On Mon, Sep 16, 2013 at 11:24:12AM -0400, Wietse Venema wrote:
> > So I think putting "sender" first and indicating that *only*
> > listed senders are in scope makes sense:
> >
> > reject_restricted_sender_wrong_login
> >
> > this should likely automatically imply reject_unauth_sender_login_mismatch
> > (to protect said restricted sender addresses from misuse when the
> > client does not authenticate). (Thus a small change in the proposed code).
>
> I think the following introduces the least amount of confusion.
>
> reject_sender_login_mismatch
> [this definition does not change]
>
> reject_authenticated_sender_login_mismatch
> Apply the reject_sender_login_mismatch restriction
> only to clients that are SASL-authenticated.
>
> reject_unauthenticated_sender_login_mismatch
> Apply the reject_sender_login_mismatch restriction
> only to clients that are not SASL-authenticated.
>
> reject_known_sender_login_mismatch
> Apply the reject_sender_login_mismatch restriction only to
> MAIL FROM addresses that are known in $smtpd_sender_login_maps.
This works for me, and also sensibly applies to both authenticated
and unauthenticated clients.
--
Viktor.
mantools/postlink | 1 +
proto/SASL_README.html | 3 ++-
proto/postconf.proto | 6 ++++++
src/global/mail_params.h | 2 ++
src/smtpd/smtpd_check.c | 19 ++++++++++++++++---
5 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/mantools/postlink b/mantools/postlink
index 6da58ae..f038fb6 100755
--- a/mantools/postlink
+++ b/mantools/postlink
@@ -897,6 +897,7 @@ while (<>) {
s;\bcheck_sender_mx_access\b;<a
href="postconf.5.html#check_sender_mx_access">$&</a>;g;
s;\bcheck_sender_ns_access\b;<a
href="postconf.5.html#check_sender_ns_access">$&</a>;g;
s;\b(reject_authenti)([-</bB>]*\n*[
<bB>]*)(cated_sender_login_mismatch)\b;<a
href="postconf.5.html#reject_authenticated_sender_login_mismatch">$1<\/a>$2<a
href="postconf.5.html#reject_authenticated_sender_login_mismatch">$3</a>;g;
+ s;\breject_known_sender_login_mismatch\b;<a
href="postconf.5.html#reject_known_sender_login_mismatch">$&</a>;g;
s;\breject_non_fqdn_sender\b;<a
href="postconf.5.html#reject_non_fqdn_sender">$&</a>;g;
s;\breject_rhsbl_sender\b;<a
href="postconf.5.html#reject_rhsbl_sender">$&</a>;g;
s;\breject_sender_login_mis[-</bB>]*\n*[ <bB>]*match\b;<a
href="postconf.5.html#reject_sender_login_mismatch">$&</a>;g;
diff --git a/proto/SASL_README.html b/proto/SASL_README.html
index 49e7fb7..b9104e2 100644
--- a/proto/SASL_README.html
+++ b/proto/SASL_README.html
@@ -1450,7 +1450,8 @@ restriction above will reject the sender address in the
MAIL FROM
command if <code>smtpd_sender_login_maps</code> does not specify
the SMTP client's login name as an owner of that address. </p>
-<p> See also <code>reject_authenticated_sender_login_mismatch</code> and
+<p> See also <code>reject_authenticated_sender_login_mismatch</code>,
+<code>reject_known_sender_login_mismatch</code>, and
<code>reject_unauthenticated_sender_login_mismatch</code> for additional
control over the SASL login name and the envelope sender. </p>
diff --git a/proto/postconf.proto b/proto/postconf.proto
index c4b6c53..d8c538d 100644
--- a/proto/postconf.proto
+++ b/proto/postconf.proto
@@ -6292,6 +6292,12 @@ feature is available in Postfix 2.1 and later. </dd>
authenticated clients only. This feature is available in
Postfix version 2.1 and later. </dd>
+<dt><b><a
name="reject_known_sender_login_mismatch">reject_known_sender_login_mismatch</a></b></dt>
+
+<dd>Apply the reject_sender_login_mismatch restriction only to MAIL
+FROM addresses that are known in $smtpd_sender_login_maps. This
+feature is available in Postfix version 2.11 and later. </dd>
+
<dt><b><a name="reject_non_fqdn_sender">reject_non_fqdn_sender</a></b></dt>
<dd>Reject the request when the MAIL FROM address is not in
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index 93d2c35..871fcc5 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -1591,6 +1591,8 @@ extern char *var_smtpd_snd_auth_maps;
#define REJECT_SENDER_LOGIN_MISMATCH "reject_sender_login_mismatch"
#define REJECT_AUTH_SENDER_LOGIN_MISMATCH \
"reject_authenticated_sender_login_mismatch"
+#define REJECT_KNOWN_SENDER_LOGIN_MISMATCH \
+ "reject_known_sender_login_mismatch"
#define REJECT_UNAUTH_SENDER_LOGIN_MISMATCH \
"reject_unauthenticated_sender_login_mismatch"
diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
index a27dc70..d9f61cb 100644
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -3461,7 +3461,7 @@ static int reject_maps_rbl(SMTPD_STATE *state)
/* reject_auth_sender_login_mismatch - logged in client must own sender
address */
-static int reject_auth_sender_login_mismatch(SMTPD_STATE *state, const char
*sender)
+static int reject_auth_sender_login_mismatch(SMTPD_STATE *state, const char
*sender, int allow_unowned)
{
const RESOLVE_REPLY *reply;
const char *owners;
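Review bot: The header comment above `reject_auth_sender_login_mismatch` still reads "logged in client must own sender address", and the new `allow_unowned` parameter is not described anywhere in this hunk. With the next hunk's `else if (allow_unowned) return (SMTPD_CHECK_DUNNO);`, a nonzero value lets an authenticated client use any sender that has no owners entry, so the comment should say so, for example `/* reject_auth_sender_login_mismatch - logged in client must own sender address; with allow_unowned, senders without an owners entry are not restricted */`. Because that branch is a pass-through, it is also worth confirming that the owners lookup (outside both hunks) cannot come back empty on a table error as well as on a genuine miss. The function body continues past the end of this hunk.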
@@ -3487,7 +3487,8 @@ static int reject_auth_sender_login_mismatch(SMTPD_STATE
*state, const char *sen
}
}
myfree(saved_owners);
- }
+ } else if (allow_unowned)
+ return (SMTPD_CHECK_DUNNO);
if (!found)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
"<%s>: Sender address rejected: not owned by user %s",
@@ -4017,7 +4018,19 @@ static int generic_checks(SMTPD_STATE *state, ARGV
*restrictions,
#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable) {
if (state->sender && *state->sender)
- status = reject_auth_sender_login_mismatch(state,
state->sender);
+ status = reject_auth_sender_login_mismatch(state,
state->sender, 0);
+ } else
+#endif
+ msg_warn("restriction `%s' ignored: no SASL support", name);
+ } else if (strcasecmp(name, REJECT_KNOWN_SENDER_LOGIN_MISMATCH) == 0) {
+#ifdef USE_SASL_AUTH
+ if (var_smtpd_sasl_enable) {
+ if (state->sender && *state->sender) {
+ if (state->sasl_username)
+ status = reject_auth_sender_login_mismatch(state,
state->sender, 1);
+ else
+ status = reject_unauth_sender_login_mismatch(state,
state->sender);
+ }
} else
#endif
msg_warn("restriction `%s' ignored: no SASL support", name);
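Review bot: The third argument is passed as a bare `0` and `1` at the two `reject_auth_sender_login_mismatch` call sites in this hunk, which hides that `1` relaxes the check from "the login must own the sender" to "only enforced when the sender is listed". Named constants defined next to the function would make that policy difference visible where the restriction is dispatched, e.g. `#define ALLOW_UNOWNED_SENDER 1` and `#define FORBID_UNOWNED_SENDER 0`, used as `reject_auth_sender_login_mismatch(state, state->sender, ALLOW_UNOWNED_SENDER)`. generic_checks starts and ends outside the hunk.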