Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Patrick Ben Koetter (pstate-of-mind.de)
Date: Tue Aug 18 2009 - 14:09:06 CDT
* Stephan A. Rickauer <stephan.rickauerstartek.ch>:
> i'd like to protect some internal accounts as described at
> Currently, I have the following setup:
> smtpd_recipient_restrictions =
> smtpd_restriction_classes = auth_only
> auth_only =
> where protected domain says:
> mymail.com auth_only
> Now the question: In the current setup, all SASL auth'ed users can send
> mail to my protected destinations. Now I want to add a layer, so that
> SASL auth'ed users must also send from a certain domain only.
> Or even better: SASL usernames must contain a certain domain.
Take a look at these options documented in postconf(5):
smtpd_sender_login_maps (default: empty)
Optional lookup table with the SASL login names that own sender (MAIL
Specify zero or more "type:table" lookup tables. With lookups from
indexed files such as DB or DBM, or from networked tables such as NIS,
LDAP or SQL, the following search operations are done with a sender
address of userdomain:
This table lookup is always done and has the highest precedence.
This table lookup is done only when the domain part of the
sender address matches $myorigin, $mydestination, $inet_inter‐
faces or $proxy_interfaces.
This table lookup is done last and has the lowest precedence.
In all cases the result of table lookup must be either "not found" or a
list of SASL login names separated by comma and/or whitespace.
Enforces the reject_sender_login_mismatch restriction for
authenticated clients only. This feature is available in Postfix
version 2.1 and later.
Reject the request when $smtpd_sender_login_maps specifies an
owner for the MAIL FROM address, but the client is not (SASL)
logged in as that MAIL FROM address owner; or when the client is
(SASL) logged in, but the client login name doesn't own the MAIL
FROM address according to $smtpd_sender_login_maps.
Enforces the reject_sender_login_mismatch restriction for unau‐
thenticated clients only. This feature is available in Postfix
version 2.1 and later.
> I've now played for hours without any luck. Any pointers in the right
> direction are really welcomed. Whenever I add another restriction class,
> it seems the first rule wins...
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
saslfinger (debugging SMTP AUTH):