Re: Stopping domain spoofing

From: Alex Satrapa (alex.satrapaapf.edu.au)
Date: Thu Nov 17 2005 - 19:41:09 CST


On 18 Nov 2005, at 10:15, Sandy Drobic wrote:

> Monika Janek wrote:
>
>> ... What I would like is to have only people listed in
>> mynetworks be able to have my domain listed in the sender envelope
>> while
>> restricting everyone else. However, I do need to allow a few
>> exceptions
>> to clients ...
>
> So, what is in /etc/postfix/sender_access? Provided you don't use this
> file in other restrictions it should have an entry like
>
> your-domain.tld REJECT 554 Please don't claim to be your-domain.tld!
>
> If you reuse that file in other restrictions things might be a bit
> more tricky. (^-^)

What about using SASL authentication? Then you can have:

smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_unknown_recipient_domain
    reject_unauth_destination check_policy_service unix:private/spf

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unknown_sender_domain reject_unknown_recipient_domain
    reject_unauth_destination

I suspect I should have an extra reject on the end there somewhere.

The idea here is that anyone with an account in our SASL authentication
system can send mail to any destination from any email address they
choose - yes, it's open to abuse by authenticated users, but completely
traceable. Perhaps I should be a little pickier, and only allow sending
from a list of known addresses.

This system allows our roaming workers (myself included) to send mail
using one mail server for any account they have (one of ours, or even
an external email provider who doesn't yet use SPF and has no
authenticated SMTP servers).

Admittedly, setting up SASL is not for the faint of heart.

Alex
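Putting the two suggestions in the thread together (Sandy's sender_access REJECT entry and Alex's SASL permits), the following main.cf fragment is an added example, not configuration from either poster; example.com, 192.0.2.0/24, 198.51.100.7 and the table paths are placeholders. It also adds a sender-login check so that, unlike the setup Alex describes, an authenticated user can only send as addresses mapped to their own login.

```text
# main.cf (added example; names and paths are placeholders)
mynetworks = 127.0.0.0/8, 192.0.2.0/24

smtpd_sender_login_maps = hash:/etc/postfix/sender_login

smtpd_sender_restrictions =
    # SASL users may only use envelope senders owned by their login
    reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    # the few outside clients allowed to use our domain as sender;
    # OK here only ends smtpd_sender_restrictions, the recipient
    # restrictions (reject_unauth_destination) still apply
    check_client_access hash:/etc/postfix/client_exceptions,
    # everyone else may not claim to be us
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/sender_access  (then: postmap /etc/postfix/sender_access)
#   example.com      REJECT 554 Please don't claim to be example.com!
#
# /etc/postfix/client_exceptions  (postmap it as well)
#   198.51.100.7     OK
#
# /etc/postfix/sender_login  (login name that owns each sender address)
#   alex@example.com   alex
#   @example.com       postmaster
```

Keep sender_access out of any other restriction list, as Sandy notes, because a REJECT keyed on the bare domain would fire wherever that table is consulted.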