On 7 Jun 2018, at 12:07, Marek Kozlowski wrote:
:-)
I have all users in an LDAP database and store users' aliases,
virtuals, canonicals, forwards etc. as attributes. For that purpose
using the `reject_sender_login_mismatch' seems to be a simple and
powerful solution for increasing security and I'm using it. Excluding
some e-mail addresses from this restriction if necessary is not a
problem. The problem is:
I'd like to allow sending mail from certain hosts as certain
users without SASL authentication. Let's say:
[email protected] from host1.mydomain.com
[email protected] from host2.mydomain.com
[email protected] from host3.mydomain.com
That is: any process running on `host1' may send e-mail as `user1'
(and only that user!) without SASL authentication but e-mails from
`user1' from any other host require SASL authentication as `user1'.
Same for `user2' and `user3'. I can find solutions for host
exceptions. I can find solutions for user exceptions. Unfortunately I
cannot find a solution that combines both. May I ask for a suggestion?
Look at the "Restriction Class" feature. See
http://www.postfix.org/RESTRICTION_CLASS_README.html
Effectively, restriction classes are a way of applying distinct sets of
restrictions (i.e. entries that can exist in smtpd_*_restrictions lists)
to various sets of users. So you might have something like:
main.cf:
smtpd_restriction_classes = user1,user2,user3
user1 = check_client_access inline:{ host1.mydomain.com=permit }
user2 = check_client_access inline:{ host2.mydomain.com=permit }
user3 = check_client_access inline:{ host3.mydomain.com=permit }
smtpd_recipient_restrictions = [...] permit_sasl_authenticated
check_sender_access inline:{[email protected]=user1,
[email protected]=user2, [email protected]=user3}
[...]
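To see how the pieces above compose, here is a small model (added here, not from the thread or from Postfix) of how Postfix walks a restriction list: restrictions run in order, the first PERMIT or REJECT wins, DUNNO moves on. The sender addresses and the login map are constructed; the host and class names are the reply's, and reject_sender_login_mismatch from the question is assumed to sit later in the same list.

```python
"""Model of restriction-list evaluation for the restriction-class policy above."""
from dataclasses import dataclass
from typing import Callable, Optional

# smtpd_restriction_classes: class name -> client host it permits (from the reply)
CLASS_PERMIT_HOST = {"user1": "host1.mydomain.com",
                     "user2": "host2.mydomain.com",
                     "user3": "host3.mydomain.com"}
# check_sender_access inline map: sender -> restriction class (addresses constructed)
SENDER_CLASS = {"user1@mydomain.com": "user1",
                "user2@mydomain.com": "user2",
                "user3@mydomain.com": "user3"}
# smtpd_sender_login_maps equivalent (constructed): sender -> SASL login that owns it
SENDER_OWNER = dict(SENDER_CLASS)

@dataclass
class Session:
    client_host: str
    sender: str
    sasl_user: Optional[str] = None   # None means the client did not SASL-authenticate

def permit_sasl_authenticated(s: Session) -> str:
    return "PERMIT" if s.sasl_user else "DUNNO"

def check_sender_access(s: Session) -> str:
    """Look the sender up; on a hit, run that sender's restriction class."""
    cls = SENDER_CLASS.get(s.sender)
    if cls is None:
        return "DUNNO"
    # Class body from the reply: check_client_access inline:{ hostN.mydomain.com=permit }
    return "PERMIT" if s.client_host == CLASS_PERMIT_HOST[cls] else "DUNNO"

def reject_sender_login_mismatch(s: Session) -> str:
    owner = SENDER_OWNER.get(s.sender)
    if s.sasl_user is None:
        return "REJECT" if owner else "DUNNO"   # owned sender, but no login
    return "DUNNO" if owner == s.sasl_user else "REJECT"

# Same order as the reply; an earlier PERMIT or REJECT ends evaluation.
RESTRICTIONS: list[Callable[[Session], str]] = [
    permit_sasl_authenticated, check_sender_access, reject_sender_login_mismatch]

def evaluate(s: Session) -> str:
    for restriction in RESTRICTIONS:
        verdict = restriction(s)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"   # whatever follows "[...]" in the real list decides

if __name__ == "__main__":
    print(evaluate(Session("host1.mydomain.com", "user1@mydomain.com")))   # PERMIT
    print(evaluate(Session("host2.mydomain.com", "user1@mydomain.com")))   # REJECT
```

Moving reject_sender_login_mismatch ahead of check_sender_access in the list would reject user1 from host1 before the class is ever consulted, which is why the placement matters.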