Topic: Remote senders forging identity as my local users
==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian wheezy
- Related log if you're reporting an issue: see below
====
I am sorry to bring back a topic that has already been closed (http://www.iredmail.org/forum/topic7449 … dress.html) but it seems that there really is a problem with the iRedMail default configuration.
As was discussed in the thread linked above, remote users are not allowed to forge their identity (From: address) without authenticating via SASL first. This works for local mailboxes, as long as the @local_domains_maps variable contains the list of your local domains. Such email is rejected:
Nov 3 14:03:05 mail postfix/smtpd[30290]: NOQUEUE: reject: RCPT from unknown[188.190.204.92]: 553 5.7.1 <user.name@mydomain.com>: Sender address rejected: not logged in; from=<user.name@mydomain.com> to=<user.name@mydomain.com> proto=ESMTP helo=<pool.luga.net.ua>
But if the remote sender sets his (forged) From: address as an existing alias, postfix won't reject such email and the message is passed:
Nov 3 14:09:22 mail amavis[30269]: (30269-12) Passed SPAMMY {RelayedTaggedInternal}, MYUSERS LOCAL [186.182.172.72]:29367 [186.182.172.72] <alias@mydomain.com> -> <user.name@mydomain.com>, Queue-ID: 88C92340DAD, Message-ID: <005101cff74e$05ea51c7$afa866a3$@mydomain.com>, mail_id: LXx5kCIweK52, Hits: 15.065, size: 4966, queued_as: 4ABC9340E58, 1191 m
Is there a way to solve this? Can postfix also search aliases for local users? Maybe the SQL query in /etc/postfix/mysql/sender_login_maps.cf has to be altered?
Or even better, disable aliases in From: completely?
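A log check for the situation described in the post, added here as an example and not part of the original post or of iRedMail: it lists amavis "Passed" records whose envelope sender is in a local domain, whose client is outside the trusted networks, and whose queue ID has no SASL login logged by postfix/smtpd. The names LOCAL_DOMAINS, TRUSTED_NETS and unauthenticated_local_senders, and the last two sample log lines, are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumptions for this example: the local domain list and trusted networks.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]

# postfix/smtpd logs sasl_username= next to the queue ID for authenticated sessions.
SASL_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=.*sasl_username=")
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed (?P<verdict>\S+).*?"
    r"\[(?P<client>[0-9A-Fa-f.:]+)\](?::\d+)? \[[^\]]+\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>.*?Queue-ID: (?P<qid>[0-9A-F]+)")


def unauthenticated_local_senders(lines):
    """Return (client, sender, rcpt, queue_id) for passed mail that claims a
    local-domain sender but has no SASL login logged for its queue ID."""
    lines = list(lines)
    authed = {m["qid"] for m in map(SASL_RE.search, lines) if m}
    hits = []
    for line in lines:
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        domain = m["sender"].rpartition("@")[2].lower()
        client = ipaddress.ip_address(m["client"])
        if (domain in LOCAL_DOMAINS and m["qid"] not in authed
                and not any(client in net for net in TRUSTED_NETS)):
            hits.append((m["client"], m["sender"], m["rcpt"], m["qid"]))
    return hits


SAMPLE_LOG = [
    # From the post (amavis line shortened after the queue ID).
    "Nov 3 14:03:05 mail postfix/smtpd[30290]: NOQUEUE: reject: RCPT from unknown[188.190.204.92]: 553 5.7.1 <user.name@mydomain.com>: Sender address rejected: not logged in; from=<user.name@mydomain.com> to=<user.name@mydomain.com> proto=ESMTP helo=<pool.luga.net.ua>",
    "Nov 3 14:09:22 mail amavis[30269]: (30269-12) Passed SPAMMY {RelayedTaggedInternal}, MYUSERS LOCAL [186.182.172.72]:29367 [186.182.172.72] <alias@mydomain.com> -> <user.name@mydomain.com>, Queue-ID: 88C92340DAD",
    # Constructed: an authenticated submission, which must not be flagged.
    "Nov 3 14:20:01 mail postfix/smtpd[30311]: 5F2A1340E60: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=user.name@mydomain.com",
    "Nov 3 14:20:02 mail amavis[30269]: (30269-13) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [203.0.113.5]:51000 [203.0.113.5] <user.name@mydomain.com> -> <other@mydomain.com>, Queue-ID: 5F2A1340E60",
]

if __name__ == "__main__":
    for hit in unauthenticated_local_senders(SAMPLE_LOG):
        print("local-domain sender without SASL login:", hit)
```

The correlation only works when the postfix/smtpd and amavis lines for the same queue ID are in the same input, so feed it whole log files rather than filtered excerpts.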