Re: reject_authenticated_sender_login_mismatch only for some logins

  • mouss
    Message 1 of 3 , Mar 17, 2010
      ram wrote:
      > I need to implement smtpd login maps on our postfix servers so as to
      > minimize the chances of a compromised client machine screwing our smtp
      > relay.

      auth is good, but it's not enough. A compromised client can
      authenticate. you still need rate limits and log parsing. and if so,
      authentication becomes secondary...

      >
      > But this cannot be done overnight. There are various clients who use
      > different envelope sender domains (for perfectly legitimate reasons) and
      > I cannot get a mapping for all such entries.
      >
      > How can I use reject_authenticated_sender_login_mismatch only for some
      > auth logins. Especially those who insist on using some junk mailserver
      > in their offices and cannot sufficiently secure their network
      >

      you can make it a result of a check_access_*.

      but you'd better provide two different access types. a "strict" one and
      an "old" one. then encourage users to move to the strict one (with
      incentives...).

      >
      > So I want to say
      > if(sasl authenticated) {
      > if(suspect client login) {
      > reject_authenticated_sender_login_mismatch
      > } else {
      > allow sender_login_mismatch
      > }
      > }
      >
      >
      > Thanks
      > Ram
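One way to make `reject_authenticated_sender_login_mismatch` the result of an access lookup, as suggested in the reply above. This is an added example, not configuration from the thread. It assumes Postfix 2.11 or later for `check_sasl_access`, and the file paths, login names and addresses are constructed placeholders.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Which SASL login owns which envelope sender address.
# Only needs entries for the logins placed under the strict policy.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

smtpd_sender_restrictions =
    # Look up the SASL login name. Logins listed in strict_logins get
    # reject_authenticated_sender_login_mismatch as the lookup result;
    # logins not listed fall through to the next restriction, so their
    # sender/login mismatches are still allowed ("old" behaviour).
    check_sasl_access hash:/etc/postfix/strict_logins

# ---- /etc/postfix/strict_logins ----
# key = SASL login name (constructed examples)
# value = restriction to apply to that login
branch-office-relay    reject_authenticated_sender_login_mismatch
legacy-mailserver      reject_authenticated_sender_login_mismatch

# ---- /etc/postfix/sender_login_maps ----
# key = envelope sender (user@domain or @domain)
# value = SASL login(s) allowed to use it (constructed examples)
@branch.example.com        branch-office-relay
billing@example.com        legacy-mailserver
reports@example.com        legacy-mailserver

# After editing either table, rebuild the indexed files and reload:
#   postmap /etc/postfix/strict_logins
#   postmap /etc/postfix/sender_login_maps
#   postfix reload
```

Moving a client from the "old" policy to the "strict" one then only takes adding its login to `strict_logins` and its sender addresses to `sender_login_maps`.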