Admin accounts should be permitted to send mail on behalf of other users

One of the problems I’ve encountered is that my web application needs to be able to send email on behalf of other users. Of course we don’t want to allow any arbitrary user to spoof another user’s account, but I believe that admin accounts, at least, should have this privilege.

I was able to make this happen by modifying the query in /etc/postfix/sender-login-maps.cf:

    SELECT permitted_senders
    FROM (
        SELECT permitted_senders
        FROM (
            SELECT permitted_senders, 0 AS priority
            FROM aliases
            WHERE source='%s'
            AND permitted_senders IS NULL
            UNION
            SELECT email as permitted_senders, 2 AS priority
            FROM users
            WHERE email='%s'
            )
        ORDER BY priority LIMIT 1
        )
    UNION
    SELECT email as permitted_senders
    FROM users
    WHERE privileges='admin'
    AND SUBSTR(email, INSTR(email, '@') + 1) = SUBSTR('%s', INSTR('%s', '@') + 1);

You will of course need to restart Postfix after making configuration changes:

    sudo /etc/init.d/postfix restart

See my answer on SE: http://serverfault.com/a/746480/263831
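
An added illustration, not part of the original post: the Python script below runs the posted query against a constructed in-memory SQLite database and mimics how Postfix compares the result with the SASL login for the envelope sender. The two-table layout, the sample accounts and the helper names `make_db`, `owners` and `accepted` are assumptions.

```python
import sqlite3

# The query from the post. Postfix replaces each '%s' with the envelope sender
# being looked up; here it is bound as a parameter instead. The 'admin' string
# literal is single-quoted, as SQL expects.
QUERY = """
SELECT permitted_senders FROM (
    SELECT permitted_senders FROM (
        SELECT permitted_senders, 0 AS priority FROM aliases
        WHERE source='%s' AND permitted_senders IS NULL
        UNION
        SELECT email AS permitted_senders, 2 AS priority FROM users
        WHERE email='%s')
    ORDER BY priority LIMIT 1)
UNION
SELECT email AS permitted_senders FROM users
WHERE privileges='admin'
AND SUBSTR(email, INSTR(email, '@') + 1) = SUBSTR('%s', INSTR('%s', '@') + 1)
"""

def make_db():
    """Constructed sample data; the two-table schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (email TEXT, privileges TEXT);
        CREATE TABLE aliases (source TEXT, permitted_senders TEXT);
        INSERT INTO users VALUES
            ('admin@example.com', 'admin'),
            ('bob@example.com',   ''),
            ('carol@example.com', ''),
            ('root@example.org',  'admin');
    """)
    return db

def owners(db, envelope_sender):
    """Logins the map returns as owners of this envelope sender address."""
    rows = db.execute(QUERY.replace("'%s'", ":s"), {"s": envelope_sender})
    return {r[0] for r in rows if r[0] is not None}

def accepted(db, sasl_login, envelope_sender):
    """Mirror of the mismatch check: the login must own the MAIL FROM address."""
    return sasl_login in owners(db, envelope_sender)

if __name__ == "__main__":
    db = make_db()
    for login in ("admin@example.com", "bob@example.com",
                  "carol@example.com", "root@example.org"):
        print(login, "as bob@example.com ->", accepted(db, login, "bob@example.com"))
```

With this data the admin also becomes an owner of every address in its domain, including ones that have no mailbox, which is the scope to review before granting the privilege.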

The “nice” way to do this is to not try to impersonate other users in the envelope address but just set From: or Reply-To: (and possibly then Sender:) headers as needed (which are not validated).

reject_authenticated_sender_login_mismatch prevents authenticated users from just setting the From: header, right?

I don’t think it enforces Reply-To: and Sender:… would setting those be adequate?

Yes, that is the problem - by default, Postfix will reject messages where Sender and From do not match.

You can, as @bronson points out, disable this completely by removing reject_authenticated_sender_login_mismatch from the configuration file. However, this is a bad idea as a global policy, because it makes it easier for compromised accounts to be used as spam relays.

My proposal is a compromise, and allows “admin” accounts to mix-and-match Sender and From, but not standard user accounts.

No, it compares the login to the envelope address (also known as the return path). This is different from the From header. The From header is not checked.

Hmm, then maybe my mail library (PHPMailer) is changing both the From and Return-Path headers when I set the From property? Postfix is definitely rejecting mails when I set From differently from my login. I’ll have to look into it and see if PHPMailer is doing something funky.
