Hints for Postfix 2.6 or higher covering commonly mentioned problems and scenarios.

Enforcing From: header to match SASL login username

There are many situations where we have to make sure that the user trying to send e-mail is the rightful sender. In practice, this means that a user who logs in with a username via a SASL mechanism has to own the e-mail address she is trying to send as. To accomplish that, we first add an extra header to the mails being sent. This is done by putting into main.cf:

smtpd_sasl_authenticated_header=yes

This results in an additional header in mails sent by SASL-authenticated users:

(Authenticated sender: sasl_username)

Note: this header is NOT required, and it potentially exposes your existing usernames to the world, making them easier to brute-force or to spam. In this scenario, however, that is meaningless anyway, because the from address == the SASL username. Next, we want to make sure that if the user is trying to send mail as name.surname@domain.com, then he has to be authenticated as name.surname via SASL. For that, we have to put:

smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/login-maps.cf

In my case, I am authorising the SASL users against an LDAP directory, so login-maps.cf contains:

version = 3
server_host = localhost
search_base = dc=domain,dc=com
bind = yes
bind_dn = cn=user,dc=domain,dc=com
bind_pw = password
query_filter = (&(uid=%u)(objectClass=inetOrgPerson))
result_attribute = uid

What this map does is look up the SASL username in the LDAP directory (uid=%u, where %u is the local part of the address being looked up), searching objects of class inetOrgPerson. For success, the lookup must return:

username           name.surname@domain.com

where name.surname@domain.com is the e-mail address the user is trying to send as (from the From: header) and username is the SASL login name that owns it.