On 1/16/2013 3:44 PM, Bernhard Schmidt wrote:
> On 16.01.2013 22:39, Wietse Venema wrote:
>> Bernhard Schmidt:
>>> Hello,
>>>
>>> I did not find it in the manpage, in the odd chance I missed it, is
>>> there something like check_sasl_access or check_username_access for
>>> smtpd_mumble_restrictions?
>>>
>>> We just had a compromised account being abused for spamming. We
>>> had him on the radar before he even got his first mail delivered
>>> due to reject_sender_login_mismatch, but
>>
>> Use reject_sender_login_mismatch so they must use their own sender
>> address, then block that address with check_sender_access.
>
> Sure, that's what we did in the end, but as I said the account had
> several addresses associated to. So if you miss the one they used
> you are out of luck.
>
> Just wondered whether I missed something, you can check on almost
> everything in postfix, but not the sasl_username.
>
> Thanks for Postfix :-)
> Bernhard

The postfwd policy service is commonly recommended for ad-hoc
restrictions. It's small, reliable, extremely flexible, and
actively supported. It can do complex stuff such as per-sender rate
limits, or simple stuff such as "hold all mail from this sasl user".

http://postfwd.org/

On the other hand, it probably wouldn't be much trouble to add a
check_sasl_username_access feature to postfix. If you submit a
patch, including a documentation patch, I'm sure it will be
considered. Consideration does not guarantee acceptance.

  -- Noel Jones
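
An added example, not part of the original thread and not postfwd or Postfix code: a small policy-delegation service that holds mail by the sasl_username attribute Postfix sends in each policy request, which is the "hold all mail from this sasl user" case mentioned above. The login name in HELD_SASL_USERS is a constructed sample, and the case-insensitive comparison is an assumption.

```python
"""Minimal Postfix policy-delegation service: hold mail by SASL login."""
import sys

# Constructed sample value; in practice this would be loaded from a file.
HELD_SASL_USERS = {"compromised.user"}


def parse_request(lines):
    """Turn one request (name=value lines) into a dict of attributes."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\r\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, held=HELD_SASL_USERS):
    """Pick the access(5) action for one request."""
    # Assumption: logins are compared case-insensitively.
    user = attrs.get("sasl_username", "").lower()
    if user in held:
        # Matches the login itself, so every sender address tied to the
        # account is covered, including ones nobody listed.
        return "HOLD SASL account under review"
    # Unauthenticated clients send an empty sasl_username: no opinion.
    return "DUNNO"


def serve(stdin, stdout):
    """Answer requests until Postfix closes the connection."""
    request = []
    for line in stdin:
        if line.rstrip("\r\n"):
            request.append(line)
            continue
        # An empty line ends the request; reply with action= and an empty line.
        if request:
            stdout.write("action=%s\n\n" % decide(parse_request(request)))
            stdout.flush()
        request = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Postfix would run such a script through spawn(8) and consult it with check_policy_service in an smtpd restriction list, as described in SMTPD_POLICY_README.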