On Wed 12/Nov/2014 14:42:02 +0100 Matus UHLAR - fantomas wrote: 
>>Stephan Knorr writes:
>>> I am trying to deny authenticated esmtp (on port 587) for local users who
>>> have configured their email-client with a foreign from-address (not in our
>>> local domain).
> 
> On 12.11.14 08:13, Sam Varshavchik wrote:
>> What would be possible is writing a custom mail filter that rejects 
>> messages from authenticated connections that do not have a matching 
>> From: header

A good reason to do so is that some spammers, after hijacking a user's
password, don't bother using the corresponding sender address.

Should one consider From:, MAILFROM, or both?

> ... and I would just recommend not to block foreign domains, but even
> foreign addresses - block any address user does not own, e.g. is not same as
> its login name or is not in aliases.

Checking aliases becomes quite a mess, as one can have scripts in aliasdir.

Some users will typically need to send as postmaster@any-hosted-domain.

In addition, some users use disposable addresses, possibly implemented as local
catchalls, or externally provided services like trashmail.net.

I'm asking 'cause I'd like to add configuration options of that kind to
zdkimfilter.  The filter could either block or just omit signing --the latter
to abide by the (false) belief that DKIM-signed implies verified From:.  How
about the following syntax?

   # these authenticated users can use whatever they want
   always_allow [email protected] *@example.net

   # ditto for these, who in addition will have their mail DKIM-signed
   always_sign [email protected] *@*.edu

   # mail from users whose authenticated-id matches alias.*@example.com
   # is going to be allowed and DKIM-signed if the From: (or MAILFROM?)
   # matches any of the subsequent patterns
   sign_if_match alias.*@example.com *@example.com postmaster@* *.trashmail.net

In fact, an auth-id doesn't have to be the same as the user-id that a user
supplies along with the password.  auth-ids are only visible in Courier's
Received: header fields (and zdkimfilter has an option to hide them.)  That is,
altering an auth-id is likely going to be unnoticed by the corresponding user.
So, it can as well be used by a filter to derive permissions as in the third
syntax above.  Isn't that overly complicated?

Just thinking aloud...
Ale

-- 
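As an added example, not part of this message or of zdkimfilter itself: a small Python evaluator for the syntax proposed above. It assumes one rule per line with '#' comments, shell-style globs, that the first pattern of sign_if_match selects the auth-id and the rest the From: address, and that with no matching rule a user may only send as an address identical to the auth-id (the "address user does not own" rule quoted above); all addresses are constructed.

```python
import fnmatch

# Constructed sample of the syntax proposed in the message (addresses are made up).
SAMPLE_CONFIG = """# these authenticated users can use whatever they want
always_allow boss@example.com *@example.net

# ditto for these, who in addition will have their mail DKIM-signed
always_sign dkim@example.com *@*.edu

# auth-ids matching alias.*@example.com may send as any of the following
sign_if_match alias.*@example.com *@example.com postmaster@* *.trashmail.net
"""

def parse_config(text):
    """Return a list of (keyword, auth-id patterns, From: patterns or None)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        keyword, *patterns = line.split()
        if keyword in ('always_allow', 'always_sign'):
            rules.append((keyword, patterns, None))
        elif keyword == 'sign_if_match' and len(patterns) >= 2:
            # assumption: first pattern selects the auth-id, the rest the From:
            rules.append((keyword, [patterns[0]], patterns[1:]))
        else:
            raise ValueError('bad rule: ' + raw)
    return rules

def _matches(addr, pattern):
    # Shell-style globs ('*' also spans '@'); compare case-insensitively
    return fnmatch.fnmatchcase(addr.lower(), pattern.lower())

def decide(rules, auth_id, from_addr):
    """Return 'allow' (accept, no DKIM), 'sign' (accept and sign) or 'reject'."""
    for keyword, id_patterns, from_patterns in rules:
        if not any(_matches(auth_id, p) for p in id_patterns):
            continue
        if keyword == 'always_allow':
            return 'allow'
        if keyword == 'always_sign':
            return 'sign'
        if any(_matches(from_addr, p) for p in from_patterns):
            return 'sign'
    # Default (assumption): a user may only send as the address they own,
    # i.e. From: must equal the auth-id; anything else is refused.
    return 'sign' if auth_id.lower() == from_addr.lower() else 'reject'
```

Whether decide() is fed the From: header, MAIL FROM, or both is exactly the open question in the message; the function is agnostic and can be called once per identity.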
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users