A forged sender address means that someone claims to be someone else. Let’s say that user1 has authenticated and the mail server trusts him. Nothing keeps user1 from impersonating someone else and sending email in his name.
Postfix provides a setting called smtpd_sender_login_maps to prevent the problem:
sudo postconf smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cfNow create a map file at /etc/postfix/mysql-email2email.cf that Postfix use to search for user's mail address:
user = mailserver
password = x893dNj4stkHy1MKQq0USWBaX4ZZdq
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'This sets the parameter both for the SMTP port (25) and the submission port (587). Defining these maps is not enough though. You also need to make Postfix act on this. Edit the /etc/postfix/master.cf again and in the submission section add the following option. Make sure the line is indented like all other options:
-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,rejectRestart Postfix:
systemctl restart postfixYou can now try to send email as a different user than you are logged in. Let’s us swaks again to send a spoofed email:
swaks --server localhost --from user2@example1.com --to user3example1.com --port 587 -tls --auth-user user1@example1.com --auth-password SecurePassYou will get the following error message:
~> MAIL FROM:user2@example1.com
<~ 250 2.1.0 Ok
~> RCPT TO:user3@example.com
<~* 553 5.7.1 user2@example1.com: Sender address rejected: not owned by user user1@example1.com