On Fri, November 4, 2011 12:07 pm, Viktor Dukhovni wrote:
> If this is an MX host, you need to allow mail to your own domains
> before you "reject" to, otherwise only your own users will be
> able to send you email.
>
> Since the sender address and the SASL login account are not
> necessarily the same, you also need to use
> reject_authenticated_sender_login_mismatch. So the whole thing
> boils down to:
>
>     smtpd_sender_restrictions =
>         permit_auth_destination,
>         permit_mynetworks,
>         check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>         reject_authenticated_sender_login_mismatch,
>         permit_sasl_authenticated
>
> You then also need smtpd_sender_login_maps and each authenticated user
> will be constrained to only use the designated sender addresses. If that's
> too much pain or is overly restrictive, perhaps as others have tried to
> point out you may be solving the wrong problem, just configure the
> authentication layer to lock the abused accounts and work on preventing
> re-compromise of any accounts you plan to re-enable.

Thanks Viktor, Noel, and Reindl, for your responses.

Viktor, yes I figured out about reject_authenticated_sender_login_mismatch
and smtpd_sender_login_maps. I'm still working that out, but I don't
believe that is going to be an issue.

Yes, I agree that I'm attacking the wrong end of this problem;
unfortunately that's not my call. Others who 'know more' than me have made
that decision.

Thanks again.
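
Added example (not part of the original thread): a sketch of the smtpd_sender_login_maps lookup that reject_authenticated_sender_login_mismatch relies on, using the same mysql: table type as the check_sender_access map quoted above. The map file name, the connection values, and the sender_logins table with its address and login columns are hypothetical placeholders.

```ini
# /etc/postfix/main.cf (fragment)
# Maps each envelope sender (MAIL FROM) address to the SASL login(s)
# that are allowed to use it. The file name is a hypothetical placeholder.
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf

# /etc/postfix/mysql_sender_login_maps.cf (separate file; keep it
# unreadable to ordinary users because it holds a database password)
# Connection values and schema are hypothetical placeholders.
hosts = 127.0.0.1
user = postfix
password = CHANGE_ME
dbname = mail
# %s is the sender address being looked up. The result is the login
# name, or several login names, that own that address.
query = SELECT login FROM sender_logins WHERE address = '%s'
```

The map can be checked with `postmap -q user@example.com mysql:/etc/postfix/mysql_sender_login_maps.cf`, which should print the owning login for that address. With reject_authenticated_sender_login_mismatch in place, an authenticated client whose SASL login is not returned for the MAIL FROM address is rejected.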