How to Prevent Email Sender Spoofing by Authenticated Users in Postfix

Recently, one of our clients’ email addresses was compromised and used to send spam emails as part of a phishing attack. The issue occurred because one particular mailbox was configured with a weak password, allowing an attacker to gain access to the account. After successfully authenticating to the mail server, the attacker used the compromised account to send spam emails while forging a different sender identity. For example, although the legitimate account was myuser@somedomain.com, the attacker authenticated using this account but sent emails with a forged From address such as fakeuser@phishingdomain.com to distribute phishing messages.

To defend against situations like this, it is important to implement multiple safeguards. In addition to educating staff to use strong but easy-to-remember passwords (so they do not write them down), administrators should configure rate limiting and enforce sender restrictions. These restrictions ensure that authenticated mailboxes can only send emails using their own authorized identities or From addresses. Although there may be legitimate exceptions to this rule, enforcing such policies significantly reduces the risk of compromised accounts being used to send phishing or spam emails.

In this guide, I will demonstrate how to implement sender restrictions in Postfix in an environment that uses PostfixAdmin for virtual mailbox management.

Let's get started then.

How to Configure

First open the configuration file /etc/postfix/main.cf using:

sudo nano /etc/postfix/main.cf

Locate the smtpd_sender_restrictions setting in your Postfix configuration. Add the following line above it, selecting the appropriate version based on your database:

MySQL/MariaDB

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-login-maps.cf

PostgreSQL

smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/pgsql-sender-login-maps.cf

This line tells Postfix where to look up which login names are allowed to use which sender addresses.

Then add the parameter reject_sender_login_mismatch at the beginning of the smtpd_sender_restrictions list.

This tells Postfix to reject any message whose envelope MAIL FROM address is not owned by the authenticated login name according to that map. Save and exit. Then create the file /etc/postfix/mysql-sender-login-maps.cf (or the pgsql equivalent named above if you use PostgreSQL) using the following command:

sudo nano /etc/postfix/mysql-sender-login-maps.cf

Copy and paste the following lines into the file (make sure to replace username, password, and database_name with actual values). Since this file holds a database password, make sure it is not world-readable.

    user = username
    password = password
    hosts = localhost
    dbname = database_name
    query = SELECT username FROM mailbox WHERE username='%s' AND active='1' UNION SELECT goto FROM alias WHERE address='%s' AND active='1'

Now restart Postfix using the command:

sudo systemctl restart postfix
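To see what the lookup above actually decides, here is an added Python simulation (not part of this guide, PostfixAdmin or Postfix) that runs the same UNION query against a constructed in-memory SQLite copy of the mailbox and alias tables and applies the reject_sender_login_mismatch rule for an authenticated client. It assumes full-address lookups only and the case-insensitive matching you would get from MySQL's default collation.

```python
import sqlite3

# Constructed sample of the two PostfixAdmin tables the map query reads;
# only the columns the query touches are included.
SCHEMA = """
CREATE TABLE mailbox (username TEXT, active INTEGER);
CREATE TABLE alias   (address TEXT, goto TEXT, active INTEGER);
INSERT INTO mailbox VALUES ('myuser@somedomain.com', 1);
INSERT INTO mailbox VALUES ('other@somedomain.com', 1);
INSERT INTO mailbox VALUES ('old@somedomain.com', 0);
INSERT INTO alias VALUES ('sales@somedomain.com',
                          'myuser@somedomain.com,other@somedomain.com', 1);
INSERT INTO alias VALUES ('old@somedomain.com', 'old@somedomain.com', 0);
"""

# The query from the map file, with Postfix's '%s' replaced by SQLite's '?'.
QUERY = """
SELECT username FROM mailbox WHERE username=? AND active='1'
UNION
SELECT goto FROM alias WHERE address=? AND active='1'
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def sender_owners(conn, sender):
    """Login names that own `sender`, as Postfix reads them from the map.
    Postfix splits a lookup result on commas/whitespace, so an alias whose
    goto is a list yields several owners. Lowercasing is an assumption that
    mimics MySQL's case-insensitive comparison (SQLite's '=' is case-sensitive)."""
    key = sender.lower()
    owners = set()
    for (value,) in conn.execute(QUERY, (key, key)):
        owners.update(v.lower() for v in value.replace(",", " ").split())
    return owners


def authenticated_sender_allowed(conn, login, sender):
    """reject_sender_login_mismatch for a SASL-authenticated client: the MAIL
    FROM address must be owned by the login name. A sender with no owner at
    all is rejected as well, which is what blocks fakeuser@phishingdomain.com."""
    return login.lower() in sender_owners(conn, sender)


if __name__ == "__main__":
    db = open_db()
    for login, sender in [("myuser@somedomain.com", "myuser@somedomain.com"),
                          ("myuser@somedomain.com", "fakeuser@phishingdomain.com"),
                          ("myuser@somedomain.com", "sales@somedomain.com")]:
        verdict = "accept" if authenticated_sender_allowed(db, login, sender) else "reject"
        print(f"login={login} MAIL FROM=<{sender}> -> {verdict}")
```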

How to Test

Log into your favorite mail client (e.g., Roundcube) and create a secondary identity with a fake email address. Then try composing and sending an email. The client should display an error stating that the email can't be sent because the sender address doesn't match the authenticated account.

This is how you prevent Email Sender Spoofing by Authenticated Users. If you think this guide was helpful please leave a comment and share this guide with others.
