Re: Restrictions on localhost

From: /dev/rob0 (rob0gmx.co.uk)
Date: Sun Feb 14 2010 - 06:28:25 CST


On Sat, Feb 13, 2010 at 11:36:22AM -0500, Alex wrote:
> I have a Linux server running an older version of postfix and
> webmail for users to send mail. Since localhost is trusted in
> $mynetworks, a connection from there can send mail to any
> recipient. Since squirrelmail connects directly to localhost,
> any mail that it sends is authorized.

Squirrelmail might not be connecting to localhost at all. The more
likely default is that it uses sendmail(1) submission. That is an
all-or-nothing proposition; sendmail either takes what a given user
(in this case, your Web server's process UID) gives it, or it takes
nothing at all. See:

http://www.postfix.org/postconf.5.html#authorized_submit_users
http://www.postfix.org/sendmail.1.html

> How can I add restrictions on localhost, despite it being
> authorized, from sending mail as certain users or to certain
> recipients?

It is probable that the eventual solution to whatever problem you
encountered will be found within Squirrelmail, off topic here.

You could force the use of SMTP, and force authentication, and use
restriction classes and smtpd_sender_login_maps. I do not know if
Squirrelmail is capable of per-user AUTH. The Postfix part of it is
documented:

http://www.postfix.org/SASL_README.html
http://www.postfix.org/RESTRICTION_CLASS_README.html
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
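
The approach suggested in the reply above, sketched as a Postfix configuration. This is an added example, not part of the original post. The Web server account name `www-data`, the map file paths, and the logins, addresses and domains are constructed assumptions, and the SASL backend setup described in SASL_README is not shown.

```conf
# /etc/postfix/main.cf

# Refuse sendmail(1) submission from the Web server's UID, so webmail
# has to use SMTP (account name www-data is an assumption).
authorized_submit_users = !www-data, static:all

# Offer SMTP AUTH and record which login owns which sender address.
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Restriction class: senders placed in it may reach local domains only.
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains, reject

# No permit_mynetworks here: a connection from localhost is not trusted
# merely because of its address. Off-site mail needs a successful AUTH.
smtpd_recipient_restrictions =
    reject_authenticated_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/sender_login   (constructed sample: address, then login)
alice@example.com       alice
bob@example.com         bob

# /etc/postfix/restricted_senders   (constructed sample)
bob@example.com         local_only

# /etc/postfix/local_domains   (constructed sample)
example.com             OK

# Rebuild each hash: map after editing it, for example
#   postmap /etc/postfix/sender_login
# and then run "postfix reload".
```

This only has an effect on webmail if Squirrelmail is set to deliver over SMTP and to authenticate as the logged-in user, which the reply above leaves as an open question.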