technicalguru / docker-mailserver-postfix

Docker image for postfix in mailserver project

Can't send from forward only account #29

Open pixil98 opened 1 year ago

pixil98 commented 1 year ago

If I create an account without a local mailbox (forward only), I'm unable to send email from that account. I get the following error when trying:

SMTP Error (553): Failed to add recipient "bar@example.com" (5.7.1 <foo@example.com>: Sender address rejected: not owned by user foo@example.com).

This seems wrong as I'm authenticated as the sender address so it should be considered valid. I'd like to set up some no-reply accounts for services I have running and this is preventing it.

pixil98 commented 1 year ago

It looks like postfix is checking smtpd_sender_login_maps to see if a given user has permission to send from a given address. That list is handled by https://github.com/technicalguru/docker-mailserver-postfix/blob/master/etc/dovecot/dovecot-sql.conf.

I'm not an expert on postfix, but I don't think this query is correct. As is, it seems like it's giving postfix permission to send as any email address that email to the account would be delivered to, even if that address isn't a domain handled by the server. Additionally, if the account's mailbox isn't enabled, it won't show up on the list.

The first problem, I haven't tried writing any SQL for. It seems like it should only allow domains that it's configured for, though this is unlikely to be a huge problem as is since it's only abusable by authenticated users and the recipient's email server is likely to just detect it as spam. The second problem can probably be solved by changing the first %u to a %s as postfixadmin forces the account name to be the full address so %u will never match (I didn't have a chance to test this yet).

technicalguru commented 8 months ago

Hello @pixil98,

not sure whether the problem still persists. The configuration and SQL make sure that the sender address belongs to the account that you have authenticated before (either a mailbox or an alias for that mailbox).

If you need to change this behaviour, you can map your custom SQL definition into the docker image (in etc/dovecot directory) as a volume (with single file).

In case you still consider this an issue for the postfix image, please let me know here so we can improve it.

Regards

pixil98 commented 5 months ago

I ended up writing up two issues in this one issue:

Sending from forward only accounts: I would like to be able to do this so I can have some of my infrastructure send out diagnostic emails without collecting an inbox full of spam. I'm pretty sure this is just figuring out the right SQL query to use and I haven't gotten around to it yet, so it's clearly not that important. I would also be perfectly happy with being able to blackhole a mailbox. It's been quite a while since I looked into this, but I think it's a limitation in postfixadmin currently.

Sending as forwarded email address: I'm not sure what the right thing to do here is. A user shouldn't be sending as an address on a domain that the mail server isn't part of. It's going to fail SPF/DKIM checks, get marked as spam, and possibly get your IP blocked. RFC 4021 indicates that the From header should be the mailbox of the author and the Sender header should be the mailbox of the actual sender. It seems like the right solution would be to make sure that the Sender address is an actual mail account for a domain in postfixadmin, then the From address can be anything configured on the account. In practice, I don't know if places like Gmail would be happy with that or not.

technicalguru commented 5 months ago

I hope I understand your issue. There is a solution through the main.cf file. This thread has a solution to this in this specific reply. You basically set up a file where your forward account is authorized to send as anyone from your server. But you need to make sure that your SPF/DKIM setup works with it.
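
The ownership check discussed in this thread, as an added example that is not code from this repository or from any participant: a small model of how Postfix uses smtpd_sender_login_maps (look up the envelope sender, get the owning logins, reject on mismatch), run against two candidate map queries. The table layout is a simplified postfixadmin-style schema, and both queries, the helper names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; simplified postfixadmin-style schema (assumption:
# one goto per alias row, real installs store a comma-separated list).
SCHEMA = """
CREATE TABLE domain  (domain TEXT, active INTEGER);
CREATE TABLE mailbox (username TEXT, active INTEGER);
CREATE TABLE alias   (address TEXT, goto TEXT, active INTEGER);
INSERT INTO domain  VALUES ('example.com', 1);
INSERT INTO mailbox VALUES ('alice@example.com', 1), ('noreply@example.com', 0);
INSERT INTO alias   VALUES ('alice@example.com',   'alice@example.com', 1),
                           ('sales@example.com',   'alice@example.com', 1),
                           ('noreply@example.com', 'ops@example.org',   1),
                           ('alice@example.net',   'alice@example.com', 1);
"""  # last row: stray alias in a domain this server does not host

# Hypothetical query A: owners are the active mailboxes an alias delivers to.
MAILBOX_ONLY = """
SELECT m.username FROM alias a JOIN mailbox m ON m.username = a.goto
WHERE a.address = :s AND a.active = 1 AND m.active = 1
"""

# Hypothetical query B: as A, plus an account owns its own address whether or
# not its mailbox is enabled, and only senders in an active hosted domain match.
WITH_FORWARD_ONLY = """
SELECT owner FROM (
    SELECT m.username AS owner FROM alias a JOIN mailbox m ON m.username = a.goto
    WHERE a.address = :s AND a.active = 1 AND m.active = 1
    UNION
    SELECT username FROM mailbox WHERE username = :s
) WHERE EXISTS (SELECT 1 FROM domain d WHERE d.active = 1
                AND d.domain = substr(:s, instr(:s, '@') + 1))
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def owners(db, query, sender):
    # The map is keyed by envelope sender and returns the logins that own it.
    return {row[0] for row in db.execute(query, {"s": sender})}

def smtpd_check(db, query, sasl_login, sender):
    # Model of the mismatch check; authentication itself is decided by SASL.
    if sasl_login in owners(db, query, sender):
        return "OK"
    return (f"553 5.7.1 <{sender}>: Sender address rejected: "
            f"not owned by user {sasl_login}")
```

With query A the forward-only login gets the 553 from the report and the stray example.net alias is accepted as a sender; query B reverses both outcomes while still refusing noreply@example.com as an owner of sales@example.com.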