OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: combine permit_sasl_authenticated with check_sender_access

From: Patrick Ben Koetter (pstate-of-mind.de)
Date: Tue Aug 18 2009 - 14:09:06 CDT


* Stephan A. Rickauer <stephan.rickauerstartek.ch>:
> Hi,
>
> i'd like to protect some internal accounts as described at
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> Currently, I have the following setup:
>
> smtpd_recipient_restrictions =
> reject_unauth_pipelining
> permit_inet_interfaces
> permit_sasl_authenticated
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unauth_destination
> reject_invalid_hostname
> check_recipient_access
> hash:/usr/local/etc/postfix/protected_destinations
>
> smtpd_restriction_classes = auth_only
> auth_only =
> permit_sasl_authenticated
> reject
>
> where protected domain says:
> mymail.com auth_only
>
> Now the question: In the current setup, all SASL auth'ed users can send
> mail to my protected destinations. Now I want to add a layer, so that
> SASL auth'ed users must also send from a certain domain only.
>
> Or even better: SASL usernames must contain a certain domain.

Take a look at these options documented in postconf(5):

smtpd_sender_login_maps (default: empty)
       Optional lookup table with the SASL login names that own sender (MAIL
       FROM) addresses.

       Specify zero or more "type:table" lookup tables. With lookups from
       indexed files such as DB or DBM, or from networked tables such as NIS,
       LDAP or SQL, the following search operations are done with a sender
       address of userdomain:

       1) userdomain
              This table lookup is always done and has the highest precedence.

       2) user
              This table lookup is done only when the domain part of the
              sender address matches $myorigin, $mydestination, $inet_inter‐
              faces or $proxy_interfaces.

       3) domain
              This table lookup is done last and has the lowest precedence.

       In all cases the result of table lookup must be either "not found" or a
       list of SASL login names separated by comma and/or whitespace.

       ...

       reject_authenticated_sender_login_mismatch
              Enforces the reject_sender_login_mismatch restriction for
              authenticated clients only. This feature is available in Postfix
              version 2.1 and later.

       ...

       reject_sender_login_mismatch
              Reject the request when $smtpd_sender_login_maps specifies an
              owner for the MAIL FROM address, but the client is not (SASL)
              logged in as that MAIL FROM address owner; or when the client is
              (SASL) logged in, but the client login name doesn't own the MAIL
              FROM address according to $smtpd_sender_login_maps.

       reject_unauthenticated_sender_login_mismatch
              Enforces the reject_sender_login_mismatch restriction for unau‐
              thenticated clients only. This feature is available in Postfix
              version 2.1 and later.

>
> I've now played for hours without any luck. Any pointers in the right
> direction are really welcomed. Whenever I add another restriction class,
> it seems the first rule wins...
>
> Thanks,
> Stephan
>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>