On 2022-05-04 at 12:20:49 UTC-0400 (Wed, 4 May 2022 18:20:49 +0200)
Matus UHLAR - fantomas <[email protected]>
is rumored to have said:
I have tried to restrict users only to be able to send mail with
their own e-mail addresses.
(I am aware of difference between envelope from: and header From:
but I have to start somewhere).
after reading smtpd_sender_login_maps and
reject_sender_login_mismatch I thought I need to map all protected I
have set up:
smtpd_sender_restrictions =
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_sender_login_mismatch
what I see in logs:
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction
`reject_authenticated_sender_login_mismatch' ignored: no SASL
support
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction
`reject_unauthenticated_sender_login_mismatch' ignored: no SASL
support
1.
- do I need to explicitly enable SASL on port 25 in order to be able
to regulate the sender addresses for users?
On 04.05.22 13:59, Bill Cole wrote:
To regulate the sender address based on a SASL authentication
identity, you need to know a SASL authentication identity.
how does reject_unauthenticated_sender_login_mismatch work then?
does it only work when authentication is enabled but the user hasn't
authenticated?
Typically you will not support SASL authentication on port 25 because
port 25 is for mail from non-local, unfamiliar senders.
I guess this is why I haven't SASL enabled on port 25 :-)
perhaps I could enable authentication via smtpd_sasl_auth_enable while
disabling it by having AUTH in smtpd_discard_ehlo_keywords and
smtpd_command_filter?
isn't this what reject_unauthenticated_sender_login_mismatch does?
reject_unauthenticated_sender_login_mismatch enforces the restrictions
defined in smtpd_sender_login_maps only against unauthenticated
clients, so smtpd_sender_login_maps is really just a list of sender
addresses that require authentication, but don't care about the SASL
AuthID.
as I said, the clients on port 25 are unauthenticated - that's why I'm
curious why smtpd complaind about no SASL support.
2. reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an owner
for the MAIL FROM address, but the client is not (SASL) logged in as that
MAIL FROM address owner; or when the client is (SASL) logged in, but the
client login name doesn't own the MAIL FROM address according to
$smtpd_sender_login_maps.
- do I understand this correctly as two alternative ways of explaining
"you can send mail from [email protected] only if it's in
smtpd_sender_login_maps and lists your username"?
Yes, but it is a bit more precise in describing both the case where
the user has authenticated and the case where they have not. Note that
a sender address that is listed may ONLY be used by an authenticated
user, and that unauthenticated users are rejected if they try to send
as any listed sender.
so it's "not logged in as the owner or logged in, not as the owner".
Since I got the two messages above by using single
reject_sender_login_mismatch, I assume it behaves as using both
reject_unauthenticated_sender_login_mismatch
+ reject_authenticated_sender_login_mismatch
I was just curious if it has meaning I haven't seen.
3. reject_known_sender_login_mismatch
Apply the reject_sender_login_mismatch restriction only to MAIL
FROM addresses that are known in $smtpd_sender_login_maps. This
feature is available in Postfix version 2.11 and later.
- how is this different from other reject_*sender_login_mismatch?
This only rejects mismatches of *known* sender addresses. It will not
reject users sending mail from a sender address not listed at all in
$smtpd_sender_login_maps.
so, reject_known_sender_login_mismatch only handles addresses listed in
smtpd_sender_login_maps
while reject_sender_login_mismatch handles addresses not listed there there?
which are they?
Is there e.g. a default mapping like "[email protected] [email protected]"
that allows using address equal to own username then?
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
