Re: Restriction class limitations

From: Wietse Venema (wietseporcupine.org)
Date: Thu May 01 2008 - 14:13:06 CDT


Glen Lee Edwards:
> > I would guess the problem is that your web server submits mail
> > using the 'sendmail' command rather than through SMTP.
> > Postfix smtpd_*_restrictions are only effective on mail
> > submitted via SMTP.
>
> Yes, that's correct. Is there a work around? I suppose I could change
> the ownership of the 'sendmail' command so the webserver can't use it
> and force everyone to use SMTP.

You don't have to change sendmail file permissions.

Instead, you can specify the "legitimate" senders with the main.cf
authorized_submit_users parameter.

        Wietse

authorized_submit_users (default: static:anyone)
       List of users who are authorized to submit mail with the sendmail(1)
       command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real
       UID of the process is looked up in the system password file, and access
       is granted only if the corresponding login name is on the access list.
       The username "unknown" is used for processes whose real UID is not
       found in the password file. To deny mail submission access to all users
       specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       Example:

       authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.
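
A simplified Python model of the matching rules in the manual text quoted above, added here as an example; it is not Postfix code and not part of the original message. It shows why pattern order matters for `!www, static:all`. The user name `glen` and the `hash:` table path are constructed, table lookups are stood in for by a dict, and `/file/name` expansion is left out.

```python
# Simplified model of authorized_submit_users matching as described in the
# manual text above. Not Postfix source; lookup tables other than static:
# are replaced by an in-memory dict (assumption), /file/name is not modelled.
import re


def split_patterns(value):
    """Split a parameter value on commas and/or whitespace."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def pattern_matches(pattern, login, tables):
    if pattern.startswith("static:"):
        return True                       # static: tables match every key
    if ":" in pattern:                    # other type:table, via stand-in dict
        return login in tables.get(pattern, ())
    return pattern == login               # plain user name


def is_authorized(login, value, tables=None):
    """True if `login` may run sendmail(1)/postdrop(1) under this value.

    `login` is the name for the process's real UID, or "unknown" when the
    UID has no password-file entry.
    """
    tables = tables or {}
    for pattern in split_patterns(value):
        negate = pattern.startswith("!")
        if pattern_matches(pattern[1:] if negate else pattern, login, tables):
            return not negate             # search stops on the first match
    return False                          # no match, or empty list: denied


if __name__ == "__main__":
    # Constructed sample table; the path is a placeholder, not from the page.
    tables = {"hash:/etc/postfix/submitters": {"glen"}}
    cases = [
        ("www", "!www, static:all"),      # web server account blocked
        ("glen", "!www, static:all"),     # everyone else still allowed
        ("www", "static:all, !www"),      # wrong order: static:all wins first
        ("unknown", "root, hash:/etc/postfix/submitters"),
        ("glen", ""),                     # empty list denies all users
    ]
    for login, value in cases:
        print(f"{login!r:10} {value!r:40} -> {is_authorized(login, value, tables)}")
```
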