Re: smtpd_sender_login_maps account matches all domains possible

From: mouss (usebsdfree.fr)
Date: Sat Sep 16 2006 - 13:05:50 CDT


Robert Schetterer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> mouss wrote:
>
>> Robert Schetterer wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi all,
>>> is it possible to have an entry in
>>> smtpd_sender_login_maps
>>> which matches all domains in, i.e., $relay_domains,
>>>
>>> like
>>>
>>> example.com exampleuser
>>> ** allmatcher
>>>
>>> ( I know this can't work, it's just for making clear what I want )
>>>
>>> without using mysql or ldap tables?
>>> I tried it with a pcre table but
>>> couldn't get it to run.
>>>
>>>
>> What problem are you trying to solve? In general, general questions
>> generally get general answers :)
>>
>> - you can subject your reject_*_mismatch to a check_sender_access.
>> - you can generate the map using a script
>> - as you said, you can use sql or ldap.
>> ...
>>
>>
>> --
>> This message has been checked for viruses and other dangerous content
>> and is - assuming up-to-date virus scanners - clean.
>>
>>
> hi mouss, I have a backup MX server for some domains.
> Some customers relay via sasl; this all works nicely (using
> smtpd_sender_login_maps).
> On the system we have a local account (used to log in via ssh).
> Now we wanted to use this system account (whose auth is done via sasl
> pam nicely) to deliver for all domains and sender addresses which are
> configured on the server.
> This is only for making life easier for us (2 ops), only having this
> backup MX server in our mail client and sending with different sender
> addresses (called identities in Thunderbird).
> After all it's not a big problem; including domains for this system user
> in the smtpd_sender_login_maps account works nicely, but I even thought of,
> if it's possible to match all domains with this system user, so we don't
> have to edit the map if something changes.
> We could also use another server or the original servers, but the backup MX
> still has all the right MX entries, and is all set up rightly, so it's nice to
> use it for that stuff.
> I can't solve it with pop-before-smtp because there is no pop server, and I
> don't want to install one on this machine.
> I think reject_*_mismatch to a check_sender_access will not work
> because this would match against IPs (am I right here?),

No. It's a check_SENDER_access, not a check_CLIENT_access. The sender is the
sender address when speaking SMTP :)

> but we want
> this solution if we are on the road with a dynamic IP and make auth via sasl.
> A script would be the right solution, but I even thought of something
> easier; if it can't be done with some easy table edits it doesn't matter.
> I only asked if somebody of the gurus has some magic voodoo edits which
> I never thought of.
>

The following is based on my understanding. If it doesn't match what you
want, provide precisions/corrections.

1- you want to enforce SASL for relay, and you want to reject "sender
forgeries" (a user authenticates correctly but uses the sender address of
someone else).

2- Each "normal" user has one login and one address.

3- N sender addresses of the form
    freebirddomain1.example, freebirddomain2.example, ...
send mail via SMTP and authenticate using a single login "freebird"
(which is a unix account, and auth is performed via pam).

The first thing is to have the restriction part right. Here is the
example I am considering.

smtpd_recipient_restrictions =
    ...
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    reject_unauth_destination
    ...

Note that reject_sender_login_mismatch requires more work because it
applies to all senders, not only to those who were successfully
authenticated.

Now, if the login of foodomain.example is 'foo', whatever the domain
is, then

smtpd_sender_login_maps = pcre:$dir/sender_login

== sender_login
/^(.*)/ $1

solves your problem (be that for freebird or for normal users).

If the relationship between the address and the login for normal users
is not as simple as above, then do

smtpd_sender_login_maps =
        pcre:$dir/freebird_login
        hash:$dir/sender_login

== freebird_login
/^(freebird)/ freebird

and put your other sender/login lines in the sender_login "as usual".

Here we do not care about the domain part, so the above applies to all
users who use SASL, but this should be enough. It doesn't apply to users
who do not authenticate, but those can't relay (they can send to your
local|virtual_mailbox|virtual_alias|relay domains, but everybody can!).
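To make the lookup-and-check mechanics above concrete, here is a small model of how Postfix evaluates smtpd_sender_login_maps and reject_authenticated_sender_login_mismatch against the two configurations in this mail. This is example code added to the thread, not Postfix source and not mouss's own code: it reimplements the pcre table semantics (first matching pattern wins, $1 filled from the capture group, case-insensitive by default) and the "search tables in order, stop at the first result" rule, then applies the mismatch decision for an authenticated client. The hash table entries (alice, bob), the sender addresses and the logins are constructed sample data, and the hash lookup is simplified to the full-address key only.

```python
import re

# Constructed tables mirroring the two configurations in the post
# (example code added here, not part of the original mail).

# pcre:$dir/sender_login from the first configuration: "/^(.*)/ $1"
PCRE_SENDER_LOGIN = [(r"^(.*)", "$1")]

# pcre:$dir/freebird_login from the second configuration: "/^(freebird)/ freebird"
PCRE_FREEBIRD_LOGIN = [(r"^(freebird)", "freebird")]

# hash:$dir/sender_login with the "as usual" one-address-one-login lines
# (constructed sample entries, assumption: logins are the local part)
HASH_SENDER_LOGIN = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}


def pcre_lookup(table, key):
    """First matching pattern wins; $1, $2, ... in the result are filled
    from the capture groups. Postfix pcre tables are case-insensitive by default."""
    for pattern, result in table:
        m = re.search(pattern, key, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), result)
    return None


def hash_lookup(table, key):
    """Simplification: only the full sender address is used as the key;
    the shorter keys Postfix also tries for indexed tables are not modelled."""
    return table.get(key.lower())


def sender_owners(maps, sender):
    """Search the tables in the configured order and stop at the first table
    that returns a result. A result may list several owner logins."""
    for kind, table in maps:
        found = pcre_lookup(table, sender) if kind == "pcre" else hash_lookup(table, sender)
        if found is not None:
            return [owner.lower() for owner in re.split(r"[\s,]+", found) if owner]
    return []


def authenticated_sender_login_check(maps, sasl_login, sender):
    """Model of reject_authenticated_sender_login_mismatch: it only applies to
    SASL-authenticated clients, and rejects unless the login is one of the
    owners that smtpd_sender_login_maps lists for the MAIL FROM address
    (an address with no owner is rejected too)."""
    if sasl_login is None:
        return "DUNNO"  # unauthenticated client: this restriction does not decide
    if sasl_login.lower() in sender_owners(maps, sender):
        return "OK"
    return "REJECT"


# The two smtpd_sender_login_maps settings from the post
MAPS_CATCH_ALL = [("pcre", PCRE_SENDER_LOGIN)]
MAPS_SPLIT = [("pcre", PCRE_FREEBIRD_LOGIN), ("hash", HASH_SENDER_LOGIN)]

if __name__ == "__main__":
    cases = [
        (MAPS_CATCH_ALL, "ops@freebirddomain1.example", "ops@freebirddomain1.example"),
        (MAPS_CATCH_ALL, "ops", "ops@freebirddomain1.example"),
        (MAPS_SPLIT, "freebird", "freebird@freebirddomain2.example"),
        (MAPS_SPLIT, "freebird", "alice@example.com"),
        (MAPS_SPLIT, "alice", "alice@example.com"),
        (MAPS_SPLIT, "bob", "mallory@example.net"),
        (MAPS_SPLIT, None, "alice@example.com"),
    ]
    for maps, login, sender in cases:
        verdict = authenticated_sender_login_check(maps, login, sender)
        print(f"login={login!s:<30} MAIL FROM:<{sender}> -> {verdict}")
```

Two things the model makes visible: with "/^(.*)/ $1" the owner returned for every address is the whole sender address, so an authenticated client passes only when its SASL login is that full address (login "ops" sending as ops@freebirddomain1.example is rejected); and "/^(freebird)/ freebird" is matched against the whole address, so any sender whose local part starts with "freebird" is handed to the freebird login, while every other address falls through to the hash table. Unauthenticated clients get DUNNO here and are then dealt with by reject_unauth_destination.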

PS. This doesn't reject users sending to your domains while forging their
sender address to match one of your domains. To implement this, you
would need reject_sender_login_mismatch, but then you can't use the pcre
maps shown above directly. Also, this breaks forwarding or mail sent
by your telecommuters using another ISP. But if you insist on this,
just ask...