I'm trying to RTFS now, but I'm not a programmer...
On 2022-05-04 at 12:20:49 UTC-0400 (Wed, 4 May 2022 18:20:49 +0200) Matus
UHLAR - fantomas <[email protected]> is rumored to have said:
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
May 1 02:04:15 fantomas postfix/smtpd[31415]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
- do I need to explicitly enable SASL on port 25 in order to be
able to regulate the sender addresses for users?
how does reject_unauthenticated_sender_login_mismatch work then?
does it only work when authentication is enabled but the user hasn't
authenticated?
according to src/smtpd/smtpd_check.c it works like that:
reject_unauthenticated_sender_login_mismatch needs auth enabled and user not
logged in.
Typically you will not support SASL authentication on port 25
because port 25 is for mail from non-local, unfamiliar senders.
I guess this is why I haven't SASL enabled on port 25 :-)
perhaps I could enable authentication via smtpd_sasl_auth_enable
while disabling it by having AUTH in smtpd_discard_ehlo_keywords and
smtpd_command_filter?
I'm lost as to WHY you want to use a login mismatch test on a service
with no logins. There are better ways to control inbound forgeries.
I configured reject_sender_login_mismatch in main.cf and expected it to
restrict protected sender addresses, no matter where the client connects to,
authenticated or not.
Also why I'm curious why you're trying to use a restriction that is
defined as requiring authentication IDs.
I didn't expect rejecting unauthenticated clients to require authentication.
3. reject_known_sender_login_mismatch
Apply the reject_sender_login_mismatch restriction only to
MAIL FROM addresses that are known in
$smtpd_sender_login_maps. This feature is available in
Postfix version 2.11 and later.
- how is this different from other reject_*sender_login_mismatch?
This only rejects mismatches of *known* sender addresses. It will
not reject users sending mail from a sender address not listed at
all in $smtpd_sender_login_maps.
note that this is mentioned in reject_sender_login_mismatch:
"Reject the request when $smtpd_sender_login_maps specifies an owner for the
MAIL FROM address,"
and I can't see the difference between this and
"Apply the reject_sender_login_mismatch restriction only to MAIL FROM
addresses that are known in $smtpd_sender_login_maps."
so, reject_known_sender_login_mismatch only handles addresses listed
in smtpd_sender_login_maps
while reject_sender_login_mismatch handles addresses not listed
there?
Yes.
which are they?
Addresses you don't know about. Non-existent addresses. Addresses you
haven't set up a mapping for.
non-existing and unknown addresses can hardly be listed in
smtpd_sender_login_maps so I can't exactly see how they are protected.
(and RTFS didn't help me)
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
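
The following is an added example, not part of the original message and not Postfix source code: a simplified Python model of how the four restrictions named in this thread decide on one MAIL FROM, including the "no SASL support" case and the unlisted-sender case the last question asks about. Assumptions: the map is a plain dict with exact-address lookup, the function and constant names are hypothetical, and the addresses are constructed samples.

```python
# Simplified model (added example, not Postfix source) of the four
# *_sender_login_mismatch restrictions discussed in the thread.
REJECT, DUNNO, IGNORED = "REJECT", "DUNNO", "IGNORED (no SASL support)"

def _owners(sender, login_maps):
    """Owners of a MAIL FROM address, or None when the address is not listed.
    Assumption: exact-address lookup in a dict standing in for the map."""
    return login_maps.get(sender.casefold())

def _auth_check(sender, login, login_maps, allow_unknown):
    """A logged-in client must own the sender address."""
    if login is None:
        return DUNNO
    owners = _owners(sender, login_maps)
    if owners is None:
        # Unlisted sender: only the "known" variant lets this through.
        return DUNNO if allow_unknown else REJECT
    return DUNNO if login.casefold() in (o.casefold() for o in owners) else REJECT

def _unauth_check(sender, login, login_maps):
    """A client that is not logged in may not use an address that has an owner."""
    if login is None and _owners(sender, login_maps) is not None:
        return REJECT
    return DUNNO

def evaluate(restriction, sender, login, login_maps, sasl_active):
    """Result of one restriction for one MAIL FROM.
    login is the SASL login name, or None when the client did not authenticate."""
    if not sasl_active:
        return IGNORED  # the warning shown in the log lines of the thread
    if not sender:
        return DUNNO    # the null sender <> is not checked
    if restriction == "reject_authenticated_sender_login_mismatch":
        return _auth_check(sender, login, login_maps, allow_unknown=False)
    if restriction == "reject_unauthenticated_sender_login_mismatch":
        return _unauth_check(sender, login, login_maps)
    if restriction in ("reject_sender_login_mismatch",
                       "reject_known_sender_login_mismatch"):
        known_only = restriction == "reject_known_sender_login_mismatch"
        if _auth_check(sender, login, login_maps, allow_unknown=known_only) == REJECT:
            return REJECT
        return _unauth_check(sender, login, login_maps)
    raise ValueError(f"unknown restriction: {restriction}")

# Constructed sample map: sender address -> SASL logins that own it.
SAMPLE_MAPS = {"alice@example.test": ["alice"],
               "sales@example.test": ["alice", "bob"]}
```

In this model the only input on which reject_sender_login_mismatch and reject_known_sender_login_mismatch disagree is a logged-in client using a MAIL FROM address that has no entry in the map.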