Re: restricting outbound e-mail to be from the authenticated user only

Mon, 31 Jan 2011 12:32:44 -0800 

On 1/31/2011 7:24 AM, Noel Jones wrote:

On 1/30/2011 11:12 PM, Daniel Bromberg wrote:

Re: the From:/Reply-To cases: It seems one can write a better
regexp then given by mouss, such as including angle brackets
in the match field, or the full syntax


[the custom on this list is to bottom post]


The full possible syntax of the From: header is quite complex and 
difficult to express in a regexp.  Mouss' example is appropriate.



What is normally suggested is to put these controls on the 
submission/smtps ports and turn off SASL on the main port 25.  That 
forces the users to submission/smtps, and allow you to separate the 
controls rather than trying to make all ports work for everything.




  -- Noel Jones 



> The full possible syntax of the From: header is quite complex and 
difficult to express in a regexp.  Mouss' example is appropriate.



I can see how the possibility of embedded comments in the whitespace 
(which themselves can have quoted metacharacters) make the worst case 
complicated.  Then, it begs the question of a thorough, reliable library 
(perl? C? agonizingly careful PCRE template?)  that fits neatly into 
Postfix and can parse these fields quickly and fully up to 5322 spec 
using a formal grammar and return the meaty parts with an API. I've 
concluded for now that this need is academic for me right now, so more 
of a curiosity question.



> What is normally suggested is to put these controls on the 
submission/smtps ports and turn off SASL on the main port 25.  That 
forces the users > to submission/smtps, and allow you to separate the 
controls rather than trying to make all ports work for everything.



I already have SASL enabled only for the submission port. Here's my 
settings, please confirm (filter:dummy goes to spamc/spamd):



smtp.example.com:smtp      inet  n       -       n       -       -       
smtpd

   -o content_filter=filter:dummy


smtp.example.com:smtps     inet  n       -       n       -       -      
smtpd

  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


I think what you're also suggesting, then, is to put this stanza: 
"smtpd_sender_login_maps = 
mysql:/etc/postfix/mysql_sender_login_maps.cf" as a -o to the 'smtps' 
clause, instead of in the system-wide main.cf 
stmpd_recipient_restrictions clause?


Thanks for the ongoing guidance,
-Daniel























					Reply via email to