smtpd_sender_restrictions some help needed


Per olof Ljungmark, Mar 17, 2013, 4:48:36 AM
Hi all,

We've had a working configuration for a few years where we allow
authenticated users to relay mail even if the sender address does not
match a local user and the recipient is non-local.

Now this is about to change.

So, if the sender is *authenticated*:

- from local-user@local-domain to nonlocal@: allowed
- from nonlocal@ to local-user@local-domain: allowed obviously
- from nonlocal@ to nonlocal@: disallowed

Currently we have

smtpd_sender_restrictions =
    hash:/usr/local/etc/postfix/access,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_sender_domain,
    reject_unauth_destination

All local users are in an LDAP table.

Can we use for example "check_sender_access"
and, if the user is authenticated *and* the user's email or alias matches
MAIL FROM in the LDAP lookup, give it an OK?

reject_sender_login_mismatch I guess is a possible candidate, but then
the problem is MUAs where the user has several incoming accounts but
just one outgoing server configured, and there are quite a few such.

I'm still wading through the Postfix docs trying to get a grip on it but
if someone already did it I would be very grateful for a piece of
information... have to admit it feels a bit tricky.

Thank you!

//per

--
BSDLabs AB
Registered in Solna, Sweden

Ansgar Wiechers, Mar 17, 2013, 6:05:59 AM
I'd recommend separating authenticated from unauthenticated submission.
Enable submission (port 587) with authentication required, and remove
permit_sasl_authenticated from the smtpd instance on port 25. For the
submission port you could enable reject_sender_login_mismatch to
restrict senders to their own sender address. If you want them to be
able to use arbitrary addresses for mail sent to local recipients,
but disallow non-local sender addresses for outbound mail, you'll
probably have to use a policy service.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
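A policy service along the lines Ansgar suggests, written here as an added example rather than code from the thread: it implements the question's three cases for authenticated clients and is meant to be hooked in with check_policy_service in smtpd_recipient_restrictions, since the recipient is only known at RCPT time and not in smtpd_sender_restrictions. It assumes a placeholder local-domain set and matches the sender by domain only, not the per-user LDAP alias check the question asks for.

```python
"""Postfix SMTPD policy service (policy delegation protocol) for the thread's rule:
an authenticated client may use a local sender address or send to a local
recipient, but not non-local -> non-local. Run from master.cf via spawn(8)."""
import sys

LOCAL_DOMAINS = {"example.org"}  # placeholder; in practice from the same LDAP table

def is_local(address):
    """True if the address's domain part is one of ours (case-insensitive)."""
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS

def parse_request(text):
    """Parse one request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the Postfix action for one request.
    DUNNO leaves the decision to the remaining restrictions (e.g.
    reject_unauth_destination); 'recipient' only exists from the RCPT stage on."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT" or not attrs.get("sasl_username"):
        return "DUNNO"
    if is_local(attrs.get("sender", "")) or is_local(attrs.get("recipient", "")):
        return "DUNNO"
    return "REJECT Authenticated relay needs a local sender or recipient"

def responses(lines):
    """Yield one reply per complete request found in an iterable of input lines."""
    pending = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line:
            pending.append(line)
            continue  # request not complete yet
        yield "action=%s\n\n" % decide(parse_request("\n".join(pending) + "\n"))
        pending = []

if __name__ == "__main__":
    for reply in responses(sys.stdin):
        sys.stdout.write(reply)
        sys.stdout.flush()  # Postfix waits for each answer before sending the next request
```

Unauthenticated sessions get DUNNO on purpose, so on port 25 reject_unauth_destination still does its job.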
