#sender-address-validation
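
The four rules from the post above, modelled as a default-deny lookup table. This is an added example, not NethServer's or Postfix's own code: the user ann, the alias info@example.com, the mailbox ACL entry and all function names are constructed for illustration, and treating `joe` and `joe@example.com` as the same login is an assumption.

```python
# Added model of the sender-address rules; all names and data are constructed.
ACCOUNT_DOMAIN = "example.com"
USERS = ["joe", "ann"]

# Email alias -> recipient logins (constructed sample data).
ALIASES = {
    "sales@example.com": ["joe", "ann"],
    "joe.brown@aliasdomain.com": ["joe"],
    "info@example.com": ["ann"],
}

# Shared-mailbox permissions (constructed). Deliberately never consulted:
# per the rules, mailbox ACLs do not grant the right to use a sender address.
MAILBOX_ACL = {"joe": ["ann"]}  # ann may read joe's mailbox


def build_sender_table(users, aliases, domain):
    """Map each sender address to the set of logins allowed to use it."""
    table = {}
    for user in users:
        table.setdefault(f"{user}@{domain}".lower(), set()).add(user)
    for alias, recipients in aliases.items():
        table.setdefault(alias.lower(), set()).update(recipients)
    return table


def normalize_login(login, domain):
    """Assumption: 'joe' and 'joe@<account domain>' are the same login."""
    local, _, dom = login.lower().partition("@")
    return local if dom in ("", domain) else login.lower()


def sender_allowed(login, sender, table, domain=ACCOUNT_DOMAIN):
    """Default deny: allow only if the login is listed for that sender."""
    allowed = table.get(sender.strip().lower(), set())
    return normalize_login(login, domain) in allowed


SENDER_TABLE = build_sender_table(USERS, ALIASES, ACCOUNT_DOMAIN)

if __name__ == "__main__":
    for login, sender in [("joe", "joe@example.com"), ("joe", "sales@example.com"),
                          ("joe", "info@example.com"), ("ann", "joe@example.com")]:
        verdict = "OK" if sender_allowed(login, sender, SENDER_TABLE) else "REJECT"
        print(f"{login:4} as {sender:22} -> {verdict}")
```

The last sample pair is the shared-mailbox case: ann can read joe's mailbox but is still rejected as joe@example.com.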

(Michael Kicks) #2

Questions…

  • can aliases also be looked for from distribution lists or groups?
  • is this setting server-related or user-related?

(Davide Principi) #3

Yes, as said in the 2nd point: If joe is listed as recipient in the email alias…

About groups: apart from IMAP ACLs, they are not related to the mail server configuration

The setting is a system-wide configuration switch: once enabled it affects all the users. It could be possible to implement individual user policies with a template-custom.


(Michael Kicks) #4

In my mind, a useful user-related option could be the override of the address validation.
A sysadmin could configure any MFP with only one SMTP account but multiple senders and recipients for SMTP-delivered scans.

I also guess that this could become quite a nightmare to implement.