--- In [email protected], Victor Duchovni <victor.ducho...@...> wrote:
>
> On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:
>
> > When a sender is not authenticated, and
> > reject_unauthenticated_sender_login_mismatch is specified, postfix takes
> > the MAIL FROM address, looks it up in smtpd_sender_login_maps and if
> > it's found, the message is rejected?
> >
> > Essentially the lookup is just for the existence of the MAIL FROM
> > address in the smtpd_sender_login_maps table?
>
> Yes, that's what I said.
>
> > Am I then correct in concluding that with:
> >
> > smtpd_sender_restrictions =
> >     permit_sasl_authenticated,
> >     reject_authenticated_sender_login_mismatch,
> >     reject
>
> Observe that the order of the first two elements is not entirely
> correct.
>
> > that the permit_sasl_authenticated obviates the need for
> > reject_unauthenticated_sender_login_mismatch?
> > (as there would never be an unauthenticated sender permitted...)
>
> Yes. This saves you a table lookup before unauthenticated senders are
> rejected outright via "reject".
>
> > And am I also correct in concluding that if unauthenticated senders were
> > allowed (as they would have to be for smtpd to accept messages from the
> > internet), that reject_unauthenticated_sender_login_mismatch would
> > prevent any non-authenticated sender from sending a message from (with MAIL
> > FROM) any address listed in my smtpd_sender_login_maps?
>
> Yes, that's what I said.
>

I think I've misunderstood this again. Here's the behavior I observed:

I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch
to my master.cf smtp service entry (receiving mail on port 25).

It then rejected all mail. Each message was rejected because the sender was not
authenticated.

This is obviously undesirable behavior for this service, as I will never
receive any mail.

The behavior I was seeking was that it would reject messages where the MAIL
FROM is one of the addresses that validly authenticates.

In other words, if a spammer were to forge the MAIL FROM address as one of my
valid users, then send the message to that same user or any other user on my
server, postfix would reject it, knowing that that particular address should be
sent from a matching (smtpd_sender_login_maps) authenticated user.

Further, any mail received with a MAIL FROM that is not listed in my
smtpd_sender_login_maps should then be permitted to pass, at least to the next
check.

Given that reject_unauthenticated_sender_login_mismatch does not produce this
behavior, is there another way to produce this behavior? (with the obvious
corollary - is there any reason I would not want to do so?)

Thank you!!
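
The restriction semantics described in the quoted exchange, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of first-match evaluation of an smtpd restriction list. The sample map, the addresses, the one-owner-per-address simplification and the choice of swapping the first two elements are assumptions; it models the behavior the exchange describes, not a running Postfix instance.

```python
# Simplified model of smtpd restriction-list evaluation (added example).
# Constructed sample map: MAIL FROM address -> SASL login that owns it.
# Assumption: one owner per address; a real map can list several logins.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}

def permit_sasl_authenticated(login, mail_from):
    return "PERMIT" if login else "DUNNO"

def reject_authenticated_sender_login_mismatch(login, mail_from):
    # Authenticated clients only: the login must own the MAIL FROM address.
    if login and SENDER_LOGIN_MAPS.get(mail_from) != login:
        return "REJECT"
    return "DUNNO"

def reject_unauthenticated_sender_login_mismatch(login, mail_from):
    # Unauthenticated clients only: reject when MAIL FROM has a listed owner.
    if not login and mail_from in SENDER_LOGIN_MAPS:
        return "REJECT"
    return "DUNNO"

def reject(login, mail_from):
    return "REJECT"

def evaluate(restrictions, login, mail_from):
    """The first restriction returning PERMIT or REJECT decides the result."""
    for check in restrictions:
        verdict = check(login, mail_from)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"  # nothing matched: continue with the next restriction list

# The list quoted in the thread, in the order it was posted.
AS_POSTED = [permit_sasl_authenticated,
             reject_authenticated_sender_login_mismatch, reject]
# The same list with its first two elements swapped (assumed reordering).
SWAPPED = [reject_authenticated_sender_login_mismatch,
           permit_sasl_authenticated, reject]
# A port-25 list holding only the unauthenticated check.
PORT25 = [reject_unauthenticated_sender_login_mismatch]

if __name__ == "__main__":
    # login=None stands for a client that did not authenticate.
    for name, rules in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        print(name, evaluate(rules, "bob", "alice@example.com"))
    for sender in ("alice@example.com", "stranger@example.org"):
        print("port 25", sender, evaluate(PORT25, None, sender))
```

In the posted order an authenticated client is permitted before the ownership check is ever consulted, which is why the position of the first two elements matters.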
