Re: Blocking a particular authenticated user

  • Patrick Ben Koetter
    Message 1 of 10, Sep 2, 2010
      * Julian Cowley <julian@...>:
      > Hello,
      >
      > I would like to block a particular user who is authenticated using
      > SASL from sending mail. Is there a way to do this?

      Where do you keep this user's credentials? Disable the auth account.

      > I found one way to do it, but it is not perfect. I can block the
      > the email address of that user (the one they normally use) using
      > smtpd_sender_login_maps. This doesn't prevent them from using another
      > email address, however.
      >
      > smtpd_recipient_restrictions =
      > ...
      > reject_sender_login_mismatch
      > ...
      >
      > smtpd_sender_login_maps = regexp:/path/sender_login_map
      >
      > sender_login_map:
      >
      > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
      >
      > The unmatchable string is because I want the entry to exist for that
      > email address, but I don't want to list any string that could be
      > matched as a SASL username.
      >
      > Is this the right approach or have I missed something entirely?

      --
      All technical questions asked privately will be automatically answered on the
      list and archived for public access unless privacy is explicitly required and
      justified.

      saslfinger (debugging SMTP AUTH):
      <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
    • Stefan Seidel
      Message 2 of 10, Sep 2, 2010
        On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
        wrote:
        > Hello,
        >
        > I would like to block a particular user who is authenticated using
        > SASL from sending mail. Is there a way to do this?
        >
        > I found one way to do it, but it is not perfect. I can block the
        > the email address of that user (the one they normally use) using
        > smtpd_sender_login_maps. This doesn't prevent them from using another
        > email address, however.
        >
        > smtpd_recipient_restrictions =
        Why would you use _recipient_ restrictions to block a _sender_?

        > ...
        > reject_sender_login_mismatch
        > ...
        >
        > smtpd_sender_login_maps = regexp:/path/sender_login_map
        >
        > sender_login_map:
        >
        > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
        >
        > Is this the right approach or have I missed something entirely?

        It is a good idea to use
        smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
        anyway, so why don't you try to introduce that, and then you can just not
        assign any sender address to this particular user, e.g.

        sender_login_maps = hash:/etc/postfix/sender_permissions

        sender_permissions:
        @... validuser1
        @... validuser2

        -> then "unwanteduser" will not be able to send from either domain,
        because its login name does not appear in any list of allowed accounts.

        Stefan
      • Bas Mevissen
        Message 3 of 10, Sep 2, 2010
          On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley
          <julian@...> wrote:
          > Hello,
          >
          > I would like to block a particular user who is authenticated using
          > SASL from sending mail. Is there a way to do this?
          >
          (...)

          > Is this the right approach or have I missed something entirely?

          It appears to me that you have a social problem (and not a technical
          one). So maybe seek your solution in that direction.

          Regards,

          --
          Bas
        • Julian Cowley
          Message 4 of 10, Sep 2, 2010
            On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
            > * Julian Cowley <julian@...>:
            > > Hello,
            > >
            > > I would like to block a particular user who is authenticated using
            > > SASL from sending mail. Is there a way to do this?
            >
            > Where do you keep this user's credentials? Disable the auth account.

            Yes thanks, that works. Unfortunately, on our system this also
            disables all other services for that user such as email reading and
            server logins. To fix this, I'd need to modify the authentication
            server outside of Postfix (namely Dovecot) to reject the user somehow.

            I was hoping that there was a way solely in Postfix that would allow
            me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
            rather than the authentication stage.

            At this point, I'll just reject the user's main email address using
            check_sender_access and REJECT, which is equivalent to all the crud
            I wrote up below and would allow me to customize the message.

            > > I found one way to do it, but it is not perfect. I can block the
            > > the email address of that user (the one they normally use) using
            > > smtpd_sender_login_maps. This doesn't prevent them from using another
            > > email address, however.
            > >
            > > smtpd_recipient_restrictions =
            > > ...
            > > reject_sender_login_mismatch
            > > ...
            > >
            > > smtpd_sender_login_maps = regexp:/path/sender_login_map
            > >
            > > sender_login_map:
            > >
            > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
            > >
            > > The unmatchable string is because I want the entry to exist for that
            > > email address, but I don't want to list any string that could be
            > > matched as a SASL username.
            > >
            > > Is this the right approach or have I missed something entirely?
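Added example (not code from any poster in this thread): a small Python model of the two mechanisms discussed, Stefan's per-domain owner lists in smtpd_sender_login_maps enforced by reject_sender_login_mismatch, and Julian's check_sender_access REJECT workaround. The decision rules follow the postconf(5) descriptions; the table contents, login names and REJECT text are constructed, and only the full-address and "@domain" keys of Postfix's lookup order are modeled.

```python
# Toy model of reject_sender_login_mismatch over smtpd_sender_login_maps and
# of check_sender_access with a REJECT entry.  Dicts stand in for hash: tables.

def lookup(table, address):
    """Postfix tries the full address first, then the bare '@domain' key
    (the other key forms of its lookup order are left out here)."""
    address = address.lower()
    if address in table:
        return table[address]
    domain = address.partition("@")[2]
    return table.get("@" + domain) if domain else None

def reject_sender_login_mismatch(sender_login_map, sasl_username, sender):
    """Return a rejection text, or None if MAIL FROM passes this check.
    Per postconf(5): an address with listed owners needs a login that is one
    of them, and an authenticated login may only use addresses it owns."""
    owners = lookup(sender_login_map, sender)
    if owners is None:
        if sasl_username:
            return "Sender address rejected: not owned by user " + sasl_username
        return None          # unowned address, no login: nothing to mismatch
    if not sasl_username:
        return "Sender address rejected: not logged in"
    if sasl_username.lower() not in owners.lower().split():
        return "Sender address rejected: not owned by user " + sasl_username
    return None

def check_sender_access(access_map, sasl_username, sender):
    """Julian's workaround: a REJECT entry for the user's usual address.
    Any optional text after REJECT becomes the reply, as in Postfix."""
    action = lookup(access_map, sender) or ""
    if action.upper().startswith("REJECT"):
        return "Sender address rejected: " + (action[6:].strip() or "Access denied")
    return None

def evaluate(restrictions, sasl_username, sender):
    """Walk an ordered restriction list the way smtpd_recipient_restrictions
    is evaluated: the first check that rejects wins, otherwise 'permit'."""
    for check, table in restrictions:
        verdict = check(table, sasl_username, sender)
        if verdict:
            return verdict
    return "permit"

# Constructed tables: Stefan's per-domain owner lists and a REJECT entry.
SENDER_LOGIN_MAP = {"@example.com": "validuser1 validuser2",
                    "@example.net": "validuser1"}
ACCESS_MAP = {"user@example.com": "REJECT this account may not send mail"}

if __name__ == "__main__":
    policy = [(check_sender_access, ACCESS_MAP), (reject_sender_login_mismatch, SENDER_LOGIN_MAP)]
    for login, mail_from in [("validuser1", "x@example.com"), ("unwanteduser", "x@example.com")]:
        print(login, mail_from, "->", evaluate(policy, login, mail_from))
```

The domain-wide owner list blocks "unwanteduser" from every address in the domain, while the REJECT entry only covers the one address listed, which is the limitation Julian describes.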
          • Patrick Ben Koetter
            Message 5 of 10, Sep 2, 2010
              * Julian Cowley <julian@...>:
              > On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
              > > * Julian Cowley <julian@...>:
              > > > Hello,
              > > >
              > > > I would like to block a particular user who is authenticated using
              > > > SASL from sending mail. Is there a way to do this?
              > >
              > > Where do you keep this user's credentials? Disable the auth account.
              >
              > Yes thanks, that works. Unfortunately, on our system this also
              > disables all other services for that user such as email reading and
              > server logins. To fix this, I'd need to modify the authentication
              > server outside of Postfix (namely Dovecot) to reject the user somehow.

              Add an additional condition if you use SQL or LDAP, something along the lines
              of "... AND active='TRUE'" to your query.


              > I was hoping that there was a way solely in Postfix that would allow
              > me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
              > rather than the authentication stage.

              Clients AUTH first and then they start a regular SMTP session. At least the
              ones I know...

              Why not disable AUTH in the person's client?

              p@rick


              > At this point, I'll just reject the user's main email address using
              > check_sender_access and REJECT, which is equivalent to all the crud
              > I wrote up below and would allow me to customize the message.
              >
              > > > I found one way to do it, but it is not perfect. I can block the
              > > > the email address of that user (the one they normally use) using
              > > > smtpd_sender_login_maps. This doesn't prevent them from using another
              > > > email address, however.
              > > >
              > > > smtpd_recipient_restrictions =
              > > > ...
              > > > reject_sender_login_mismatch
              > > > ...
              > > >
              > > > smtpd_sender_login_maps = regexp:/path/sender_login_map
              > > >
              > > > sender_login_map:
              > > >
              > > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
              > > >
              > > > The unmatchable string is because I want the entry to exist for that
              > > > email address, but I don't want to list any string that could be
              > > > matched as a SASL username.
              > > >
              > > > Is this the right approach or have I missed something entirely?

              --
              All technical questions asked privately will be automatically answered on the
              list and archived for public access unless privacy is explicitly required and
              justified.

              saslfinger (debugging SMTP AUTH):
              <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
            • Julian Cowley
              Message 6 of 10, Sep 2, 2010
                On Thu, 2 Sep 2010, Stefan Seidel wrote:

                > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
                > wrote:
                > > Hello,
                > >
                > > I would like to block a particular user who is authenticated using
                > > SASL from sending mail. Is there a way to do this?
                > >
                > > I found one way to do it, but it is not perfect. I can block the
                > > the email address of that user (the one they normally use) using
                > > smtpd_sender_login_maps. This doesn't prevent them from using another
                > > email address, however.
                > >
                > > smtpd_recipient_restrictions =
                > Why would you use _recipient_ restrictions to block a _sender_?

                Habit, mostly. If smtpd_delay_reject is true, which is the
                default, then it doesn't really matter which list you put the
                restrictions in. It's pretty common to put all of the restrictions
                into smtpd_recipient_restrictions so that all of the restrictions
                are in one list where they are easier to find.

                > > ...
                > > reject_sender_login_mismatch
                > > ...
                > >
                > > smtpd_sender_login_maps = regexp:/path/sender_login_map
                > >
                > > sender_login_map:
                > >
                > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
                > >
                > > Is this the right approach or have I missed something entirely?
                >
                > It is a good idea to use
                > smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
                > anyway, so why don't you try to introduce that, and then you can just not
                > assign any sender address to this particular user, e.g.
                >
                > sender_login_maps = hash:/etc/postfix/sender_permissions
                >
                > sender_permissions:
                > @... validuser1
                > @... validuser2

                That certainly works, but not for my situation. All of my valid users
                are under one domain (mostly), so it wouldn't scale to list all of the
                users except one on the right-hand side.

                > -> then "unwanteduser" will not be able to send from either domain,
                > because its login name does not appear in any list of allowed accounts.

                Seems like there ought to be an easier way, but I'm not sure Postfix has
                it yet. For now I'm using a workaround.

                > Stefan
              • mouss
                Message 7 of 10, Sep 2, 2010
                  On 02/09/2010 09:55, Stefan Seidel wrote:
                  > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley<julian@...>
                  > wrote:
                  >> Hello,
                  >>
                  >> I would like to block a particular user who is authenticated using
                  >> SASL from sending mail. Is there a way to do this?
                  >>
                  >> I found one way to do it, but it is not perfect. I can block the
                  >> the email address of that user (the one they normally use) using
                  >> smtpd_sender_login_maps. This doesn't prevent them from using another
                  >> email address, however.
                  >>
                  >> smtpd_recipient_restrictions =
                  > Why would you use _recipient_ restrictions to block a _sender_?
                  >

                  it is ok to do that. smtpd_mumble_restrictions correspond to stages, not
                  to input fields. putting most of the checks under
                  smtpd_recipient_restrictions is a common approach, because you have an
                  ordered linear list. (I am assuming smtpd_delay_reject=yes).
                  [snip]
                • Noel Jones
                  Message 8 of 10, Sep 2, 2010
                    On 9/2/2010 4:51 PM, mouss wrote:
                    > On 02/09/2010 09:55, Stefan Seidel wrote:
                    >> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian
                    >> Cowley<julian@...>
                    >>> smtpd_recipient_restrictions =
                    >> Why would you use _recipient_ restrictions to block a _sender_?
                    >>
                    >
                    > it is ok to do that. smtpd_mumble_restrictions correspond to
                    > stages, not to input fields. putting most of the checks under
                    > smtpd_recipient_restrictions is a common approach, because you
                    > have an ordered linear list. (I am assuming
                    > smtpd_delay_reject=yes).
                    > [snip]

                    Nitpick:

                    You don't need smtpd_delay_reject=yes to use sender checks
                    under smtpd_recipient_restrictions; the sender will always be
                    available at that time.

                    You do need smtpd_delay_reject=yes when you want to use
                    restrictions "out of order", i.e. use smtpd_sender_restrictions
                    for recipient checks.

                    And yes, it is common and acceptable practice to put all
                    restrictions under smtpd_recipient_restrictions.

                    -- Noel Jones
                  • Stan Hoeppner
                    Message 9 of 10, Sep 2, 2010
                      Noel Jones put forth on 9/2/2010 5:37 PM:

                      > And yes, it is common and acceptable practice to put all restrictions
                      > under smtpd_recipient_restrictions.

                      Not only common, but as I discovered the hard way, it's very difficult,
                      nearly impossible, to manage some white listing scenarios if you don't
                      put all restrictions under smtpd_recipient_restrictions. It's logically
                      and logistically very difficult to do this using the 4 separate
                      restrictions sections.

                      IIRC, many moons ago, Noel was the OP who guided me through that, and
                      was a big help. Thanks again Noel.

                      --
                      Stan