Hello list,
I'm using postfix 2.6.6 with cyrus-sasl (saslauthd + pam_mysql).
Everything works OK, except that I've noticed that users can log in successfully
using their username with an arbitrary @domain part; that is, I see login
success in 2 cases:
- username = user
- username = user@<any.domain>
My user table contains just the user part.
How can I prevent logins in the form user@domain (I need that for further mail
processing that happens down the line)?
Thanks in advance!
Configuration follows (let me know if you need more information):
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = yes
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 0
inet_interfaces = <my.private.lan.ip>
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:local delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 27962028
mydestination =
mydomain = <domain.tld>
myhostname = <hostname.domain.tld>
mynetworks = <my.private.lan.subnet/cidr>
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
debug_peer_list,
fast_flush_domains,
mynetworks,
permit_mx_backup_networks,
qmqpd_authorized_clients,
relay_domains
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains =
relayhost = [my.relay.host.ip]
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP Service Ready
smtpd_discard_ehlo_keywords = dsn
smtpd_hard_error_limit = ${stress?10}${stress:200}
smtpd_helo_required = yes
smtpd_recipient_limit = 10000
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
check_recipient_access hash:/etc/postfix/domain.hash,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_soft_error_limit = 100
smtpd_tls_cert_file = </path/to/my/cert>
smtpd_tls_key_file = </path/to/my/key>
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_scache
unknown_local_recipient_reject_code = 550
# saslauthd command line
/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 0
# /etc/pam.d/smtp.postfix
auth required pam_mysql.so user=<user> passwd=<pass>
host=<my.auth.backend.ip> db=postfix table=User usercolumn=username
passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND
User.isDeleted="0"]
account sufficient pam_mysql.so user=<user> passwd=<pass>
host=<my.auth.backend.ip> db=postfix table=User usercolumn=username
passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND
User.isDeleted="0"]
# /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login