Postfix - only allow to send mail as logged in user - postfix-mta

By default, Postfix allows sending as another user when logged in, even non-existent ones.
To reproduce:
I have postfix running with STARTTLS and authentication enabled.
Connect to the MTA with openssl s_client -starttls smtp -connect server.com:587 -crlf
Authenticate using credentials in BASE64, receiving 235 2.7.0 Authentication successful
Now, I am allowed to set MAIL FROM:<somebody@server.com> and send the mail to a domain, such as server.com itself. Meaning users can spoof themselves as other users.
Is this expected behavior? I'm aware that DKIM and SPF should block mails from another domain, but one can still only fake their username.
How can I configure Postfix to allow only to send a mail as the user logged in?

I found it, configure these settings in either the main.cf or master.cf to make it work:
smtpd_recipient_restrictions = reject_sender_login_mismatch,permit_sasl_authenticated
Description taken from the dev site.
"Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.
The default is to permit everything."
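
A configuration check for the setting discussed above, as an added example that is not part of the original answer or of Postfix: it reads `postconf -n` style output and reports whether a sender/login mismatch restriction is reachable and whether `smtpd_sender_login_maps`, the table Postfix consults to decide which login owns a MAIL FROM address, is set. The sample configurations and the map path are constructed, and only the three restriction lists named in the code are inspected.

```python
import re

# Restrictions that reject a SASL login that does not own the MAIL FROM address.
MISMATCH = {"reject_sender_login_mismatch", "reject_authenticated_sender_login_mismatch"}
# Assumption: only these lists are inspected; master.cf "-o" overrides are not.
LISTS = ("smtpd_sender_restrictions", "smtpd_relay_restrictions",
         "smtpd_recipient_restrictions")

def parse_postconf(text):
    """Parse 'name = value' lines, one parameter per line, into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_sender_ownership(text):
    """Return findings; an empty list means the ownership check is in force."""
    params = parse_postconf(text)
    findings = []
    if not params.get("smtpd_sender_login_maps"):
        findings.append("smtpd_sender_login_maps is not set")
    enforced = False
    for name in LISTS:
        # Restrictions are separated by commas and/or whitespace.
        items = [i for i in re.split(r"[,\s]+", params.get(name, "")) if i]
        for pos, item in enumerate(items):
            if item in MISMATCH and "permit_sasl_authenticated" in items[:pos]:
                # First match wins inside one list, so the reject is never reached.
                findings.append(f"{name}: permit_sasl_authenticated precedes {item}")
            elif item in MISMATCH:
                enforced = True
    if not enforced:
        findings.append("no reachable sender/login mismatch restriction")
    return findings

# Constructed samples; the map path is a placeholder, not from the page.
RESTRICTION_ONLY = ("smtpd_recipient_restrictions = "
                    "reject_sender_login_mismatch,permit_sasl_authenticated\n")
HARDENED = ("smtpd_sender_login_maps = hash:/etc/postfix/sender_login\n"
            + RESTRICTION_ONLY)
MISORDERED = ("smtpd_sender_login_maps = hash:/etc/postfix/sender_login\n"
              "smtpd_recipient_restrictions = "
              "permit_sasl_authenticated, reject_sender_login_mismatch\n")

if __name__ == "__main__":
    for conf in (RESTRICTION_ONLY, HARDENED, MISORDERED):
        print(audit_sender_ownership(conf) or "OK")
```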

Related

phpmailer SMTP with STARTTLS encryption

would anyone know if it is possible to run phpmailer with STARTTLS encryption?
The story: an online order form that sends the output to both the site visitor and site owner. The goal is that the visitor receives an email from orders@ownerdomain.com, while the site owner receives an email from visitor@somedomain.com (the address that the visitor has filled in the online form).
I have the phpmailer running fine with my Gmail account, using TLS on port 587. I would, however, like to use mailbox provided along with the hosting (so that the from/replyTo looks professional, no freemail). Unfortunately, the hosting provider does not provide TLS - in their knowledgebase they only mention STARTTLS. I tried all combinations of SSL, TLS and STARTTLS for encryption and 465 and 587 for ports with no success.
Would anyone know if STARTTLS is somehow achievable, please?
My plan B was to use the Gmail SMTP credentials and then tinker with addReplyTo, setFrom and addAddress in the phpmailer SMTP settings. I tried but if I use...
$mail->addReplyTo($_POST['customeremail'], $_POST['customername']);
...the from email address the site owner receives is that of my Google email - I understand this may be some Google email spoofing protection, which just doesn't allow the SMTP to send an email with the From address taken from the form. - please see the attached Thunderbird screen (image: imgur.com/a/1f6vY).
Can this be possibly overridden?
I mean, with that plan B solution, I can grant Google access to send emails on behalf of orders@ownerdomain.com, that's all fine, it will then mimic the professional domain address. But I cannot do the same for the visitor address (taken from the form), that makes sense, right?
Thanks a bunch in advance...
Yes, PHPMailer does TLS encryption by default. Look at the SMTPSecure property for more details.
Gmail does indeed prevent you from setting arbitrary from addresses, though you can pre-set aliases in your account. This is mentioned in the PHPMailer docs and has been covered many times on here.

Simple account control system

My program is a TCP socket server, which should be managed over a network by a command-answer system. The command(request)-answer system is not a problem: a client sends a packet, a server receives it and generates a response. Packets are just sequences of bytes.
The issue is that I have to create a simple account system. My server should store and manage two account types: "administrator" and "simple user". Therefore I should have these things: registration, authentication and password storage systems. How can this be simply done in Qt5? For example, I simply can send user names and passwords (or password hashes) over a network, but how can an administrator account be initially created on the server in a normal way? I don't have strict security requirements, but I want to create a normal system that would make sense.
Simplest way: administrator credentials should be predefined via some config file on server side. As additional protection you may force the user to change the password on first log in. Another way: a lot of CMSs provide full access + installation steps to the first logged-in user.
Use QSslSocket to get a secured communication layer (http://doc.qt.io/qt-5/qsslsocket.html), since you will exchange passwords on top of this administration link.
There is an example here of the client part of the code, with Qt5: http://doc.qt.io/qt-5/qtnetwork-securesocketclient-example.html
On the server side, accept the socket on a predefined unused port, dedicated to your service.
Now, you can simply decide on a login with a random secret password, that will correspond to the administrator account, and create a program to send this password on top of a secured channel based on QSslSocket. Your server has to check the password before accepting remote management.
So, as you can see, the administrator must be created prior to using the service. You can use a private mail exchange, based on some cryptographic means (OpenPGP, S/MIME, etc.), to supply the administrator with its password.

How to send mail from non existing mail mailsender spring?

How to send a mail from non existing mail? Example: no-reply@mydomain.com using Spring Mail Sender Configuration. The mail doesn't exist, so that a reply to the email address should fail.
Solution with java mail also preferred.
I tried with this too. It is not working with spring framework.
(Unknown Sender) when sending email with pdf attachment created in iText from java application
no-reply@mydomain.com
If you're not using SMTP authentication then it doesn't matter whether the email exists or not.
You can send email from addresses that don't exist without using SMTP authentication but that's usually a bad practice because such emails are usually evaluated as spam by most of the spam filters.
See this answer for more details.
Hence it's best practice to send email using SMTP authentication. But when sending email that way you should have all credentials like email, password, outgoing server, port etc... and so you'll need an email that does exist.

How do I send SMTP mail from a Azure website?

I'm using the smtpclient class to send email from my asp.net website hosted on Azure in the 'shared' setup. Everywhere it says that port 25, and ALL ports are open on the Azure servers. My code works from my own PC, but when published on Azure, it breaks. I am using gmail port 587 secure SMTP and I get the error System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.
Any ways to get around this? (Without installing a vm with Exchange on it, like come on, it's a simple email message).
You are getting that error because of these two possible reasons:
You are using the SMTPClient of Gmail and you are passing the EmailId of some other website like Yahoo/Hotmail etc.
EmailId you are using is not authenticated, you need to provide your mobile number to authenticate your Email Id.
If you are using Yahoo/Hotmail then you can refer to this article which I had created on http://www.c-sharpcorner.com/
http://www.c-sharpcorner.com/UploadFile/cd7c2e/send-bulk-email-from-yahoo-and-hotmail-using-Asp-Net/

IIS sending mail

I have successfully set up my ASP app to drop the email to a maildrop box designated by the IIS. I can see the email in the folder which I have specified. This is what I have specified in my IIS management settings:
E-mail address: administrator@aspdotnet-suresh.com
Store e-mail in pickup directory: C:\temp\maildrop
Will this send an email to my account specified in the app? This is a password reset system and the email document inside the folder has the correct to and from address but I don't know how to install the actual SMTP server and not sure if the IIS Manager will make it happen by dropping it in this folder?
Sorry, I am new to this stuff
If you want the email delivered, you want to use an SMTP relay [of some sort]. Placing it in the maildrop assumes that there is some other protocol which is going to be used to retrieve it from that maildrop (i.e. POP3).
If you want to talk about how to configure IIS and SMTP, your question will probably get better results on www.serverfault.com.
