On Wed, 03 Dec 2014 13:18:45 +0100 "li...@rhsoft.net" <li...@rhsoft.net> wrote:
>
> On 03.12.2014 at 13:06, mancyb...@gmail.com wrote:
> > Hi, I'm currently using the following two parameters:
> >
> > reject_authenticated_sender_login_mismatch,
> > reject_unauthenticated_sender_login_mismatch,
> >
> > under 'smtpd_recipient_restrictions'
> > to enforce sasl username+password authentication.
> >
> > As you may know, M$ Exchange, when using an external SMTP, can't send
> > username+password of each user
> > but only 1 username+password for all the domain.
> > In short, postfix must allow spoofing the username of the domain.
> >
> > Perhaps I'm missing something about all this,
> > if not, the question is: is there a way in postfix to disable the two
> > parameters above just for that domain
> > (thus allowing spoofing of the username, only for that domain)?
>
> put the exchange host in "mynetworks" and just add "permit_mynetworks"
> *before* "reject_authenticated_sender_login_mismatch"
>
> you don't want to do this domain based with access lists because that
> can be spoofed easily

Hi,
my whole 'smtpd_recipient_restrictions' is:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:10031,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/check_recipient_access_skip_blacklists,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_client_access hash:/etc/postfix/rbl_override
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,

this is a server with many domains and users (and filters, also custom
antispam filters).
Wouldn't your suggested modification disable all the rest of the
processing logic? I mean... would reject_rbl_client zen.spamhaus.org
still be considered?
If that's the case, wouldn't it be easy to spoof the domain and abuse the
server?

Thank you very much for your support.