Hello,
Matus UHLAR - fantomas:
note that this is mentioned in reject_sender_login_mismatch:
MAIL FROM address,"
reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an
    owner for the MAIL FROM address, but the client is not (SASL)
    logged in as that MAIL FROM address owner; or when the client is
    (SASL) logged in, but the client login name doesn't own the MAIL
    FROM address according to $smtpd_sender_login_maps.

and I can't see the difference between this and

reject_known_sender_login_mismatch
    Apply the reject_sender_login_mismatch restriction only to MAIL
    FROM addresses that are known in $smtpd_sender_login_maps.
On 05.05.22 14:19, Wietse Venema wrote:
The user can specify any MAIL FROM address that does not match
smtpd_sender_login_match.
On 06.05.22 11:54, Bill Cole wrote:
Non-existing/unknown addresses CAN be mapped by smtpd_sender_login_maps, as
every map type has some form of wildcarding. An address which matches in
the map is known, one which does not match in the map is unknown. Whether
the address is non-existent (i.e. cannot be delivered to) is a different
issue, and a non-existent address can be a 'known sender' in the context
of smtpd_sender_login_maps.
thanks guys, I guess I finally got it (did some testing for sure).
I would describe those directives as:

reject_unauthenticated_sender_login_mismatch
    Reject sender address if it's listed in smtpd_sender_login_maps and the
    client is not SASL authenticated.
    This option requires SASL authentication to be enabled.
    This feature is available in Postfix version 2.1 and later.

reject_authenticated_sender_login_mismatch
    Reject sender address if it's listed in smtpd_sender_login_maps and the
    SASL authenticated user is not listed as owner of that address.
    This restriction allows users to send mail only from addresses they are
    listed as owners of.
    This feature is available in Postfix version 2.1 and later.

reject_sender_login_mismatch
    Apply restrictions described in
    reject_unauthenticated_sender_login_mismatch and
    reject_authenticated_sender_login_mismatch.
    Before Postfix 2.1 those were only implemented within this restriction.

reject_known_sender_login_mismatch
    Reject sender address if it's listed in smtpd_sender_login_maps and the
    SASL authenticated user is not listed as its owner.
    Users can still use any unlisted sender addresses.
    This feature is available in Postfix version 2.11 and later.
On 05.05.22 14:19, Wietse Venema wrote:
As for rejecting 'local' sender addresses on SMTP servers that do
not enable AUTH, would it be simpler to reject local sender addresses?
I was hoping that the easiest way to block local sender addresses from
anywhere would be to simply list them once in main.cf:

    smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_sender_login_mismatch
    smtpd_sender_login_maps = regexp:/etc/postfix/sender_login_maps.re

and put this into /etc/postfix/sender_login_maps.re:

    /^([^+]*)(\+.*)?@fantomas\.sk$/ $1

...so anyone can only send mail from their own address, optionally with
"+extension" when SASL authenticated as that user.
unfortunately, neither of those restrictions works if the SASL authentication
is not enabled, so I need to block them in a different way, which I find less
simple.
thank you both once more.
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
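
A small model of the four restrictions as the documentation text quoted in this message describes them, run against the regexp map above. This is an added example, not Postfix code or code from the thread; the login name uhlar and the example.org sender used to exercise it are constructed, and SASL logins are assumed to be bare user names.

```python
import re

# The single rule from /etc/postfix/sender_login_maps.re in this message.
# Postfix regexp: tables match case-insensitively by default.
RULES = [(re.compile(r"^([^+]*)(\+.*)?@fantomas\.sk$", re.I), r"\1")]

def owners(sender):
    """Return the owner logins for a MAIL FROM address, or None if unlisted."""
    for pattern, result in RULES:
        m = pattern.search(sender)
        if m:
            return [o.lower() for o in re.split(r"[,\s]+", m.expand(result)) if o]
    return None

def unauthenticated_mismatch(sender, login):
    # The address is listed, but the client is not SASL logged in.
    return login is None and owners(sender) is not None

def authenticated_mismatch(sender, login, allow_unknown=False):
    # The client is logged in, but the login does not own the address.
    if login is None:
        return False
    own = owners(sender)
    if own is None:
        return not allow_unknown  # unlisted sender passes only in the "known" variant
    return login.lower() not in own

def check(restriction, sender, login=None, sasl_enabled=True):
    """Return 'REJECT' or 'DUNNO' (no decision; the next restriction is tried)."""
    if not sasl_enabled:
        return "DUNNO"  # as noted in the message: no effect without SASL
    unauth = unauthenticated_mismatch(sender, login)
    rejected = {
        "reject_unauthenticated_sender_login_mismatch": unauth,
        "reject_authenticated_sender_login_mismatch":
            authenticated_mismatch(sender, login),
        "reject_sender_login_mismatch":
            unauth or authenticated_mismatch(sender, login),
        "reject_known_sender_login_mismatch":
            unauth or authenticated_mismatch(sender, login, allow_unknown=True),
    }[restriction]
    return "REJECT" if rejected else "DUNNO"
```

The case that separates the two restrictions discussed in the thread is an authenticated client using a sender outside fantomas.sk: `reject_sender_login_mismatch` rejects it, `reject_known_sender_login_mismatch` lets it through.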