Re: Problem configuration: only auth user can send mail

From: Andrea Battaglia (battaglia@exentrica.it)
Date: Tue Jun 20 2006 - 03:22:45 CDT


Oh, well!

For our situation we want that. We have found a solution by binding Postfix
on a different port.

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=smtp-opec:[127.0.0.1]:10024

smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_client_restrictions=
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_application_name=smtpd
    -o smtpd_use_tls=yes
    -o transport_maps=
    -o content_filter=smtp-opec:[127.0.0.1]:10024
    -o mynetworks=192.168.20.0/24
    -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-aliases.cf
    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unknown_sender_domain,reject_unauth_destination

What do you think about it?

thx

andrea

On 6/19/06, Victor Duchovni <Victor.Duchovni@morganstanley.com> wrote:
>
> On Mon, Jun 19, 2006 at 08:00:01PM +0200, Andrea Battaglia wrote:
>
> > This solution permits any authenticated user to send mail, but also
> > permits the user in the envelope Mail From to differ from the
> > authenticated user.
> >
> > example:
> > I log in as andrea@example.com and I can send mail as
> > mirko@example.com.
> >
> > What can I do ?
>
> Not much, that problem has no general solution at this time, because there
> are many possible legitimate reasons for the envelope sender address to
> not match the From: header.
>
> At some point (~5 years from now), you may be able to use DKIM to guard
> against header "From:" forgery.
>
> Consider that when you send mail to this list, it comes back claiming to
> be From: you, but you are not the authenticated sender.
>
> Now you might argue that an MSA (ideally separate on port 587) should
> make this check, even when MTA cannot. This is more reasonable, so long
> as none of your users are really forwarding authenticated mail from an
> MTA.
>
> The code for this would have to look at "Sender:", failing that
> "Resent-From:" and finally "From:". The first of these that is present
> would need to match the envelope sender.
>
> No such code is built-in with Postfix. You need a pre-queue content filter
> (or with Postfix 2.3 perhaps a milter) for this.
>
> --
> Viktor.
>
> P.S. Morgan Stanley is looking for a New York City based, Senior Unix
> system/email administrator to architect and sustain the Unix email
> environment. If you are interested, please drop me a note.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>
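The quoted reply describes the check a pre-queue content filter or milter would have to carry out: look at "Sender:", failing that "Resent-From:", finally "From:", and require the first header present to match the envelope sender. The following is an added example written for this archive page, not code from Postfix or from either poster. It combines a simplified stand-in for what reject_sender_login_mismatch enforces (envelope MAIL FROM versus the SASL login; real Postfix consults smtpd_sender_login_maps for the set of addresses a login owns) with the header check from the reply. The function names, the verdict strings and the sample messages are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Header precedence from the quoted reply: the first of these that is
# present must match the envelope sender.
HEADER_PRIORITY = ("Sender", "Resent-From", "From")


def envelope_matches_login(envelope_sender, sasl_login):
    """Simplified stand-in for reject_sender_login_mismatch (hypothetical
    helper, not Postfix code): the envelope MAIL FROM must be the address
    the SASL login owns. Postfix itself looks the login up in
    smtpd_sender_login_maps, which may allow several addresses per login;
    here one login owns exactly its own address."""
    return envelope_sender.strip().lower() == sasl_login.strip().lower()


def header_sender_matches(envelope_sender, raw_message):
    """Header-vs-envelope check as described in the reply: Sender:, failing
    that Resent-From:, finally From:. Returns (ok, header_used, address);
    header_used is None when none of the three headers is present."""
    msg = email.message_from_bytes(raw_message)
    for name in HEADER_PRIORITY:
        value = msg.get(name)
        if value:
            _, addr = parseaddr(value)
            ok = addr.lower() == envelope_sender.strip().lower()
            return (ok, name, addr)
    return (False, None, "")


def evaluate_submission(sasl_login, envelope_sender, raw_message):
    """Verdict an MSA-side filter could return for one submission."""
    if not envelope_matches_login(envelope_sender, sasl_login):
        return "REJECT envelope sender %s not owned by login %s" % (
            envelope_sender, sasl_login)
    ok, header, addr = header_sender_matches(envelope_sender, raw_message)
    if header is None:
        return "REJECT no Sender/Resent-From/From header present"
    if not ok:
        return "REJECT %s header %s does not match envelope sender %s" % (
            header, addr, envelope_sender)
    return "ACCEPT"


# Constructed sample messages (not from the thread).
MSG_OK = (b"From: Andrea <andrea@example.com>\r\n"
          b"To: list@example.org\r\nSubject: ok\r\n\r\nhello\r\n")

# From: header forged to another local user, no Sender: override.
MSG_FORGED_FROM = (b"From: Mirko <mirko@example.com>\r\n"
                   b"To: list@example.org\r\nSubject: forged\r\n\r\nhello\r\n")

# The legitimate mismatch from the reply: list-style mail where From: is
# someone else but Sender: names the authenticated submitter.
MSG_SENDER_OVERRIDE = (b"Sender: andrea@example.com\r\n"
                       b"From: Mirko <mirko@example.com>\r\n"
                       b"To: list@example.org\r\nSubject: list\r\n\r\nhello\r\n")

if __name__ == "__main__":
    login = "andrea@example.com"
    print(evaluate_submission(login, "andrea@example.com", MSG_OK))
    print(evaluate_submission(login, "mirko@example.com", MSG_OK))
    print(evaluate_submission(login, "andrea@example.com", MSG_FORGED_FROM))
    print(evaluate_submission(login, "andrea@example.com", MSG_SENDER_OVERRIDE))
```

The third sample shows why the reply suggests this only for an MSA and not a general MTA: a "Sender:" header that names the authenticated user makes the differing "From:" acceptable, which is exactly the shape of list mail and forwarded mail, so applying the check to relayed traffic would reject legitimate messages.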