Re: 553 5.7.1 Sender address rejected: not logged in

From: Stefan Förster (citeincertum.net)
Date: Fri May 16 2008 - 06:32:14 CDT


Hello mouss,

* mouss <moussnetoyen.net> wrote:
> AlxFrag wrote:
>>
>> All I want to do is to relay emails from users that are SASL
>> authenticated.
>>
>> It is also desired to relay emails from users with the correct "from
>> address".
>>
>> With the current configuration when a user tries to send an email
>> using a different username than he has used to log in, he gets the error:
>>
>> Failed to add recipient: testmydomain [SMTP: Invalid response code
>> received from server (code: 553, response: 5.7.1 <test1mydomain>:
>> Sender address rejected: not owned by user test)]
>>
>> The problem appears when a user has activated a forwarding mechanism
>> to a different mail server and forwarded messages are sent to my server.
>
> Enforcing authentication breaks forwarding ;-p
> There is nothing you can do about this except reject the forwarded mail
> or accept non authenticated mail...
>
> suppose user A sends mail to an external account which forwards to user
> B (both A and B are in your domains). then your server will get mail
> with A as sender from an external MTA (which won't auth because). and
> the problem is related to B setup, so you can't just exclude A from your
> sender login maps.
>
> you can however accept unauthenticated mail from a list of MTAs, but
> that may be a lot of work...
>
>>
>> I don't know if it is possible with postfix to:
>>
>> 1) Relay emails only from sasl authenticated users,
>> 2) force the users to use their real username for sending emails,
>> 3) accept forwarded messages from other mail servers.

I may be a bit off here, but if your Postfix version is recent enough,
you could try:

,----[ man 5 postconf | less +/reject_authenticated_sender_login_mismatch ]
| reject_authenticated_sender_login_mismatch
| Enforces the reject_sender_login_mismatch restriction
| for authenticated clients only. This feature is
| available in Postfix version 2.1 and later.
`----

This way, SASL authenticated users would still have to use "their"
email address (given that reject_authenticated_sender_login_mismatch
is placed _before_ permit_sasl_authenticated). If you set mynetworks
and configure the destinations Postfix is responsible for, you could
still force your users to do SASL and use the right sender address,
but bounces could be delivered...

Ciao
Stefan
--
Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
FdI #247: Trace - Cheap serialized novel. (Manfred Worm Schäfer)
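As an added example (not part of the thread and not from the Postfix project), here is a main.cf fragment that puts the suggestion above into practice: reject_authenticated_sender_login_mismatch is listed before permit_sasl_authenticated so that SASL users must use the sender address mapped to their login, while unauthenticated external MTAs (the forwarding case) are never subjected to the login check and can still deliver to the domains listed in mydestination. The domain, network range and login-map path are placeholders.

```conf
# Added example, not the original poster's configuration.
# Placeholder values: mydomain.example, 192.0.2.0/24, the map path.

smtpd_sasl_auth_enable = yes
mydestination = $myhostname, localhost, mydomain.example
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Maps an envelope sender to the SASL login(s) allowed to use it.
# Contents of /etc/postfix/sender_login_maps (run "postmap" on it):
#   test@mydomain.example    test
#   test1@mydomain.example   test1
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

smtpd_recipient_restrictions =
    # 1) an authenticated client using a sender it does not own -> 553 5.7.1
    reject_authenticated_sender_login_mismatch,
    # 2) trusted networks may relay
    permit_mynetworks,
    # 3) authenticated clients (sender already verified above) may relay
    permit_sasl_authenticated,
    # 4) everyone else, e.g. an external MTA forwarding mail from user A,
    #    may only deliver to local/relay domains, never relay outward
    reject_unauth_destination
```

Order matters: if permit_sasl_authenticated came first, the mismatch check would never be reached for logged-in users. After editing, run `postmap /etc/postfix/sender_login_maps`, `postconf -n` to confirm the effective settings, and reload Postfix; a quick SMTP session authenticated as "test" with MAIL FROM test1@mydomain.example should now produce the same 553 5.7.1 "not owned by user" response quoted earlier, while an unauthenticated session from outside mynetworks can still deliver to a mydomain.example recipient. On Postfix 2.10 and later the relay decision can be moved into smtpd_relay_restrictions, but the ordering point is the same.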