
Blocking a particular authenticated user

  • Julian Cowley
    Message 1 of 10, Sep 1, 2010
      Hello,

      I would like to block a particular user who is authenticated using
      SASL from sending mail. Is there a way to do this?

      I found one way to do it, but it is not perfect. I can block the
      email address of that user (the one they normally use) using
      smtpd_sender_login_maps. This doesn't prevent them from using another
      email address, however.

      smtpd_recipient_restrictions =
      ...
      reject_sender_login_mismatch
      ...

      smtpd_sender_login_maps = regexp:/path/sender_login_map

      sender_login_map:

      /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN

      The unmatchable string is because I want the entry to exist for that
      email address, but I don't want to list any string that could be
      matched as a SASL username.

      Is this the right approach or have I missed something entirely?
    • Patrick Ben Koetter
      Message 2 of 10, Sep 2, 2010
        * Julian Cowley <julian@...>:
        > Hello,
        >
        > I would like to block a particular user who is authenticated using
        > SASL from sending mail. Is there a way to do this?

        Where do you keep this user's credentials? Disable the auth account.

        > I found one way to do it, but it is not perfect. I can block the
        > email address of that user (the one they normally use) using
        > smtpd_sender_login_maps. This doesn't prevent them from using another
        > email address, however.
        >
        > smtpd_recipient_restrictions =
        > ...
        > reject_sender_login_mismatch
        > ...
        >
        > smtpd_sender_login_maps = regexp:/path/sender_login_map
        >
        > sender_login_map:
        >
        > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
        >
        > The unmatchable string is because I want the entry to exist for that
        > email address, but I don't want to list any string that could be
        > matched as a SASL username.
        >
        > Is this the right approach or have I missed something entirely?

        --
        All technical questions asked privately will be automatically answered on the
        list and archived for public access unless privacy is explicitly required and
        justified.

        saslfinger (debugging SMTP AUTH):
        <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
      • Stefan Seidel
        Message 3 of 10, Sep 2, 2010
          On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
          wrote:
          > Hello,
          >
          > I would like to block a particular user who is authenticated using
          > SASL from sending mail. Is there a way to do this?
          >
          > I found one way to do it, but it is not perfect. I can block the
          > email address of that user (the one they normally use) using
          > smtpd_sender_login_maps. This doesn't prevent them from using another
          > email address, however.
          >
          > smtpd_recipient_restrictions =
          Why would you use _recipient_ restrictions to block a _sender_?

          > ...
          > reject_sender_login_mismatch
          > ...
          >
          > smtpd_sender_login_maps = regexp:/path/sender_login_map
          >
          > sender_login_map:
          >
          > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
          >
          > Is this the right approach or have I missed something entirely?

          It is a good idea to use
          smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
          anyway, so why don't you try to introduce that, and then you can just not
          assign any sender address to this particular user, e.g.

          sender_login_maps = hash:/etc/postfix/sender_permissions

          sender_permissions:
          @... validuser1
          @... validuser2

          -> then "unwanteduser" will not be able to send from either domain,
          because its login name does not appear in any list of allowed accounts.

          Stefan
        • Bas Mevissen
          Message 4 of 10, Sep 2, 2010
            On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley
            <julian@...> wrote:
            > Hello,
            >
            > I would like to block a particular user who is authenticated using
            > SASL from sending mail. Is there a way to do this?
            >
            (...)

            > Is this the right approach or have I missed something entirely?

            It appears to me that you have a social problem (and not a technical
            one). So maybe seek your solution in that direction.

            Regards,

            --
            Bas
          • Julian Cowley
            Message 5 of 10, Sep 2, 2010
              On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
              > * Julian Cowley <julian@...>:
              > > Hello,
              > >
              > > I would like to block a particular user who is authenticated using
              > > SASL from sending mail. Is there a way to do this?
              >
              > Where do you keep this user's credentials? Disable the auth account.

              Yes thanks, that works. Unfortunately, on our system this also
              disables all other services for that user such as email reading and
              server logins. To fix this, I'd need to modify the authentication
              server outside of Postfix (namely Dovecot) to reject the user somehow.

              I was hoping that there was a way solely in Postfix that would allow
              me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
              rather than the authentication stage.

              At this point, I'll just reject the user's main email address using
              check_sender_access and REJECT, which is equivalent to all the crud
              I wrote up below and would allow me to customize the message.

              > > I found one way to do it, but it is not perfect. I can block the
              > > email address of that user (the one they normally use) using
              > > smtpd_sender_login_maps. This doesn't prevent them from using another
              > > email address, however.
              > >
              > > smtpd_recipient_restrictions =
              > > ...
              > > reject_sender_login_mismatch
              > > ...
              > >
              > > smtpd_sender_login_maps = regexp:/path/sender_login_map
              > >
              > > sender_login_map:
              > >
              > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
              > >
              > > The unmatchable string is because I want the entry to exist for that
              > > email address, but I don't want to list any string that could be
              > > matched as a SASL username.
              > >
              > > Is this the right approach or have I missed something entirely?
            • Patrick Ben Koetter
              Message 6 of 10, Sep 2, 2010
                * Julian Cowley <julian@...>:
                > On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
                > > * Julian Cowley <julian@...>:
                > > > Hello,
                > > >
                > > > I would like to block a particular user who is authenticated using
                > > > SASL from sending mail. Is there a way to do this?
                > >
                > > Where do you keep this user's credentials? Disable the auth account.
                >
                > Yes thanks, that works. Unfortunately, on our system this also
                > disables all other services for that user such as email reading and
                > server logins. To fix this, I'd need to modify the authentication
                > server outside of Postfix (namely Dovecot) to reject the user somehow.

                Add an additional condition if you use SQL or LDAP, something along the lines
                of "... AND active='TRUE'" to your query.


                > I was hoping that there was a way solely in Postfix that would allow
                > me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
                > rather than the authentication stage.

                Clients AUTH first and then they start a regular SMTP session. At least the
                ones I know...

                Why not disable AUTH in the person's client?

                p@rick


                > At this point, I'll just reject the user's main email address using
                > check_sender_access and REJECT, which is equivalent to all the crud
                > I wrote up below and would allow me to customize the message.
                >
                > > > I found one way to do it, but it is not perfect. I can block the
                > > > email address of that user (the one they normally use) using
                > > > smtpd_sender_login_maps. This doesn't prevent them from using another
                > > > email address, however.
                > > >
                > > > smtpd_recipient_restrictions =
                > > > ...
                > > > reject_sender_login_mismatch
                > > > ...
                > > >
                > > > smtpd_sender_login_maps = regexp:/path/sender_login_map
                > > >
                > > > sender_login_map:
                > > >
                > > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
                > > >
                > > > The unmatchable string is because I want the entry to exist for that
                > > > email address, but I don't want to list any string that could be
                > > > matched as a SASL username.
                > > >
                > > > Is this the right approach or have I missed something entirely?

                --
                All technical questions asked privately will be automatically answered on the
                list and archived for public access unless privacy is explicitly required and
                justified.

                saslfinger (debugging SMTP AUTH):
                <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
              • Julian Cowley
                Message 7 of 10, Sep 2, 2010
                  On Thu, 2 Sep 2010, Stefan Seidel wrote:

                  > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
                  > wrote:
                  > > Hello,
                  > >
                  > > I would like to block a particular user who is authenticated using
                  > > SASL from sending mail. Is there a way to do this?
                  > >
                  > > I found one way to do it, but it is not perfect. I can block the
                  > > email address of that user (the one they normally use) using
                  > > smtpd_sender_login_maps. This doesn't prevent them from using another
                  > > email address, however.
                  > >
                  > > smtpd_recipient_restrictions =
                  > Why would you use _recipient_ restrictions to block a _sender_?

                  Habit, mostly. If smtpd_delay_reject is true, which is the
                  default, then it doesn't really matter which list you put the
                  restrictions in. It's pretty common to put all of the restrictions
                  into smtpd_recipient_restrictions so that all of the restrictions
                  are in one list where they are easier to find.

                  > > ...
                  > > reject_sender_login_mismatch
                  > > ...
                  > >
                  > > smtpd_sender_login_maps = regexp:/path/sender_login_map
                  > >
                  > > sender_login_map:
                  > >
                  > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
                  > >
                  > > Is this the right approach or have I missed something entirely?
                  >
                  > It is a good idea to use
                  > smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
                  > anyway, so why don't you try to introduce that, and then you can just not
                  > assign any sender address to this particular user, e.g.
                  >
                  > sender_login_maps = hash:/etc/postfix/sender_permissions
                  >
                  > sender_permissions:
                  > @... validuser1
                  > @... validuser2

                  That certainly works, but not for my situation. All of my valid users
                  are under one domain (mostly), so it wouldn't scale to list all of the
                  users except one on the right-hand side.

                  > -> then "unwanteduser" will not be able to send from either domain,
                  > because its login name does not appear in any list of allowed accounts.

                  Seems like there ought to be an easier way, but I'm not sure Postfix has
                  it yet. For now I'm using a workaround.

                  > Stefan
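As an added example (not from the thread), the following Python models how Postfix evaluates reject_sender_login_mismatch and check_sender_access against the tables proposed in messages 1, 3 and 5, so the limitation Julian describes (the blocked login can still use another address under the first and third approaches) can be checked. The lookup order for indexed maps follows postconf(5); regexp maps, which match the whole address, are not modelled, and every login name and address is constructed.

```python
# Added example, not from the thread: models how Postfix evaluates
# reject_sender_login_mismatch and check_sender_access for the three
# approaches discussed (unmatchable owner, @domain allowlist, REJECT entry).
# Lookup order for indexed tables (user@domain, user, @domain) follows
# postconf(5); regexp tables match the whole address and are not modelled.
# Every login name and address below is constructed.

def lookup(table, sender):
    """Search a hash:-style table: user@domain, then user, then @domain."""
    local, _, domain = sender.partition("@")
    for key in (sender, local, "@" + domain):
        if key in table:
            return table[key]
    return None


def sender_login_mismatch(login_maps, sender, login):
    """True when reject_sender_login_mismatch rejects this MAIL FROM.
    login is the SASL login name, or None for an unauthenticated client."""
    owners = lookup(login_maps, sender)
    if login is None:
        # Unauthenticated client using an address that has an owner.
        return owners is not None
    # Authenticated client must be listed as an owner of the address.
    return owners is None or login not in owners


def check_sender_access(access_map, sender):
    """True when a check_sender_access lookup returns REJECT."""
    return lookup(access_map, sender) == "REJECT"


# Message 1: blocked address owned by an unmatchable string; the
# @example.com entry is a constructed stand-in for the site's other users.
UNMATCHABLE = {
    "user@example.com": {"unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN"},
    "@example.com": {"user", "alice", "bob"},
}
# Message 3: only the allowed logins own the domain; "user" is left out.
ALLOWLIST = {"@example.com": {"alice", "bob"}}
# Message 5: check_sender_access map rejecting the user's main address.
ACCESS = {"user@example.com": "REJECT"}

if __name__ == "__main__":
    for sender, login in [("user@example.com", "user"), ("other@example.com", "user"),
                          ("alice@example.com", "alice"), ("alice@example.com", None)]:
        print(f"{sender:20} login={login!s:6} "
              f"unmatchable={sender_login_mismatch(UNMATCHABLE, sender, login)} "
              f"allowlist={sender_login_mismatch(ALLOWLIST, sender, login)} "
              f"access={check_sender_access(ACCESS, sender)}")
```

Only the @domain allowlist rejects the blocked login from every example.com address; it also rejects unauthenticated clients that claim an owned address.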
                • mouss
                  Message 8 of 10, Sep 2, 2010
                    Le 02/09/2010 09:55, Stefan Seidel a écrit :
                    > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley<julian@...>
                    > wrote:
                    >> Hello,
                    >>
                    >> I would like to block a particular user who is authenticated using
                    >> SASL from sending mail. Is there a way to do this?
                    >>
                    >> I found one way to do it, but it is not perfect. I can block the
                    >> email address of that user (the one they normally use) using
                    >> smtpd_sender_login_maps. This doesn't prevent them from using another
                    >> email address, however.
                    >>
                    >> smtpd_recipient_restrictions =
                    > Why would you use _recipient_ restrictions to block a _sender_?
                    >

                    It is ok to do that. smtpd_mumble_restrictions correspond to stages, not
                    to input fields. Putting most of the checks under
                    smtpd_recipient_restrictions is a common approach, because you have an
                    ordered linear list. (I am assuming smtpd_delay_reject=yes).
                    [snip]
                  • Noel Jones
                    Message 9 of 10, Sep 2, 2010
                      On 9/2/2010 4:51 PM, mouss wrote:
                      > Le 02/09/2010 09:55, Stefan Seidel a écrit :
                      >> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian
                      >> Cowley<julian@...>
                      >>> smtpd_recipient_restrictions =
                      >> Why would you use _recipient_ restrictions to block a _sender_?
                      >>
                      >
                      > it is ok to do that. smtpd_mumble_restrictions correspond to
                      > stages, not to input fields. putting most of the checks under
                      > smtpd_recipient_restrictions is a common approach, because you
                      > have an ordered linear list. (I am assuming
                      > smtpd_delay_reject=yes).
                      > [snip]

                      Nitpick:

                      You don't need smtpd_delay_reject=yes to use sender checks
                      under smtpd_recipient_restrictions; the sender will always be
                      available at that time.

                      You do need smtpd_delay_reject=yes when you want to use
                      restrictions "out of order", i.e. use smtpd_sender_restrictions
                      for recipient checks.

                      And yes, it is common and acceptable practice to put all
                      restrictions under smtpd_recipient_restrictions.

                      -- Noel Jones
                    • Stan Hoeppner
                      Message 10 of 10, Sep 2, 2010
                        Noel Jones put forth on 9/2/2010 5:37 PM:

                        > And yes, it is common and acceptable practice to put all restrictions
                        > under smtpd_recipient_restrictions.

                        Not only common, but as I discovered the hard way, it's very difficult,
                        nearly impossible, to manage some whitelisting scenarios if you don't
                        put all restrictions under smtpd_recipient_restrictions. It's logically
                        and logistically very difficult to do this using the 4 separate
                        restrictions sections.

                        IIRC, many moons ago, Noel was the OP who guided me through that, and
                        was a big help. Thanks again Noel.

                        --
                        Stan