On 2022-05-04 at 12:20:49 UTC-0400 (Wed, 4 May 2022 18:20:49 +0200)
Matus UHLAR - fantomas <[email protected]>
is rumored to have said:
Hello,
I have tried to restrict users only to be able to send mail with their
own e-mail addresses.
(I am aware of the difference between envelope From: and header From:, but
I have to start somewhere).
After reading smtpd_sender_login_maps and reject_sender_login_mismatch,
I thought I need to map all protected I have set up:
smtpd_sender_restrictions =
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_sender_login_mismatch
What I see in the logs:
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction
`reject_authenticated_sender_login_mismatch' ignored: no SASL support
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction
`reject_unauthenticated_sender_login_mismatch' ignored: no SASL
support
1.
- do I need to explicitly enable SASL on port 25 in order to be able
to regulate the sender addresses for users?
To regulate the sender address based on a SASL authentication identity,
you need to know a SASL authentication identity.
Typically you will not support SASL authentication on port 25 because
port 25 is for mail from non-local, unfamiliar senders. Another way to
attack the problem is to deploy a milter or policy daemon to enforce SPF
on port 25, and publish suitable SPF records for your domains with a
'-all' default.
Isn't this what reject_unauthenticated_sender_login_mismatch does?
reject_unauthenticated_sender_login_mismatch enforces the restrictions
defined in smtpd_sender_login_maps only against unauthenticated clients,
so smtpd_sender_login_maps is really just a list of sender addresses
that require authentication, but don't care about the SASL AuthID.
2. reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an
owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps.
- do I understand this correctly as two alternative ways of explaining
"you can send mail from [email protected] only if it's in
smtpd_sender_login_maps and lists your username"?
Yes, but it is a bit more precise in describing both the case where the
user has authenticated and the case where they have not. Note that a
sender address that is listed may ONLY be used by an authenticated user,
and that unauthenticated users are rejected if they try to send as any
listed sender.
3. reject_known_sender_login_mismatch
Apply the reject_sender_login_mismatch restriction only to MAIL
FROM addresses that are known in $smtpd_sender_login_maps. This
feature is available in Postfix version 2.11 and later.
- how is this different from other reject_*sender_login_mismatch?
This only rejects mismatches of *known* sender addresses. It will not
reject users sending mail from a sender address not listed at all in
$smtpd_sender_login_maps.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire