Description

Not really a bug, just (perhaps) a more useful default. I originally posted this in another issue thread, so I'll quote the couple replies from that thread below to start.

Basically this is just about RSPAMD's allow_username_mismatch for DKIM signing that currently defaults to false which won't allow RSPAMD to DKIM sign the email even if the address is a valid alias for the authenticated user.

@polarathene wrote:

Our ENV SPOOF_PROTECTION=1 would partially imply it should not allow mismatch, although we have a way for Postfix to permit sending as other users with that enabled (undocumented), which is probably sufficient, thus allow_username_mismatch can probably always be allowed.

@georglauterbach wrote:

I'd like a bit more discussion about allow_username_mismatch. @Codelica can you please open a new issue and explain this in just a bit more detail?:) What about aliases from the same domain? Moreover, @polarathene is right - we might want to make this dependent on SPOOF_PROTECTION?

@polarathene wrote:

Moreover, @polarathene is right - we might want to make this dependent on SPOOF_PROTECTION?

I state at the end that it's probably not necessary.

SPOOF_PROTECTION=1 should have Postfix prevent mismatch anyway. While it's undocumented, we do have support for allowing an account to send as additional users via a config file.

Virtual aliases can send as themselves when logging in via the virtual alias (and actual account recipient as login), however this is only because of the Dovecot dummy account workaround for Dovecot Quotas, may not work when the quota feature is disabled. The mentioned config file could allow aliases or any regex for an account to approved of more sender addresses.

Rspamd allow_username_mismatch isn't going to be compatible with additional approved senders, and since SPOOF_PROTECTION=1 should be enforcing this rule at the Postfix level for outbound mail, I think this rspamd setting doesn't need to be disabled.

TL;DR: allow_username_mismatch=true should be ok regardless 👍

EDIT: Unless I'm mistaken. I know Postfix is using the SASL login to compare with sender address, whereas rspamd wouldn't have that information and is presumably about a mismatch from the two mail headers of the sender address? (not sure if that changes on the Postfix end, might have some value 🤷‍♂️ )

I believe this is correct from what I saw -- Postfix did still enforce SPOOF_PROTECTION. RSPAMD's allow_username_mismatch for DKIM seems to be purely about wether RSPAMD will attempt to sign the message for the user, which is needed when acting as a virtual user.

Note: The info @polarathene is very helpful for me. As based on that I think I'll have to make some other modification(s) also. I'm coming from a homebrew Postfix/Cyrus/Amavis/ClamAV/SA system I ran for many years. Dozens of domains and many virtual addresses were handled by the system, so it was very convenient to login as my "main" user and just add "identities" to send as to my mail client -- which all the mail clients I use have 1st class support for (Mac/iOS Mail, Spark Mail, Roundcube). Once I enabled allow_username_mismatch, I was able to do that again although apparently just for aliases with 1:1 mappings -- which I just verified. So IMO I would still (personally) default allow_username_mismatch to true since it doesn't compromise spoof protection and may clear up some confusion for people doing the same.