On 09/08/2010 12:36 AM, Jan-Frode Myklebust wrote:
On Tue, Sep 07, 2010 at 08:20:36PM +0200, Jeroen Geilman wrote:
On 09/07/2010 06:57 PM, mouss wrote:

OP is an ISP providing outbound relay to residential users. His
problem is not easy to solve.


Thanks for understanding. I've gotten information off list that gmail
are setting the sender to the gmail authenticated user when sending from
non-gmail addresses. So I'm at least not alone in thinking this should
be a good solution.

Also I believe you have to pre-register any address you want to send
from through gmail, which sounds like we could use Postfix's
smtpd_sender_login_maps to implement a similar solution.



Residential users don't often have their own mail servers/domains.
Limiting these to sending with their true ISP address is fairly common.
(And just about the only sane way to implement this kind of relay)

In Norway all/most ISPs are forcing their residential users through the
ISP's smarthosts. Outgoing port 25/tcp is blocked. So users are not
allowed to run their own mailservers. I can't justify also requiring
all users to use the ISP's mail addresses.


   -jf

Hi,

I am running a small ISP here in Egypt and we are using smtpd_sender_login_maps to prevent anyone unauthenticated from sending from email addresses they don't own. It works very well and Postfix responds with an error "address not owned by user".

One challenge we faced was that the database query has to include all aliases which are registered for the authenticated username (in our case the email), but this is no problem with some smart views on your database table.

So set smtpd_sender_login_maps = proxy:pgsql:/path.cf

and then in smtpd_sender_restrictions = reject_sender_login_mismatch

and you are done.

PS: You should of course separate the incoming client mail and the domain mail transfers, so for example mailserver to mailserver uses port 25 where this policy is not applied and clients use port 587 submission where this policy is applied.

Frank
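
The alias point in the message above, as an added example that is not from the original post or from Postfix: a view that maps every sender address (mailbox or alias) to its owning login, and a model of the documented reject_sender_login_mismatch decision run against it. SQLite stands in for PostgreSQL, and the table, view, column names and addresses are constructed assumptions.

```python
import sqlite3

# Constructed schema and rows; every name and address here is hypothetical.
SCHEMA = """
CREATE TABLE mailbox (login TEXT PRIMARY KEY);
CREATE TABLE alias (address TEXT PRIMARY KEY,
                    login TEXT NOT NULL REFERENCES mailbox(login));
-- One row per (sender address, owning login): the mailbox plus every alias.
CREATE VIEW sender_owner AS
    SELECT login AS address, login FROM mailbox
    UNION
    SELECT address, login FROM alias;
INSERT INTO mailbox VALUES ('alice@isp.example'), ('bob@isp.example');
INSERT INTO alias VALUES ('sales@shop.example', 'alice@isp.example');
"""

# The lookup a sender-login map would run; in a pgsql map file the
# placeholder is written '%s' instead of ?.
QUERY = "SELECT login FROM sender_owner WHERE address = ?"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def owners(db, sender):
    """Logins registered as owner of this envelope sender address."""
    return {row[0] for row in db.execute(QUERY, (sender,))}


def sender_allowed(db, sender, sasl_login=None):
    """Model of reject_sender_login_mismatch: True means MAIL FROM passes."""
    owned_by = owners(db, sender)
    if sasl_login is None:
        # Not logged in: rejected only when the address has a listed owner.
        return not owned_by
    # Logged in: the login must be listed as an owner of the address.
    return sasl_login in owned_by


if __name__ == "__main__":
    db = open_db()
    for sender, login in [("alice@isp.example", "alice@isp.example"),
                          ("sales@shop.example", "alice@isp.example"),
                          ("sales@shop.example", "bob@isp.example"),
                          ("alice@isp.example", None)]:
        verdict = "OK" if sender_allowed(db, sender, login) else "REJECT"
        print(sender, login, verdict)
```

If the query read only the mailbox table, alice's own alias would be rejected, which is the problem the view avoids.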

