Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
smtpd_sender_restrictions some help needed
3 views
Skip to first unread message
Per olof Ljungmark
Mar 17, 2013, 4:48:36 AM3/17/13
to
Hi all,
We've had a working configuration since a few years where we allow
authenticated users to relay mail even if the sender address does not
match a local user and the recipient is non-local.
Now this is about to change.
So, if the sender is *authenticated*:
- from local-user@local-domain to nonlocal@: allowed
- from nonlocal@ to local-user@local-domain: allowed obviously
- from nonlocal@ to nonlocal@: disallowed
Currently we have
smtpd_sender_restrictions =
hash:/usr/local/etc/postfix/access,
permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_sender_domain,
reject_unauth_destination
All local users are in a ldap table.
Can we use for example "check_sender_access"
and if the user is authenticated *and* the users email or alias matches
MAIL FROM in the ldap lookup give it an OK?
reject_sender_login_mismatch I guess is a possible candidate but then
the problem is MUA's where the user has several incoming accounts but
just one outgoing server configured and there are quite a few such.
I'm still wading through the Postfix docs trying to get a grip on it but
if someone already did it I would be very grateful for a piece of
information... have to admit it feels a bit tricky.
Thank you!
//per
--
BSDLabs AB
Registered in Solna, Sweden
We've had a working configuration since a few years where we allow
authenticated users to relay mail even if the sender address does not
match a local user and the recipient is non-local.
Now this is about to change.
So, if the sender is *authenticated*:
- from local-user@local-domain to nonlocal@: allowed
- from nonlocal@ to local-user@local-domain: allowed obviously
- from nonlocal@ to nonlocal@: disallowed
Currently we have
smtpd_sender_restrictions =
hash:/usr/local/etc/postfix/access,
permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_sender_domain,
reject_unauth_destination
All local users are in a ldap table.
Can we use for example "check_sender_access"
and if the user is authenticated *and* the users email or alias matches
MAIL FROM in the ldap lookup give it an OK?
reject_sender_login_mismatch I guess is a possible candidate but then
the problem is MUA's where the user has several incoming accounts but
just one outgoing server configured and there are quite a few such.
I'm still wading through the Postfix docs trying to get a grip on it but
if someone already did it I would be very grateful for a piece of
information... have to admit it feels a bit tricky.
Thank you!
//per
--
BSDLabs AB
Registered in Solna, Sweden
Ansgar Wiechers
Mar 17, 2013, 6:05:59 AM3/17/13
to
Enable submission (port 587) with authentication required, and remove
permit_sasl_authenticated from the smtpd instance on port 25. For the
submission port you could enable reject_sender_login_mismatch to
restrict senders to their own sender address. If you want them to be
able to use arbitrary addresses for mail sent to local recipients,
but disallow non-local sender addresses for outbound mail, you'll
probably have to use a policy service.
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
0 new messages