From ea36e73b8e68dad292c3ecd2bfb78a48cc47c918 Mon Sep 17 00:00:00 2001 From: link2xt Date: Wed, 24 Jan 2024 18:59:51 +0000 Subject: [PATCH] postfix: require that login matches envelope FROM Testing that envelope FROM matches From: header already happens in filtermail and tested with `test_reject_forged_from`. The most important part here is `reject_sender_login_mismatch` check documented in . --- cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 4 ++++ cmdeploy/src/cmdeploy/tests/online/test_1_basic.py | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2 index 14bdad5b..69375794 100644 --- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 +++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2 @@ -45,3 +45,7 @@ inet_protocols = all virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_mailbox_domains = {{ config.mail_domain }} + +mua_client_restrictions = permit_sasl_authenticated, reject +mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject +mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit diff --git a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py index 8db2180a..bbaa51a5 100644 --- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py +++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py @@ -42,6 +42,18 @@ def test_reject_forged_from(cmsetup, maildata, gencreds, lp, forgeaddr): assert "500" in str(e.value) +def test_authenticated_from(cmsetup, maildata): + """Test that envelope FROM must be the same as login.""" + user1, user2, user3 = cmsetup.gen_users(3) + + msg = maildata("encrypted.eml", from_addr=user2.addr, to_addr=user3.addr) + with pytest.raises(smtplib.SMTPException) as e: + user1.smtp.sendmail( + from_addr=user2.addr, to_addrs=[user3.addr], msg=msg.as_string() + ) + assert e.value.recipients[user3.addr][0] == 553 + + @pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"]) def test_reject_missing_dkim(cmsetup, maildata, from_addr): """Test that emails with missing or wrong DMARC, DKIM, and SPF entries are rejected."""