Anyone can send mails from a local user as long as the recipient is another local user

[william-stacken]

I got a spam mail recently with a valid DKIM signature from my admin user to one of my other users. At first I thought I was compromised, but after some quick testing with openssl I noticed that it is possible for anyone to send such a mail without providing a password.

I found a solution to this problem, see https://serverfault.com/questions/318334/how-to-enforce-sender-address-to-be-logged-in-userexample-org-in-postfix/318432#318432