On 1/31/2011 3:40 PM, Victor Duchovni wrote:
On Mon, Jan 31, 2011 at 03:32:20PM -0500, Daniel Bromberg wrote:

smtp.example.com:smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=filter:dummy

smtp.example.com:smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

I think what you're also suggesting, then, is to put this stanza:
"smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf"
as a -o to the 'smtps' clause, instead of in the system-wide main.cf
smtpd_recipient_restrictions clause?

No, the table can be defined globally, but should typically be
"proxied" to avoid excessive database connections. Rather,
the constraint "reject_sender_login_mismatch" (or similar) should
be used in a service-specific master.cf override.

Avoid complex settings in master.cf. Instead of:

     -o smtpd_client_restrictions=permit_sasl_authenticated,reject

use

     -o smtpd_client_restrictions=$submission_client_restrictions

and set "submission_client_restrictions" in main.cf.

OK, I believe this is the final draft and (near the) end of the thread, and I thank those keen observers for their forbearance. proxy_read_maps had an awful lot in it by default and I am nervous overriding it with what may be less than the bare minimum:

main.cf
----------
[....]
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $virtual_mailbox_maps $virtual_alias_maps $smtpd_sender_login_maps
[...]
submission_client_restrictions =
   permit_sasl_authenticated,
   reject

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject...,
   [...],
   permit


master.cf
-------------
smtp.example.com:smtp inet n - n - - smtpd
   -o content_filter=filter:dummy

smtp.example.com:smtps     inet  n       -       n       -       -     smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o reject_sender_login_mismatch
[...]
filter    unix  -       n       n       -       -       pipe
  flags=Rq user=spam argv=/usr/local/bin/spamc -U /tmp/spamd.sock -e /usr/sbin/sendmail -f ${sender} ${recipient}

-Daniel
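
An added example, not part of the original thread or of Postfix: a small Python check for master.cf "-o" overrides, which Postfix expects in name=value form and which the advice above suggests keeping to a simple $name reference defined in main.cf. The sample config is constructed, the function names are hypothetical, and it assumes every $name used in an override is set explicitly in main.cf (built-in defaults are not known to it).

```python
import re

# Constructed sample input modelled on this thread (not a real server's config).
MAIN_CF = """\
submission_client_restrictions =
   permit_sasl_authenticated,
   reject
"""
MASTER_CF = """\
smtp.example.com:smtps     inet  n       -       n       -       -     smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=$submission_client_restrctions
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o reject_sender_login_mismatch
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the line they extend."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_names(text):
    """Parameter names that main.cf sets explicitly."""
    return {l.split("=", 1)[0].strip() for l in logical_lines(text) if "=" in l}

def check_overrides(master_text, main_text):
    """Return (service, override, problem) for each questionable -o argument."""
    defined, findings = main_cf_names(main_text), []
    for line in logical_lines(master_text):
        fields = line.split()
        args = [fields[i + 1] for i, t in enumerate(fields[:-1]) if t == "-o"]
        for arg in args:
            name, eq, value = arg.partition("=")
            if not eq:  # e.g. a bare restriction name, which is not a parameter
                findings.append((fields[0], arg, "not name=value"))
            elif "," in value:  # style advice from the thread, not a syntax error
                findings.append((fields[0], arg, "list value; define it in main.cf"))
            for ref in re.findall(r"\$\{?(\w+)", value):
                if ref not in defined:  # catches a misspelled $name
                    findings.append((fields[0], arg, "undefined $" + ref))
    return findings
```

Running check_overrides(MASTER_CF, MAIN_CF) on the constructed sample reports the misspelled $name, the inline list and the bare restriction name; a listing whose overrides are all simple name=value pairs returns an empty list.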
