On 2/11/2011 6:08 AM, Nikolaos Milas wrote:
Thank you Harald,

Please, let me ask for some clarifications, cause I'm confused:

If we have (SASL) UNauthenticated clients (who are allowed to
send emails from mynetworks) AND (SASL) authenticated clients
(in mynetworks or anywhere), what will happen to our
UNauthenticated clients (in mynetworks) when they try to use
as a sender a mail address included in
smtpd_sender_login_maps? They will be allowed to send or not?

So, for example, one client in mynetworks is trying to send as
f...@example.com, which is included in
smtpd_sender_login_maps and owned by foo. If the client is:

I. *NOT* (SASL) authenticated to postfix and we use:

1. reject_unauthenticated_sender_login_mismatch, it means that:
a/the client will be rejected unless it (SASL) authenticates or
b/the email will be accepted?

smtpd_sender_login_maps is only consulted for unauthenticated connections.

If the user specifies a MAIL FROM listed in smtpd_sender_login_maps and is not logged in, the mail will be rejected.

http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch


2. reject_authenticated_sender_login_mismatch, it means that:
a/the client will be rejected unless it (SASL) authenticates or
b/the email will be accepted?

smtpd_sender_login_maps is only consulted if the user has authenticated.

In this case (unauthenticated user, protected MAIL FROM), smtpd_sender_login_maps is not consulted, and the mail is accepted (but still subject to any further restrictions you define).



3. reject_sender_login_mismatch, it means that:
a/the client will be rejected unless it (SASL) authenticates or
b/the email will be accepted?

smtpd_sender_login_maps is always consulted. If the MAIL FROM is found there, the user must use an approved authentication name.

In this case (unauthenticated user, protected MAIL FROM), the mail would be rejected.


II. already (SASL) authenticated to postfix and we use:

1. reject_unauthenticated_sender_login_mismatch, it means that:
a/the client (SASL) login will be checked as an owner of
f...@example.com or b/it will not be checked?

smtpd_sender_login_maps is not consulted if the user has authenticated.


2. reject_authenticated_sender_login_mismatch, it means that:
a/the client (SASL) login will be checked as an owner of
f...@example.com or b/it will not be checked?

smtpd_sender_login_maps is checked to see if the authenticated user is listed as valid for the given MAIL FROM.

3. reject_sender_login_mismatch, it means that:
a/the client (SASL) login will be checked as an owner of
f...@example.com or b/it will not be checked?

smtpd_sender_login_maps is always checked.

As an alternative (which also adds a lot of functionality), I think I might try 
postfwd, which (as well as many others in the addon list you provided) looks 
promising. In our case, it seems to me that a rule to restrict the recipient 
address every...@example.com so that only authenticated (SASL) login names bob 
and alice can send to it, would be:

    id=RS_001 ; sasl_username=!!( (bob|alice) ) ; recipient=every...@example.com ; action=REJECT You are not allowed to send to this address

I don't use postfwd, but that looks worth testing.


  -- Noel Jones
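
The six cases discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a small Python model of the three restrictions as postconf(5) documents them. The address `protected@example.com`, the logins `foo` and `bar`, and the function names are constructed for illustration; `DUNNO` here means "no decision, continue with the next restriction".

```python
from typing import Optional

# Constructed stand-in for smtpd_sender_login_maps: MAIL FROM -> owning SASL logins.
SENDER_LOGIN_MAPS = {"protected@example.com": {"foo"}}

RESTRICTIONS = (
    "reject_unauthenticated_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_sender_login_mismatch",
)


def mismatch(sender: str, sasl_login: Optional[str], maps=SENDER_LOGIN_MAPS) -> bool:
    """Core test of reject_sender_login_mismatch; True means reject."""
    owners = maps.get(sender.lower())
    if sasl_login is None:
        # Not logged in: rejected only when the address has an owner.
        return owners is not None
    # Logged in: the login must own the address. An address with no
    # map entry has no owner, so it fails this test as well.
    return owners is None or sasl_login not in owners


def evaluate(restriction: str, sender: str, sasl_login: Optional[str] = None) -> str:
    """Return "REJECT" or "DUNNO" for one restriction and one MAIL FROM."""
    authenticated = sasl_login is not None
    if restriction == "reject_sender_login_mismatch":
        applies = True
    elif restriction == "reject_authenticated_sender_login_mismatch":
        applies = authenticated
    elif restriction == "reject_unauthenticated_sender_login_mismatch":
        applies = not authenticated
    else:
        raise ValueError(f"unknown restriction: {restriction}")
    return "REJECT" if applies and mismatch(sender, sasl_login) else "DUNNO"


def thread_cases(sender: str = "protected@example.com") -> dict:
    """Results for an unauthenticated client, the owner, and a non-owner."""
    clients = {"unauthenticated": None, "owner foo": "foo", "non-owner bar": "bar"}
    return {(name, r): evaluate(r, sender, login)
            for name, login in clients.items() for r in RESTRICTIONS}


if __name__ == "__main__":
    for (client, restriction), result in thread_cases().items():
        print(f"{client:16} {restriction:46} {result}")
```
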
