Hey guys,

I set up my Postfix with in- and outgoing spamchecks/quota. Also, I disallow the port 25 for regular users and force them to authenticate themselves via tls on the submission ports.

My problem is, that all this can easily be bypassed with the php mail() function.
Does somebody know how I could at least force php to send his mail through postfix so all mails will be spamchecked (and dkim-signed)? Even better would be the possibility to force the authentication (i.e. via user/pass in the users php.ini).

Thank you in advance.

You should configure that in the php.ini ‘sendmail_path’ value.

Try something like:
sendmail_path = /usr/sbin/sendmail.postfix -t -i

After that you’ll have to re-load the php.ini, try e.g.
/etc/init.d/apache2 restart

You can try integrate SMTP authentication with postfix as described in this page:
http://www.andybev.com/index.php/SMTP_authentication_and_Postfix

Thank you for the suggestion.

However, it seems like I found an easier solution.

in postfix master.cf

change

submission inet n - n - - smtpd

to

submission inet n - n - - smtpd

force encyption - optional

-o smtpd_tls_security_level=encrypt

force authentification - necessary I guess, unless you want anbody getting his mail dkim-signed

-o smtpd_sasl_auth_enable=yes

only allow authenticated user to submit mails for delivery - sendmail uses this too

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

the actual content filter. amavis normally uses port 10024, but I added this one

to let amavis apply the originating policy bank which bounces spam back to the user

and dkim sings the mail

-o content_filter=smtp-amavis:[127.0.0.1]:10026

I’m not quite sure if this is the “correct” way but it has been working for a few weeks now.
Notice, that the submission port is 587 instead of 25. In fact, I don’t accept local domains incoming through port 25 because I have strict dkim which would probably result in losing mails.