Re: Question about reject_unauthenticated_sender_login_mismatch

From: mouss (mouss@ml.netoyen.net)
Date: Tue Jan 13 2009 - 14:40:07 CST


jeff_homeip wrote:
> --- In postfix@yahoogroups.com, Victor Duchovni <Victor.Duchovni...> wrote:
>[snip]
>>> Am I then correct in concluding that with:
>>>
>>> smtpd_sender_restrictions =
>>> permit_sasl_authenticated,
>>> reject_authenticated_sender_login_mismatch,
>>> reject
>> Observe that the order of the first two elements is not entirely
>> correct.
>>

I hope you didn't miss this.

In your restrictions, reject_authenticated_* is useless, because
authenticated transactions have already been permitted by permit_sasl_authenticated.

Or did you mean reject_UNauthenticated_*?

>
> thank you for confirming, and allowing my still-growing knowledge of postfix to confirm
> your answers. this will help quite a lot!
>

To sum up:

- if foo@example.com can only be used by user 'foo', then use
reject_sender_login_mismatch.

- if foo@example.com must be authenticated (but you don't care who the
user is), then use reject_unauthenticated_*.

- if foo@example.com can be used (without auth) OR (if auth'ed, the user
must be 'foo'), then use reject_authenticated_*.

<advanced> (skip if not confident...)
You can implement this on a per-sender basis using check_sender_access
with a map that returns one of the above depending on the sender.

For example:

smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/access_sender_login

== access_sender_login:
joe@example.com reject_sender_login_mismatch
jim@example.com reject_authenticated_sender_login_mismatch
jane@example.com reject_unauthenticated_sender_login_mismatch
foo@example.com DUNNO
example.com reject_sender_login_mismatch
</advanced>
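The decision logic mouss summarises, and the ordering problem with putting permit_sasl_authenticated ahead of reject_authenticated_sender_login_mismatch, as an added Python model. This is illustration written for this archive page, not code from the post or from Postfix: it follows the postconf(5) description of reject_sender_login_mismatch and its authenticated/unauthenticated variants (all three need smtpd_sender_login_maps to be configured, which the post does not show). The SENDER_LOGIN_MAPS table is a constructed example; the access map is the one from the post. Lookup order is simplified: the login map is tried as the full address then "@domain", the access map as the full address, the domain, then "user@"; address extensions and parent-domain matching are left out.

```python
"""Model of Postfix's *_sender_login_mismatch restrictions (added example)."""
from typing import Dict, List, Optional

# Constructed smtpd_sender_login_maps: sender address -> owning SASL login(s).
SENDER_LOGIN_MAPS: Dict[str, str] = {
    "joe@example.com": "joe",
    "jim@example.com": "jim",
    "jane@example.com": "jane",
    "foo@example.com": "foo",
    "@example.com": "postmaster",  # every other example.com address
}

# check_sender_access map from the post (access_sender_login): sender -> action.
ACCESS_SENDER_LOGIN: Dict[str, str] = {
    "joe@example.com": "reject_sender_login_mismatch",
    "jim@example.com": "reject_authenticated_sender_login_mismatch",
    "jane@example.com": "reject_unauthenticated_sender_login_mismatch",
    "foo@example.com": "DUNNO",
    "example.com": "reject_sender_login_mismatch",
}

# Which clients each restriction applies to.
RESTRICTION_VARIANTS = {
    "reject_sender_login_mismatch": "always",
    "reject_authenticated_sender_login_mismatch": "authenticated",
    "reject_unauthenticated_sender_login_mismatch": "unauthenticated",
}


def login_owners(sender: str) -> Optional[List[str]]:
    """Owners of a sender address per the login map, or None if unlisted."""
    user, _, domain = sender.lower().partition("@")
    for key in (f"{user}@{domain}", f"@{domain}"):
        if key in SENDER_LOGIN_MAPS:
            return [o.strip().lower() for o in SENDER_LOGIN_MAPS[key].split(",")]
    return None


def access_lookup(sender: str) -> Optional[str]:
    """check_sender_access result for a sender, or None when nothing matches."""
    user, _, domain = sender.lower().partition("@")
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in ACCESS_SENDER_LOGIN:
            return ACCESS_SENDER_LOGIN[key]
    return None


def sender_login_mismatch(sender: str, sasl_user: Optional[str],
                          variant: str = "always") -> str:
    """REJECT or DUNNO, as the three mismatch restrictions decide it."""
    if variant == "authenticated" and sasl_user is None:
        return "DUNNO"  # restriction only looks at logged-in clients
    if variant == "unauthenticated" and sasl_user is not None:
        return "DUNNO"  # restriction only looks at anonymous clients
    owners = login_owners(sender)
    if owners is None:
        # Unowned address: anonymous clients may use it, logged-in clients may not.
        return "REJECT" if sasl_user is not None else "DUNNO"
    if sasl_user is None:
        return "REJECT"  # owned address, but the client is not logged in
    return "DUNNO" if sasl_user.lower() in owners else "REJECT"


def evaluate(restrictions: List[str], sender: str, sasl_user: Optional[str]) -> str:
    """Walk a restriction list: the first OK or REJECT wins, DUNNO moves on.

    Returns DUNNO when the list is exhausted (Postfix then permits the sender).
    """
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            result = "OK" if sasl_user is not None else "DUNNO"
        elif name in ("reject", "REJECT"):
            result = "REJECT"
        elif name in ("permit", "OK"):
            result = "OK"
        elif name == "DUNNO":
            result = "DUNNO"
        elif name == "check_sender_access":
            # The map may return OK/REJECT/DUNNO or the name of another restriction.
            action = access_lookup(sender)
            result = "DUNNO" if action is None else evaluate([action], sender, sasl_user)
        elif name in RESTRICTION_VARIANTS:
            result = sender_login_mismatch(sender, sasl_user, RESTRICTION_VARIANTS[name])
        else:
            raise ValueError(f"unsupported restriction: {name}")
        if result != "DUNNO":
            return result
    return "DUNNO"


if __name__ == "__main__":
    # The ordering from the quoted thread: an authenticated 'jim' forging joe@ is permitted.
    wrong = ["permit_sasl_authenticated", "reject_authenticated_sender_login_mismatch", "reject"]
    fixed = ["reject_authenticated_sender_login_mismatch", "permit_sasl_authenticated", "reject"]
    print("wrong order:", evaluate(wrong, "joe@example.com", "jim"))
    print("fixed order:", evaluate(fixed, "joe@example.com", "jim"))
    for who in (None, "jane", "bob"):
        print("jane@ via access map, login", who, "->", evaluate(["check_sender_access"], "jane@example.com", who))
```

The two restriction lists in the main block are the point of Victor's remark: with permit_sasl_authenticated first, any SASL user may put any address in MAIL FROM, because the mismatch check is never reached; swapping the two lines makes the check bite. The check_sender_access calls reproduce the per-sender table, including the fall-through to the domain key example.com for addresses not listed individually.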