On Mon, Sep 16, 2013 at 08:35:16AM -0400, Wietse Venema wrote:
> If you want to reject authenticated sender/login mis-matches only
> for sender addresses in $smtpd_sender_login_maps, then that would
> have to be a completely different feature, with a clear name, and
> with clearly defined semantics.
>
> reject_something_here_that_doesnt_confuse_the_hell_out_of_real_humans
> Reject the request when the client is (SASL) logged in, but
> the MAIL FROM address is owned by a different client login
> name according to $smtpd_sender_login_maps.
Perhaps:
reject_restricted_sender_misuse
Patch below, potentially subject to replacement of the above name with
something more obvious.
--
Viktor.
---
mantools/postlink | 1 +
proto/SASL_README.html | 3 ++-
proto/postconf.proto | 7 +++++++
src/global/mail_params.h | 2 ++
src/smtpd/smtpd_check.c | 15 ++++++++++++---
5 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/mantools/postlink b/mantools/postlink
index 6da58ae..74838b1 100755
--- a/mantools/postlink
+++ b/mantools/postlink
@@ -898,6 +898,7 @@ while (<>) {
s;\bcheck_sender_ns_access\b;<a
href="postconf.5.html#check_sender_ns_access">$&</a>;g;
s;\b(reject_authenti)([-</bB>]*\n*[
<bB>]*)(cated_sender_login_mismatch)\b;<a
href="postconf.5.html#reject_authenticated_sender_login_mismatch">$1<\/a>$2<a
href="postconf.5.html#reject_authenticated_sender_login_mismatch">$3</a>;g;
s;\breject_non_fqdn_sender\b;<a
href="postconf.5.html#reject_non_fqdn_sender">$&</a>;g;
+ s;\breject_restricted_sender_misuse\b;<a
href="postconf.5.html#reject_restricted_sender_misuse">$&</a>;g;
s;\breject_rhsbl_sender\b;<a
href="postconf.5.html#reject_rhsbl_sender">$&</a>;g;
s;\breject_sender_login_mis[-</bB>]*\n*[ <bB>]*match\b;<a
href="postconf.5.html#reject_sender_login_mismatch">$&</a>;g;
s;\breject_unauthenticated_sender_login_mismatch\b;<a
href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">$&</a>;g;
diff --git a/proto/SASL_README.html b/proto/SASL_README.html
index 49e7fb7..c7134b4 100644
--- a/proto/SASL_README.html
+++ b/proto/SASL_README.html
@@ -1450,7 +1450,8 @@ restriction above will reject the sender address in the
MAIL FROM
command if <code>smtpd_sender_login_maps</code> does not specify
the SMTP client's login name as an owner of that address. </p>
-<p> See also <code>reject_authenticated_sender_login_mismatch</code> and
+<p> See also <code>reject_authenticated_sender_login_mismatch</code>,
+<code>reject_restricted_sender_misuse</code>, and
<code>reject_unauthenticated_sender_login_mismatch</code> for additional
control over the SASL login name and the envelope sender. </p>
diff --git a/proto/postconf.proto b/proto/postconf.proto
index c4b6c53..bc70e1f 100644
--- a/proto/postconf.proto
+++ b/proto/postconf.proto
@@ -6299,6 +6299,13 @@ fully-qualified domain form, as required by the RFC.
<br> The
non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504). </dd>
+<dt><b><a
name="reject_restricted_sender_misuse">reject_restricted_sender_misuse</a></b></dt>
+
+<dd>Reject the request when the client is (SASL) logged in, but the
+MAIL FROM address is owned by a different client login name according
+to $smtpd_sender_login_maps. This feature is available in
+Postfix version 2.11 and later. </dd>
+
<dt><b><a name="reject_rhsbl_sender">reject_rhsbl_sender
<i>rbl_domain=d.d.d.d</i></a></b></dt>
<dd>Reject the request when the MAIL FROM domain is listed with
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index 93d2c35..a3dadaa 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -1591,6 +1591,8 @@ extern char *var_smtpd_snd_auth_maps;
#define REJECT_SENDER_LOGIN_MISMATCH "reject_sender_login_mismatch"
#define REJECT_AUTH_SENDER_LOGIN_MISMATCH \
"reject_authenticated_sender_login_mismatch"
+#define REJECT_RESTRICTED_SENDER_MISUSE \
+ "reject_restricted_sender_misuse"
#define REJECT_UNAUTH_SENDER_LOGIN_MISMATCH \
"reject_unauthenticated_sender_login_mismatch"
diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
index a27dc70..343f41a 100644
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -3461,7 +3461,7 @@ static int reject_maps_rbl(SMTPD_STATE *state)
/* reject_auth_sender_login_mismatch - logged in client must own sender
address */
-static int reject_auth_sender_login_mismatch(SMTPD_STATE *state, const char
*sender)
+static int reject_auth_sender_login_mismatch(SMTPD_STATE *state, const char
*sender, int allow_unowned)
{
const RESOLVE_REPLY *reply;
const char *owners;
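Review bot: The header comment above the function still reads "logged in client must own sender address", which no longer describes the function once `allow_unowned` is non-zero. I would extend it to state what the flag does, for example `/* reject_auth_sender_login_mismatch - logged in client must own sender address; with allow_unowned, senders without an smtpd_sender_login_maps entry are not rejected */`. The function body continues outside this hunk.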
@@ -3487,7 +3487,8 @@ static int reject_auth_sender_login_mismatch(SMTPD_STATE
*state, const char *sen
}
}
myfree(saved_owners);
- }
+ } else if (allow_unowned)
+ return (SMTPD_CHECK_DUNNO);
if (!found)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
"<%s>: Sender address rejected: not owned by user %s",
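Review bot: With the new `else if (allow_unowned) return (SMTPD_CHECK_DUNNO);`, a null `owners` result becomes a pass instead of a reject, so it now matters whether the lookup can return null for anything other than "no entry". The lookup call sits between the two hunks and is not visible here. If a temporary table error could also surface as a null result, the new restriction would fail open during a map outage and let a logged-in client send with an address listed for another login. It is worth confirming that lookup errors are deferred before this branch is reached, and adding a comment on the early return such as `/* no owner listed: not a restricted sender, leave the decision to later restrictions */`.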
@@ -4017,7 +4018,15 @@ static int generic_checks(SMTPD_STATE *state, ARGV
*restrictions,
#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable) {
if (state->sender && *state->sender)
- status = reject_auth_sender_login_mismatch(state,
state->sender);
+ status = reject_auth_sender_login_mismatch(state,
state->sender, 0);
+ } else
+#endif
+ msg_warn("restriction `%s' ignored: no SASL support", name);
+ } else if (strcasecmp(name, REJECT_RESTRICTED_SENDER_MISUSE) == 0) {
+#ifdef USE_SASL_AUTH
+ if (var_smtpd_sasl_enable) {
+ if (state->sender && *state->sender)
+ status = reject_auth_sender_login_mismatch(state,
state->sender, 1);
} else
#endif
msg_warn("restriction `%s' ignored: no SASL support", name);
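Review bot: The bare `0` and `1` passed as the third argument at the two call sites do not say which mode is selected, although this flag decides whether unlisted senders are rejected. Named constants would make the policy readable where it is chosen, for example `#define ALLOW_UNOWNED 1` and `#define FORBID_UNOWNED 0` next to the function, then `reject_auth_sender_login_mismatch(state, state->sender, ALLOW_UNOWNED)`. The new branch also copies the warning text of the one above it, so "no SASL support" is logged even when SASL is compiled in and only `var_smtpd_sasl_enable` is off. In that case the restriction is silently skipped, and a message that names the disabled setting would help an operator notice that sender ownership is not being enforced. generic_checks starts and ends outside this hunk.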
--
1.7.9.6 (Apple Git-31.1)