Re: How to enforce users send email with the real from address [SOLVED]

From: AlxFrag (alxfrag@gmail.com)
Date: Wed Jan 16 2008 - 05:50:58 CST


mouss wrote:
> AlxFrag wrote:
>> mouss wrote:
>>> AlxFrag wrote:
>>>> mouss wrote:
>>>>> AlxFrag wrote:
>>>>>> mouss wrote:
>>>>>>> AlxFrag wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'd like to ask if it is possible to enforce the limitation
>>>>>>>> described in the following example:
>>>>>>>>
>>>>>>>> one of my users logs in as myuser@mydomain. He can send emails
>>>>>>>> through my mail server using any "from address" he wants.
>>>>>>>> Can I force him to use only the "myuser@mydomain" as from
>>>>>>>> address in order to be able to send emails through my smtp server?
>>>>>>>
>>>>>>> you need to use authentication and:
>>>>>>>
>>>>>>> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>>>>>>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>>>>>> Thanks for your reply.
>>>>>>
>>>>>> In main.cf I've put:
>>>>>> *******************
>>>>>> smtpd_sender_restrictions=check_sender_access
>>>>>> hash:/etc/postfix/block_senders, hash:/etc/postfix/my_domains
>>>>>>
>>>>>> smtpd_sender_login_maps=ldap:/etc/postfix/local_recipients.cf
>>>>>>
>>>>>> smtpd_restriction_classes=verify_login
>>>>>>
>>>>>> verify_login=reject_sender_login_mismatch
>>>>>> *******************
>>>>>>
>>>>>> In my_domains:
>>>>>>
>>>>>> mydomain1 verify_login
>>>>>> mydomain2 verify_login
>>>>>>
>>>>>> Using this configuration, user1@mydomain1 cannot pretend he is
>>>>>> user2@mydomain1 or he is anyuser@mydomain1 or anyuser@mydomain2.
>>>>>>
>>>>>> The problem is that he can pretend he is anyuser@any_other_domain.
>>>>>
>>>>> Then why use the restriction class...
>>>>>
>>>>> smtpd_sender_login_maps = ldap:/etc/postfix/local_recipients.cf
>>>>> smtpd_sender_restrictions = reject_sender_login_mismatch
>>>>>
>>>> ok,
>>>>
>>>> I've now removed the restriction class and myuser@domain1 cannot
>>>> pretend he is anyuser@any_other_domain but,
>>>>
>>>> my users cannot receive emails from other domains.
>>>>
>>>> Postfix logs show:
>>>>
>>>> Jan 15 14:13:17 posidon postfix/smtpd[4765]: NOQUEUE: reject: RCPT
>>>> from foreign_domain[foreign_ip]: 553 5.7.1
>>>> <foreign_user@foreign_domain>: Sender address rejected: not logged
>>>> in; from=<foreign_user@foreign_domain> to=<myuser@mydomain>
>>>> proto=ESMTP helo=<foreign_domain]
>>>>
>>>
>>> you'll need to describe your setup and site policy more precisely.
>>> what should be allowed and what should be denied, from where and
>>> whom, to where...
>>>
>>> You can use
>>> reject_authenticated_sender_login_mismatch.
>>> to only check the sender login maps for authenticated users
>>>
>>> You can apply the reject_sender_login_mismatch if the client is in
>>> your networks (check_client_access)
>>>
>>> You can deny relay if the sender is not in your domain
>>> (check_sender_access).
>>>
>>> ... etc.
>>>
>>>
>> reject_authenticated_sender_login_mismatch seems to work now.
>
> but they can send with whatever address if they are not authenticated.
> so you should not enable relay without auth.
>
>>
>> The policy of the mail server is to relay authenticated users whose
>> "from address" is their real "from address" stored in the ldap backend.
>>
>> Thanks a lot!
>>
>> Alex
>>
>
I'm using cyrus-sasl
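The sender-login checks the thread settles on, as an added Python model (not Postfix source and not anything the posters wrote) of how Postfix decides reject_sender_login_mismatch versus reject_authenticated_sender_login_mismatch for each scenario discussed above. The map contents are constructed; because Postfix answers "not logged in" only when the sender-login map returns an owner for the address, the constructed map returns one for the foreign address so that the log line quoted above is reproduced.

```python
"""Model of Postfix's sender-login mismatch checks (added example, not Postfix code)."""

# Constructed stand-in for smtpd_sender_login_maps = ldap:/etc/postfix/local_recipients.cf
# key: MAIL FROM address (lower-cased); value: SASL login names that own it.
# The foreign entry reproduces the thread's log: Postfix only says "not logged in"
# when the map yields an owner, so the poster's LDAP query must have returned one.
SENDER_LOGIN_MAPS = {
    "user1@mydomain1": ["user1@mydomain1"],
    "user2@mydomain1": ["user2@mydomain1"],
    "sales@mydomain2": ["user1@mydomain1", "user2@mydomain1"],  # shared address, two owners
    "foreign_user@foreign_domain": ["postmaster@mydomain1"],     # constructed, see above
}

def sender_login_check(sender, sasl_username, variant="sender"):
    """variant: 'sender'          = reject_sender_login_mismatch
                'authenticated'   = reject_authenticated_sender_login_mismatch
                'unauthenticated' = reject_unauthenticated_sender_login_mismatch
    Returns (action, reason); DUNNO means this restriction makes no decision."""
    logged_in = sasl_username is not None
    if variant == "authenticated" and not logged_in:
        return "DUNNO", "variant only checks SASL-authenticated clients"
    if variant == "unauthenticated" and logged_in:
        return "DUNNO", "variant only checks unauthenticated clients"
    owners = [o.lower() for o in SENDER_LOGIN_MAPS.get(sender.lower(), [])]
    if not logged_in:
        if owners:  # the 553 5.7.1 rejection seen in the thread's log
            return "REJECT", f"<{sender}>: Sender address rejected: not logged in"
        return "DUNNO", "address has no owner and client is not logged in"
    if sasl_username.lower() in owners:  # model assumes a case-insensitive login match
        return "DUNNO", "login owns the sender address"
    return "REJECT", f"<{sender}>: Sender address rejected: not owned by user {sasl_username}"

def thread_scenarios(variant):
    """The situations discussed in the thread, as decided by one restriction variant."""
    cases = {
        "user1 sends as self": ("user1@mydomain1", "user1@mydomain1"),
        "user1 pretends to be user2": ("user2@mydomain1", "user1@mydomain1"),
        "user1 uses shared sales address": ("sales@mydomain2", "user1@mydomain1"),
        "user1 pretends to be outsider": ("anyuser@any_other_domain", "user1@mydomain1"),
        "inbound mail from foreign MTA": ("foreign_user@foreign_domain", None),
    }
    return {name: sender_login_check(s, u, variant)[0] for name, (s, u) in cases.items()}

if __name__ == "__main__":
    for variant in ("sender", "authenticated"):
        print(variant)
        for name, action in thread_scenarios(variant).items():
            print(f"  {action:6} {name}")
```

The authenticated-only variant clears the inbound rejection while still stopping a logged-in user from sending as anyone else, but it leaves unauthenticated clients unchecked, which is why mouss adds that relaying must still require authentication.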