
Re: smtpd_sender_restrictions some help needed

  • Per olof Ljungmark
    Mar 18, 2013
      On 2013-03-18 17:55, Per olof Ljungmark wrote:
      > On 2013-03-18 12:07, Wietse Venema wrote:
      >> Per olof Ljungmark:
      >>>> I'd recommend separating authenticated from unauthenticated submission.
      >>>> Enable submission (port 587) with authentication required, and remove
      >>>> permit_sasl_authenticated from the smtpd instance on port 25. For the
      >>>> submission port you could enable reject_sender_login_mismatch to
      >>>> restrict senders to their own sender address. If you want them to be
      >>>> able to use arbitrary addresses for mail sent to local recipients,
      >>>> but disallow non-local sender addresses for outbound mail, you'll
      >>>> probably have to use a policy service.
      >>> Thank you for the tip. Then I have to figure out how to separate the two
      >>> rulesets which I yet did not discover in the docs.
      >>> Unfortunately we do have clients still using port 465 for sending so not
      >>> sure if it is even possible.
      >>> No other way to achieve this?
      >> Separate your mail streams:
      >> MTAs talk to port 25.
      >> MUAs talk to port 587 (465 if they are pre-historic).
      >> If that is not possible use DNS to separate the streams:
      >> MTAs use MX records. Use a separate IP address for MTA service.
      >> MUAs use A records. Use a separate IP address for MUA service.
      >> Or at least that's what is supposed to happen.
      >> Wietse
      > If we do not implement this case:
      > (authenticated client assumed)
      > - from nonlocal@ to local-user@local-domain
      > Would "reject_sender_login_mismatch" do the job together with
      > "smtpd_sender_login_maps"? Here we could match username with MAIL FROM:,
      > at least as I understood from a quick read, although it must suffice
      > that the domain part matches.

      "although it must suffice that the domain part matches."

      Forget that part, I was thinking backwards...

      > Then we just have to fix multi-account MUAs to use different logins for
      > different accounts.
      > This rule does not have any impact on non-authenticated clients also.
      > If this works I'm inclined to use this alternative instead.
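The configuration Wietse describes above (MTAs on port 25 with no SASL relay permission, MUAs on 587/465 with authentication required and `reject_sender_login_mismatch` backed by `smtpd_sender_login_maps`), written out as an added example that is not part of this thread or of the Postfix documentation. The domain `example.com`, the login names and the file path `/etc/postfix/sender_login_maps` are assumptions for illustration; `smtpd_relay_restrictions` assumes Postfix 2.10 or later.

```text
# ---- master.cf (constructed example) ----
# Port 25: MTA-to-MTA traffic only. No SASL, so permit_sasl_authenticated
# can never apply here; relaying is decided purely by main.cf below.
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no

# Port 587: MUA submission. Authentication is mandatory, and the sender
# address must be owned by the login that was used.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465: same policy for clients that still use SMTP-over-TLS wrapper mode.
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# ---- main.cf (constructed example) ----
# Applies to port 25 only, since the submission services override
# every relevant parameter above: relay for our own networks and for
# mail destined to our domains, nothing else.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = reject_unauth_destination

# ---- /etc/postfix/sender_login_maps (constructed example) ----
# key: MAIL FROM address (or @domain)   value: SASL login(s) that own it
# Run "postmap hash:/etc/postfix/sender_login_maps" after editing.
alice@example.com   alice
bob@example.com     bob
sales@example.com   alice, bob
```

With this in place an authenticated client logged in as `alice` may use `alice@example.com` or `sales@example.com` as envelope sender; `MAIL FROM:<nonlocal@elsewhere.example>` is rejected on 587/465 because the client is logged in but does not own that address according to the map, which covers the "nonlocal@ to local-user@" case from the message above. Port 25 never consults the map, so inbound MTA traffic is unaffected, and the multi-account MUA problem mentioned above remains: a client that authenticates as `alice` but sends as `bob@example.com` is rejected unless the map lists `alice` as an owner of that address.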