Re: How to enforce users send email with the real from address [SOLVED]

From: AlxFrag (alxfraggmail.com)
Date: Wed Jan 16 2008 - 03:25:57 CST


mouss wrote:
> AlxFrag wrote:
>> mouss wrote:
>>> AlxFrag wrote:
>>>> mouss wrote:
>>>>> AlxFrag wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'd like to ask if it is possible to enforce the limitation
>>>>>> described in the following example:
>>>>>>
>>>>>> one of my users logs in as myusermydomain. He can send emails
>>>>>> through my mail server using any "from address" he wants.
>>>>>> Can I force him to use only the "myusermydomain" as from address
>>>>>> in order to be able to send emails through my smtp server?
>>>>>
>>>>> you need to use authentication and:
>>>>>
>>>>> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>>>>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>>>> Thanks for your reply.
>>>>
>>>> In main.cf I've put:
>>>> *******************
>>>> smtpd_sender_restrictions=check_sender_access
>>>> hash:/etc/postfix/block_senders, hash:/etc/postfix/my_domains
>>>>
>>>> smtpd_sender_login_maps=ldap:/etc/postfix/local_recipients.cf
>>>>
>>>> smtpd_restriction_classes=verify_login
>>>>
>>>> verify_login=reject_sender_login_mismatch
>>>> *******************
>>>>
>>>> In my_domains:
>>>>
>>>> mydomain1 verify_login
>>>> mydomain2 verify_login
>>>>
>>>> Using this configuration, user1mydomain1 cannot pretend he is
>>>> user2mydomain1 or he is anyusermydomain1 or anyusermydomain2.
>>>>
>>>> The problem is that he can pretend he is anyuserany_other_domain.
>>>
>>> Then why use the restriction class...
>>>
>>> smtpd_sender_login_maps = ldap:/etc/postfix/local_recipients.cf
>>> smtpd_sender_restrictions = reject_sender_login_mismatch
>>>
>> ok,
>>
>> I've now removed the restriction class and myserdomain1 cannot
>> pretend he is anyuserany_other_domain but,
>>
>> my users cannot receive emails from other domains.
>>
>> Postfix logs show:
>>
>> Jan 15 14:13:17 posidon postfix/smtpd[4765]: NOQUEUE: reject: RCPT
>> from foreign_domain[foreign_ip]: 553 5.7.1
>> <foreign_userforeign_domain>: Sender address rejected: not logged
>> in; from=<foreign_userforeign_domain> to=<myusermydomain>
>> proto=ESMTP helo=<foreign_domain]
>>
>
> you'll need to describe your setup and site policy more precisely.
> what should be allowed and what should be denied, from where and
> whom, to where...
>
> You can use
> reject_authenticated_sender_login_mismatch.
> to only check the sender login maps for authenticated users
>
> You can apply the reject_sender_login_mismatch if the client is in
> your networks (check_client_access)
>
> You can deny relay if the sender is not in your domain
> (check_sender_access).
>
> ... etc.
>
>
reject_authenticated_sender_login_mismatch seems to work now.

The policy of the mail server is to relay authenticated users whose
"from address" is their real "from address" stored in the ldap backend.

Thanks a lot!

Alex
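
Added example, not part of the original thread and not Postfix code: a small Python model of the documented difference between reject_sender_login_mismatch and reject_authenticated_sender_login_mismatch, run over a few sessions like the ones discussed above. The login table, addresses and verdict strings are constructed, and lookups are simplified to an exact match on the full address.

```python
# Added illustration: models the documented behaviour of Postfix's
# sender/login mismatch restrictions. Not Postfix code.

# Constructed stand-in for smtpd_sender_login_maps: MAIL FROM address ->
# SASL login names allowed to use it (the thread uses an LDAP table).
SENDER_LOGIN_MAP = {
    "user1@mydomain1.example": "user1@mydomain1.example",
    "user2@mydomain1.example": "user2@mydomain1.example",
    "sales@mydomain1.example": "user1@mydomain1.example, user2@mydomain1.example",
}

def owners_of(sender):
    """Owners listed for a sender address (simplified: exact match only)."""
    raw = SENDER_LOGIN_MAP.get(sender.lower(), "")
    return {o.lower() for o in raw.replace(",", " ").split()}

def authenticated_check(sender, sasl_login):
    """reject_authenticated_sender_login_mismatch: only logged-in clients."""
    if sasl_login and sasl_login.lower() not in owners_of(sender):
        return "REJECT: not owned by user " + sasl_login
    return "DUNNO"

def unauthenticated_check(sender, sasl_login):
    """reject_unauthenticated_sender_login_mismatch: only anonymous clients."""
    if not sasl_login and owners_of(sender):
        return "REJECT: not logged in"
    return "DUNNO"

def full_check(sender, sasl_login):
    """reject_sender_login_mismatch: both of the checks above."""
    verdict = authenticated_check(sender, sasl_login)
    return verdict if verdict != "DUNNO" else unauthenticated_check(sender, sasl_login)

def evaluate(sessions):
    """Return (sender, login, authenticated-only verdict, full verdict) rows."""
    return [(s, l, authenticated_check(s, l), full_check(s, l)) for s, l in sessions]

# Constructed sessions: (MAIL FROM, SASL login or None for anonymous client).
SESSIONS = [
    ("user1@mydomain1.example", "user1@mydomain1.example"),  # own address
    ("user2@mydomain1.example", "user1@mydomain1.example"),  # colleague's address
    ("someone@elsewhere.example", "user1@mydomain1.example"),  # foreign address
    ("someone@elsewhere.example", None),  # inbound mail from outside
    ("user1@mydomain1.example", None),  # anonymous client using a local address
]

if __name__ == "__main__":
    for row in evaluate(SESSIONS):
        print(row)
```

The last session passes the authenticated-only check, so a policy that also wants to stop anonymous clients from using local sender addresses needs a separate restriction for them. Under the documented rule, an anonymous sender is rejected as "not logged in" only when the login table returns an owner for that address.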