Docker-mailserver: Sender address rejected of alias address defined by regex

Created on 28 Mar 2020 · 6 Comments · Source: tomav/docker-mailserver

When I ([email protected]) try to send an email using my alias address ([email protected]), I get:

<[email protected]>: Sender address rejected: not owned by user [email protected]

What I have in postfix-regexp.cf:

/.*@jkozlovsky.cz/ [email protected]

Context

I cannot respond to people writing me while using the same address they wrote to. So it may seem like somebody else is responding.

Expected Behavior

I can send email as any user defined by the regex. It's also stated in the documentation of SPOOF_PROTECTION.

# Configures the handling of creating mails with forged sender addresses.
#
# empty => (not recommended, but default for backwards compatability reasons)
#           Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address.
#           See also https://en.wikipedia.org/wiki/Email_spoofing
# 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses.
#       Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=1

Actual Behavior

See upper description.

Possible Fix

I don't know.

Steps to Reproduce

  1. Create similar regex alias.
  2. Reload server
  3. Send an email as someone matching the alias while having SPOOF_PROTECTION=1

Your Environment

  • Mailserver version used: tvial/docker-mailserver:stable
  • Docker version used: Docker version 19.03.8, build afacb8b7f0
  • Environment settings relevant to the config: see upper description
  • Any relevant stack traces ("Full trace" preferred): none

Labels: bug, help wanted, needs triage, postfix / dovecot related, priority 3 [LOW], waiting for contributor action

All 6 comments

Since I’m also running into the same issue, is there any security advantage of enabling SPOOF_PROTECTION=1 for a generic wildcard ([email protected] is allowed to use .*@example.com)? As far as I understand, in this specific use-case, there’s nobody else who could abuse the missing spoof protection, so does it matter that I had to temporarily turn it off?

> Since I’m also running into the same issue, is there any security advantage of enabling SPOOF_PROTECTION=1 for a generic wildcard ([email protected] is allowed to use .*@example.com)? As far as I understand, in this specific use-case, there’s nobody else who could abuse the missing spoof protection, so does it matter that I had to temporarily turn it off?

This is a very good question, thank you.

The issue is that I have a bunch of other addresses, where each of them should be restricted from using any other. Only the last one is the administrator's mail address, which should be allowed to become anyone who wants.

See

/[email protected]/ [email protected]
/[email protected]/ [email protected]
/[email protected]/ [email protected]
/[email protected]/ [email protected]
/[email protected]/ [email protected]
/.*@jkozlovsky.cz/ [email protected]

Note that I'm having a new email address created for each service that uses my mail server. And I'd really like to forbid those service accounts to behave as if it was me, the person, instead of it, the service. That's because if somebody hacked the service and started sending spam messages from my mail server, I'd know which service was compromised and fix it.

This issue was closed due to one or more of the following reasons:

  1. Age
  2. Contributor inactivity
  3. The issue seems to be resolved

If you think this happened by accident, or feel like this issue was not actually resolved, please feel free to re-open it. If there is an issue you could resolve in the meantime, please open a PR based on the current master branch so we can review it.

This issue has not been resolved yet. The sender address is still rejected, will you please open this issue @aendeavor? I don't have rights to do so.

Of course.

Please note that this issue has become stale. Due to missing capacity, you will most likely need to resolve some parts of this issue alone.

@jirislav I found this thread: https://serverfault.com/questions/637726/sender-address-rejected-not-owned-by-user-in-postfix Maybe it can help you?

Furthermore, you can for total correctness of your regex escape the . with \. to use `.` literally (although I do not think this is a problem).
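
As an added illustration (not part of the thread, and not Postfix or docker-mailserver code), the sketch below models how an ordered regex table like the ones posted above answers a sender-ownership lookup, assuming such a table is what the sender check consults: the first matching line wins, and matching is case-insensitive and unanchored. All addresses are constructed, and Python's `re` stands in for Postfix's regex engine.

```python
import re

# Constructed table in the thread's "/pattern/ owner" layout; addresses are made up.
# The first two lines are anchored and escaped, the catch-all is written loosely.
TABLE = """\
/^shop@example\\.test$/  shop@example.test
/^wiki@example\\.test$/  wiki@example.test
/.*@example.test/        admin@example.test
"""

def parse(text):
    """Return [(compiled_pattern, [owner_logins])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE),
                      re.split(r"[,\s]+", m.group(2).strip())))
    return rules

def owners(rules, sender):
    """First matching pattern wins; later lines are never consulted."""
    for pattern, logins in rules:
        if pattern.search(sender):  # substring match unless the pattern is anchored
            return logins
    return []

def may_send(rules, login, sender):
    """Ownership check: the authenticated login must be listed for the sender."""
    return login.lower() in (o.lower() for o in owners(rules, sender))

RULES = parse(TABLE)

if __name__ == "__main__":
    for login, sender in [
        ("admin@example.test", "anything@example.test"),   # catch-all applies
        ("shop@example.test", "admin@example.test"),       # service cannot pose as admin
        ("admin@example.test", "shop@example.test"),       # earlier line shadows catch-all
        ("admin@example.test", "x@exampleXtest.invalid"),  # loose pattern over-matches
    ]:
        print(f"{login:20} as {sender:24} -> {may_send(RULES, login, sender)}")
```

On a running server, `postmap -q` with the address as the key and the `regexp:` table path shows what a given table actually returns for that address.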
