Thank you Noel,

After searching for a while, I found your info/solutions were complete and accurate.

Locking sender addresses with authenticated users appears to be a good practice, anyway.

Here, I have two questions about reject_sender_login_mismatch:

  1. If sender is in the form "f...@example.com" and (SASL) login name
     is foo, will this lead to an "automatic" match (i.e. without using
     smtpd_sender_login_maps) or do we *always* need to define an explicit
     mapping between f...@example.com and foo in smtpd_sender_login_maps?
  2. About reject_unauthenticated_sender_login_mismatch: How does
     sender-login matching work with unauthenticated clients? Since
     the client is unauthenticated (so postfix doesn't know a login
     name associated with the current client) how can postfix match
     sender address with login name? Will it have to drop all these
     connections?

Please clarify.

As an alternative (which also adds a lot of functionality), I think I might try postfwd, which (as well as many others in the addon list you provided) looks promising. In our case, it seems to me that a rule to restrict the recipient address every...@example.com so that only authenticated (SASL) login names bob and alice can send to it, would be:

id=RS_001 ; sasl_username=!!( (bob|alice) ) ; recipient=every...@example.com ; action=REJECT You are not allowed to send to this address

It appears intuitive and the rule "language" is rich.

Any comments?

Thanks again for your valuable advice.

All the best,
Nick


On 8/2/2011 1:15 AM, Noel Jones wrote:

Postfix has no such feature. Maybe it would be sufficient to limit the sender address to authenticated users with reject_sender_login_mismatch. Then one could use smtpd_restriction_classes that first checks for the protected recipient, then checks for authenticated users.
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
http://www.postfix.org/RESTRICTION_CLASS_README.html

Alternately, the sasl username is available to an external policy service.
http://www.postfix.org/SMTPD_POLICY_README.html

Maybe an existing policy service can be configured for this.
http://www.postfix.org/addon.html#policy


  -- Noel Jones
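
The policy-service route mentioned above and the postfwd rule sketched earlier in the thread make the same decision. As an added example (not part of either message, and not postfwd's or Postfix's own code), here is that decision as a small Python policy delegate. The address protected-list@example.com is a placeholder for the elided recipient, and the stdin loop assumes the script is started by spawn(8).

```python
import sys

PROTECTED_RCPT = "protected-list@example.com"  # placeholder, not from the thread
ALLOWED_LOGINS = {"bob", "alice"}              # SASL login names from the thread

# Constructed sample request in the SMTPD policy delegation format:
# name=value lines, terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=mallory@example.com\n"
    "recipient=protected-list@example.com\n"
    "sasl_username=mallory\n"
    "\n"
)

def parse_request(raw):
    """Turn one request into a dict; stop at the terminating empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:  # ignore malformed lines without '='
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return a Postfix access action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("recipient", "").lower() != PROTECTED_RCPT:
        return "DUNNO"  # not the protected address: no opinion
    # sasl_username is empty when the client did not authenticate,
    # so unauthenticated senders fall through to the reject below.
    if attrs.get("sasl_username", "") in ALLOWED_LOGINS:
        return "DUNNO"
    return "REJECT You are not allowed to send to this address"

def respond(raw):
    """Build the reply: one action line followed by an empty line."""
    return "action=" + decide(parse_request(raw)) + "\n\n"

if __name__ == "__main__":
    buf = []
    for line in sys.stdin:  # one request per empty-line-terminated block
        buf.append(line)
        if line.strip() == "":
            sys.stdout.write(respond("".join(buf)))
            sys.stdout.flush()
            buf = []
```

The recipient attribute is only present from the RCPT stage on, so the service has to be called through check_policy_service in a recipient-stage restriction list. Returning DUNNO rather than OK leaves the final decision to the restrictions that follow it.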
