From: Victor Duchovni (Victor.Duchovni@morganstanley.com)
Date: Tue Apr 01 2008 - 09:33:30 CDT
On Tue, Apr 01, 2008 at 07:07:21AM +0200, Patrick Ben Koetter wrote:
> * James Devine <fxmulder@gmail.com>:
> > Alright, I was able to get the multiple instances working and that seems to
> > work just fine. I am now trying to get each to authenticate via
> > sasl->pam->ldap. The authentication seems to work fine but I would like to
> > be able to lock down each instance to the realm it is dedicated to, for
> > example if domain1 is tied to instance1 and domain2 is tied to instance2 I
> > would like to ensure that someone on domain1 doesn't authenticate via
> > instance2. Does anyone know if there is a way to attach additional
> > information to the authentication request or alter it to remove any
> > realm information and attach my own?
>
> There's no way you can strip off or alter the realm. If the client sends a
> realm it will pass and will be used. Only if the realm would not be sent,
> Postfix might add $smtpd_sasl_local_domain.
One variant of the question is how to configure the SASL backend for a
given Postfix instance to only support users in a given realm. If
the instance cannot authenticate users in the "wrong" realm, the OP's
problem is solved.

Postfix itself has no support for filtering the user realm. With GSSAPI
(really Kerberos V under the hood) and cross-realm keys configured between
suitable KDCs, it is not unreasonable to be able to restrict which realms
are authorized to relay and which not (mere authentication does not
necessarily imply authorization). Perhaps some day there will be features
to make more fine-grained use of the SASL user/realm in Postfix.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
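
The backend-side restriction suggested in the reply above, sketched as an added example that is not part of the original message and is not Postfix or Cyrus SASL code: a realm gate the authentication backend for each instance could apply before checking the password. The function names, the instance-to-realm mapping and the sample logins are assumptions made for illustration.

```python
"""Added illustration: realm gate a SASL backend could apply per Postfix instance."""

# Hypothetical mapping of Postfix instance name -> the single realm it serves.
INSTANCE_REALM = {"instance1": "domain1", "instance2": "domain2"}


def split_login(login, local_domain=""):
    """Split an authentication identity into (user, realm).

    If the client sent no realm, fall back to local_domain, mirroring what
    the thread says Postfix may do with $smtpd_sasl_local_domain.
    Assumption: realms are DNS-style names, compared case-insensitively.
    """
    user, sep, realm = login.rpartition("@")
    if not sep:                      # no "@": client sent a bare user name
        user, realm = login, local_domain
    return user, realm.lower().rstrip(".")


def realm_allowed(instance, login, local_domain=""):
    """Return True only if the login's realm is the one tied to the instance.

    Meant to run before any password check, so a user from the wrong realm
    fails authentication on this instance regardless of credentials.
    """
    expected = INSTANCE_REALM.get(instance)
    user, realm = split_login(login, local_domain)
    if expected is None or not user or not realm:
        return False                 # unknown instance, empty user or realm: deny
    return realm == expected.lower()


if __name__ == "__main__":
    # Constructed sample logins, not taken from the thread.
    samples = [
        ("instance1", "alice@domain1", ""),
        ("instance2", "alice@domain1", ""),
        ("instance2", "bob", "domain2"),
        ("instance1", "bob", ""),
        ("instance1", "carol@DOMAIN1.", ""),
    ]
    for inst, login, local in samples:
        verdict = "accept" if realm_allowed(inst, login, local) else "reject"
        print(f"{inst:10} {login:18} -> {verdict}")
```

Denying when no realm can be determined keeps a bare user name from matching every instance; setting a per-instance local domain is what makes such logins resolvable.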