domain owner
From: Gary C. New (garycnew@yahoo.com)
Date: Tue Mar 04 2008 - 14:46:40 CST

I am trying to secure our postfix server from forged
UCE that originates and is destined for a domain on the
same server. From my research, the best way to
accomplish this seems to be with SMTP Auth,
reject_sender_login_mismatch, and
smtpd_sender_login_maps. The current configuration
makes use of our LDAP server for virtual_maps and we
would prefer to do the same with the
smtpd_sender_login_maps.

While we are able to configure
reject_sender_login_mismatch and ldap based
smtpd_sender_login_maps on a basic per user@domain
level, we have a number of users who have multiple
sender addresses and domains that send email through a
primary SMTP Auth'ed sender address. The current
user@domain level mapping disables these users from
sending email messages outside of the primary sender
address.

The following is our current ldap based
smtpd_sender_login_maps:

ldaploginmaps_server_host = 127.0.0.1
ldaploginmaps_server_port = 389
ldaploginmaps_bind = yes
ldaploginmaps_bind_dn = uid=postfix,ou=admins,dc=test,dc=org
ldaploginmaps_bind_pw = ******
ldaploginmaps_timeout = 5
ldaploginmaps_search_base = dc=test,dc=org
ldaploginmaps_query_filter = (|(mailLocalAddress=%s)(mailAlias=%s))
ldaploginmaps_result_attribute = mailRoutingAddress, mailForwardingAddress
ldaploginmaps_lookup_wildcards = no

In the sample-smtpd.cf it shows the search order of
smtpd_sender_login_maps to be user@domain, user, and
@domain, respectively. While our users have several
different user addresses, they are quite commonly
under a single @domain. Would it be possible to
configure the ldap based smtpd_sender_login_maps to
match on the @domain level of the search order? How
might this be accomplished?

Is the @domain search part of the query_filter or the
result_attribute? Does the @domain require the "@"
symbol to be prepended to the domain (@test.org)? If
so, how might we prepend the "@" symbol to the
beginning of the domain (result_format = @%d)?

We essentially want to make sure a user is SMTP
Auth'ed before they are allowed to send a message from
any user or @domain on the server.

Thank you for your assistance.

Respectfully,

Gary
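
The search order asked about above, modeled as an added example that is not part of the original post and is not Postfix code: it follows the documented smtpd_sender_login_maps lookup (user@domain, then user for local domains, then @domain) and the reject_sender_login_mismatch decision. The table entries, logins and the LOCAL_DOMAINS set are constructed, and senders are assumed to be full user@domain addresses.

```python
# Added illustration: a model of the documented smtpd_sender_login_maps
# search order and reject_sender_login_mismatch, not Postfix source code.

# Stands in for $myorigin / $mydestination (assumption for this example).
LOCAL_DOMAINS = {"test.org"}

# Constructed table: lookup key -> SASL logins that own that key.
SENDER_LOGIN_MAP = {
    "gary@test.org": "gary",        # exact address, highest precedence
    "@test.org": "gary, alice",     # domain-level owners, lowest precedence
    "@example.net": "alice",
}


def sender_owners(sender, table=SENDER_LOGIN_MAP, local_domains=LOCAL_DOMAINS):
    """Return the set of logins owning a MAIL FROM address, or None.

    Keys are tried as user@domain, then user (local domains only),
    then @domain. The first key that is found decides the result.
    """
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain in local_domains:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            # Results are login names separated by commas and/or whitespace.
            return set(table[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login):
    """Return True when the MAIL FROM would be rejected."""
    owners = sender_owners(sender)
    if sasl_login is None:
        # Unauthenticated client: reject any sender that has an owner.
        return owners is not None
    # Authenticated client: reject unless this login owns the sender.
    return owners is None or sasl_login not in owners
```

Because the first matching key wins, the exact entry for gary@test.org overrides the @test.org entry, so alice is rejected for that one address even though she owns the rest of the domain.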