Re: Blocking a particular authenticated user

  • Stefan Seidel
    Message 1 of 10 , Sep 2, 2010
      On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
      wrote:
      > Hello,
      >
      > I would like to block a particular user who is authenticated using
      > SASL from sending mail. Is there a way to do this?
      >
      > I found one way to do it, but it is not perfect. I can block the
      > the email address of that user (the one they normally use) using
      > smtpd_sender_login_maps. This doesn't prevent them from using another
      > email address, however.
      >
      > smtpd_recipient_restrictions =
      Why would you use _recipient_ restrictions to block a _sender_?

      > ...
      > reject_sender_login_mismatch
      > ...
      >
      > smtpd_sender_login_maps = regexp:/path/sender_login_map
      >
      > sender_login_map:
      >
      > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
      >
      > Is this the right approach or have I missed something entirely?

      It is a good idea to use
      smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
      anyway, so why don't you try to introduce that, and then you can just not
      assign any sender address to this particular user, e.g.

      smtpd_sender_login_maps = hash:/etc/postfix/sender_permissions

      sender_permissions:
      @... validuser1
      @... validuser2

      -> then "unwanteduser" will not be able to send from either domain,
      because its login name does not appear in any list of allowed accounts.

      Stefan
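As an added example, not code from this thread or from Postfix, the following Python model reproduces the decision reject_sender_login_mismatch makes from smtpd_sender_login_maps and runs it over both table styles discussed above: Julian's single regexp entry with an unmatchable owner, and Stefan's per-domain allowlist. The lookup order (full address first, then the @domain key), the placeholder domains standing in for the elided "@..." entries, and the reject wording are assumptions of the model.

```python
"""Model of Postfix's reject_sender_login_mismatch decision.

Added example, not code from this thread or from Postfix. It follows the
documented rule: an authenticated client may only use a MAIL FROM address whose
smtpd_sender_login_maps entry lists its SASL login ("not owned by user"), and an
unauthenticated client may not use an address that has any owner ("not logged
in"). The lookup order (full address, then @domain) is an assumption of this
model; a regexp table is modelled as an ordered list of compiled patterns.
"""
import re
from typing import List, Optional, Tuple, Union

# One table entry: a literal key or a compiled regexp, and the owner list as it
# would appear on the right-hand side of the table.
Entry = Tuple[Union[str, "re.Pattern"], str]


def lookup_owners(table: List[Entry], sender: str) -> Optional[Tuple[str, ...]]:
    """Return the login names that own `sender`, or None when no entry matches."""
    _local, _at, domain = sender.rpartition("@")
    # Assumed lookup order: the full address first, then the @domain wildcard.
    for key in (sender.lower(), "@" + domain.lower()):
        for pattern, owners in table:
            if isinstance(pattern, str):
                matched = pattern.lower() == key
            else:
                matched = pattern.search(key) is not None
            if matched:
                # The right-hand side is a comma/whitespace separated login list.
                return tuple(o for o in re.split(r"[,\s]+", owners.strip()) if o)
    return None


def sender_login_mismatch(table: List[Entry], sender: str,
                          sasl_username: Optional[str]) -> Optional[str]:
    """Return None to allow, or the reject text the restriction would log."""
    owners = lookup_owners(table, sender)
    if sasl_username is not None:
        # Authenticated: the login must be among the owners. An address with no
        # entry at all is rejected too, so a real table has to list every
        # address legitimate users send from.
        if owners is None or sasl_username not in owners:
            return "<%s>: Sender address rejected: not owned by user %s" % (
                sender, sasl_username)
        return None
    if owners is not None:
        return "<%s>: Sender address rejected: not logged in" % sender
    return None  # unowned address, unauthenticated client: other restrictions decide


def is_blocked(table: List[Entry], sender: str, sasl_username: Optional[str]) -> bool:
    return sender_login_mismatch(table, sender, sasl_username) is not None


# Julian's table: one regexp entry whose "owner" can never equal a real login.
JULIAN_TABLE: List[Entry] = [
    (re.compile(r"^user@example\.com$"), "unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN"),
]

# Stefan's per-domain allowlist; the domains are constructed placeholders for
# the "@..." the archive elided.
STEFAN_TABLE: List[Entry] = [
    ("@example.com", "validuser1 validuser2"),
    ("@example.net", "validuser1"),
]


if __name__ == "__main__":
    cases = [
        (JULIAN_TABLE, "user@example.com", "user"),
        (JULIAN_TABLE, "user@example.com", None),
        (JULIAN_TABLE, "other@example.com", "user"),
        (STEFAN_TABLE, "anything@example.com", "unwantedu_ser"),
        (STEFAN_TABLE, "validuser1@example.net", "validuser1"),
    ]
    for table, sender, login in cases:
        print(sender, login, "->", sender_login_mismatch(table, sender, login) or "permit")
```

Running the cases shows why the allowlist style is the one that actually keys on the login: with STEFAN_TABLE, "unwanteduser" is refused from any address in either domain, while "validuser1" may send from both. The third JULIAN_TABLE case is worth noting when reading Julian's follow-ups: an authenticated client using an address that has no entry at all is also rejected, so a single-entry table is only a fragment of what such a map has to contain.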
    • Bas Mevissen
      Message 2 of 10 , Sep 2, 2010
        On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley
        <julian@...> wrote:
        > Hello,
        >
        > I would like to block a particular user who is authenticated using
        > SASL from sending mail. Is there a way to do this?
        >
        (...)

        > Is this the right approach or have I missed something entirely?

        It appears to me that you have a social problem (and not a technical
        one). So maybe seek your solution in that direction.

        Regards,

        --
        Bas
      • Julian Cowley
        Message 3 of 10 , Sep 2, 2010
          On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
          > * Julian Cowley <julian@...>:
          > > Hello,
          > >
          > > I would like to block a particular user who is authenticated using
          > > SASL from sending mail. Is there a way to do this?
          >
          > Where do you keep this users credentials? Disable the auth account.

          Yes thanks, that works. Unfortunately, on our system this also
          disables all other services for that user such as email reading and
          server logins. To fix this, I'd need to modify the authentication
          server outside of Postfix (namely Dovecot) to reject the user somehow.

          I was hoping that there was a way solely in Postfix that would allow
          me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
          rather than the authentication stage.

          At this point, I'll just reject the user's main email address using
          check_sender_access and REJECT, which is equivalent to all the crud
          I wrote up below and would allow me to customize the message.

          > > I found one way to do it, but it is not perfect. I can block the
          > > the email address of that user (the one they normally use) using
          > > smtpd_sender_login_maps. This doesn't prevent them from using another
          > > email address, however.
          > >
          > > smtpd_recipient_restrictions =
          > > ...
          > > reject_sender_login_mismatch
          > > ...
          > >
          > > smtpd_sender_login_maps = regexp:/path/sender_login_map
          > >
          > > sender_login_map:
          > >
          > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
          > >
          > > The unmatchable string is because I want the entry to exist for that
          > > email address, but I don't want to list any string that could be
          > > matched as a SASL username.
          > >
          > > Is this the right approach or have I missed something entirely?
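The MAIL FROM/RCPT TO stage hook Julian is asking for does exist in the Postfix of the time as a policy service: the check_policy_service restriction hands every request, including sasl_username for authenticated clients, to an external program and acts on its answer. Below is an added example of such a service in Python; it is not code from this thread or from Postfix, and the blocked login list, the reject text, the service name and the main.cf/master.cf wiring in its docstring are assumptions. (Postfix 2.11, released well after this thread, added the check_sasl_access restriction, which performs the same login-keyed lookup against an ordinary access table.)

```python
"""Postfix SMTPD policy service that rejects mail from a blocked SASL login.

Added example, not code from this thread or from Postfix. check_policy_service
sends one request per restriction evaluation as "name=value" lines ending in an
empty line and reads back a single "action=..." line followed by an empty line;
when the client has authenticated, the request carries sasl_username. Started
from a master.cf spawn entry, the script speaks the protocol on stdin/stdout.
The block list, the reject text and the service name are assumptions.

Assumed wiring (main.cf and master.cf; adjust paths to the local layout):

    smtpd_recipient_restrictions =
        permit_mynetworks,
        check_policy_service unix:private/sasl-policy,
        permit_sasl_authenticated,
        reject_unauth_destination

    sasl-policy unix - n n - - spawn
        user=nobody argv=/usr/bin/python3 /usr/local/sbin/sasl_policy.py
"""
import io
import sys
from typing import Dict, Iterable, TextIO

# Constructed block list: SASL logins (lower-cased) that may not send at all.
BLOCKED_LOGINS = frozenset({"unwanteduser"})
REJECT_TEXT = "554 5.7.1 Sending is disabled for this account; contact postmaster"


def parse_request(lines: Iterable[str]) -> Dict[str, str]:
    """Read one request: name=value lines up to the first empty line (or EOF)."""
    attrs: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # ignore malformed lines instead of failing the whole request
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Return the policy action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"  # not an access request: let Postfix carry on
    login = attrs.get("sasl_username", "")
    # Keyed on the login, not on MAIL FROM, so the user cannot sidestep the
    # block by choosing a different sender address.
    if login and login.lower() in BLOCKED_LOGINS:
        return "REJECT " + REJECT_TEXT
    return "DUNNO"  # no opinion: the next restriction in the list decides


def serve(stdin: TextIO, stdout: TextIO) -> int:
    """Answer requests until EOF; returns the number of requests handled."""
    handled = 0
    while True:
        attrs = parse_request(stdin)
        if not attrs:
            return handled  # EOF: Postfix closed the connection
        stdout.write("action=%s\n\n" % decide(attrs))
        stdout.flush()  # Postfix waits for the reply; buffering would stall it
        handled += 1


def handle_text(requests: str) -> str:
    """Feed raw request text through serve() and return the raw replies."""
    out = io.StringIO()
    serve(io.StringIO(requests), out)
    return out.getvalue()


# Constructed sample requests, in the shape Postfix sends at RCPT TO time.
SAMPLE_BLOCKED = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=somebody.else@example.org\nrecipient=victim@example.net\n"
    "sasl_method=PLAIN\nsasl_username=unwanteduser\n\n"
)
SAMPLE_ALLOWED = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=validuser1@example.com\nrecipient=friend@example.net\n"
    "sasl_method=PLAIN\nsasl_username=validuser1\n\n"
)

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

SAMPLE_BLOCKED is refused even though its MAIL FROM is an address the user does not normally use, which is the gap Julian found with a per-address map. Placing the restriction in smtpd_recipient_restrictions keeps it with the other checks, as the rest of this thread recommends; the flush after every reply matters because spawn(8) connects the program's stdout to the socket and Postfix reads the answer before sending the next request.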
        • Patrick Ben Koetter
          Message 4 of 10 , Sep 2, 2010
            * Julian Cowley <julian@...>:
            > On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
            > > * Julian Cowley <julian@...>:
            > > > Hello,
            > > >
            > > > I would like to block a particular user who is authenticated using
            > > > SASL from sending mail. Is there a way to do this?
            > >
            > > Where do you keep this users credentials? Disable the auth account.
            >
            > Yes thanks, that works. Unfortunately, on our system this also
            > disables all other services for that user such as email reading and
            > server logins. To fix this, I'd need to modify the authentication
            > server outside of Postfix (namely Dovecot) to reject the user somehow.

            Add an additional condition if you use SQL or LDAP, something along the lines
            of "... AND active='TRUE'" to your query.


            > I was hoping that there was a way solely in Postfix that would allow
            > me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
            > rather than the authentication stage.

            Clients AUTH first and then they start a regular SMTP session. At least the
            ones I know...

            Why not disable AUTH in the persons client?

            p@rick


            > At this point, I'll just reject the user's main email address using
            > check_sender_access and REJECT, which is equivalent to all the crud
            > I wrote up below and would allow me to customize the message.
            >
            > > > I found one way to do it, but it is not perfect. I can block the
            > > > the email address of that user (the one they normally use) using
            > > > smtpd_sender_login_maps. This doesn't prevent them from using another
            > > > email address, however.
            > > >
            > > > smtpd_recipient_restrictions =
            > > > ...
            > > > reject_sender_login_mismatch
            > > > ...
            > > >
            > > > smtpd_sender_login_maps = regexp:/path/sender_login_map
            > > >
            > > > sender_login_map:
            > > >
            > > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
            > > >
            > > > The unmatchable string is because I want the entry to exist for that
            > > > email address, but I don't want to list any string that could be
            > > > matched as a SASL username.
            > > >
            > > > Is this the right approach or have I missed something entirely?

            --
            All technical questions asked privately will be automatically answered on the
            list and archived for public access unless privacy is explicitly required and
            justified.

            saslfinger (debugging SMTP AUTH):
            <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
          • Julian Cowley
            Message 5 of 10 , Sep 2, 2010
              On Thu, 2 Sep 2010, Stefan Seidel wrote:

              > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
              > wrote:
              > > Hello,
              > >
              > > I would like to block a particular user who is authenticated using
              > > SASL from sending mail. Is there a way to do this?
              > >
              > > I found one way to do it, but it is not perfect. I can block the
              > > the email address of that user (the one they normally use) using
              > > smtpd_sender_login_maps. This doesn't prevent them from using another
              > > email address, however.
              > >
              > > smtpd_recipient_restrictions =
              > Why would you use _recipient_ restrictions to block a _sender_?

              Habit, mostly. If smtpd_delay_reject is true, which is the
              default, then it doesn't really matter which list you put the
              restrictions in. It's pretty common to put all of the restrictions
              into smtpd_recipient_restrictions so that all of the restrictions
              are in one list where they are easier to find.

              > > ...
              > > reject_sender_login_mismatch
              > > ...
              > >
              > > smtpd_sender_login_maps = regexp:/path/sender_login_map
              > >
              > > sender_login_map:
              > >
              > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
              > >
              > > Is this the right approach or have I missed something entirely?
              >
              > It is a good idea to use
              > smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
              > anyway, so why don't you try to introduce that, and then you can just not
              > assign any sender address to this particular user, e.g.
              >
              > smtpd_sender_login_maps = hash:/etc/postfix/sender_permissions
              >
              > sender_permissions:
              > @... validuser1
              > @... validuser2

              That certainly works, but not for my situation. All of my valid users
              are under one domain (mostly), so it wouldn't scale to list all of the
              users except one on the right-hand side.

              > -> then "unwanteduser" will not be able to send from either domain,
              > because its login name does not appear in any list of allowed accounts.

              Seems like there ought to be an easier way, but I'm not sure Postfix has
              it yet. For now I'm using a workaround.

              > Stefan
            • mouss
              Message 6 of 10 , Sep 2, 2010
                On 02/09/2010 09:55, Stefan Seidel wrote:
                > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley<julian@...>
                > wrote:
                >> Hello,
                >>
                >> I would like to block a particular user who is authenticated using
                >> SASL from sending mail. Is there a way to do this?
                >>
                >> I found one way to do it, but it is not perfect. I can block the
                >> the email address of that user (the one they normally use) using
                >> smtpd_sender_login_maps. This doesn't prevent them from using another
                >> email address, however.
                >>
                >> smtpd_recipient_restrictions =
                > Why would you use _recipient_ restrictions to block a _sender_?
                >

                it is ok to do that. smtpd_mumble_restrictions correspond to stages, not
                to input fields. putting most of the checks under
                smtpd_recipient_restrictions is a common approach, because you have an
                ordered linear list. (I am assuming smtpd_delay_reject=yes).
                [snip]
              • Noel Jones
                Message 7 of 10 , Sep 2, 2010
                  On 9/2/2010 4:51 PM, mouss wrote:
                  > Le 02/09/2010 09:55, Stefan Seidel a écrit :
                  >> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian
                  >> Cowley<julian@...>
                  >>> smtpd_recipient_restrictions =
                  >> Why would you use _recipient_ restrictions to block a _sender_?
                  >>
                  >
                  > it is ok to do that. smtpd_mumble_restrictions correspond to
                  > stages, not to input fields. putting most of the checks under
                  > smtpd_recipient_restrictions is a common approach, because you
                  > have an ordered linear list. (I am assuming
                  > smtpd_delay_reject=yes).
                  > [snip]

                  Nitpick:

                  You don't need smtpd_delay_reject=yes to use sender checks
                  under smtpd_recipient_restrictions; the sender will always be
                  available at that time.

                  You do need smtpd_delay_reject=yes when you want to use
                  restrictions "out of order", ie. use smtpd_sender_restrictions
                  for recipient checks.

                  And yes, it is common and acceptable practice to put all
                  restrictions under smtpd_recipient_restrictions.

                  -- Noel Jones
                • Stan Hoeppner
                  Message 8 of 10 , Sep 2, 2010
                    Noel Jones put forth on 9/2/2010 5:37 PM:

                    > And yes, it is common and acceptable practice to put all restrictions
                    > under smtpd_recipient_restrictions.

                    Not only common, but as I discovered the hard way, it's very difficult,
                    nearly impossible, to manage some white listing scenarios if you don't
                    put all restrictions under smtpd_recipient_restrictions. It's logically
                    and logistically very difficult to do this using the 4 separate
                    restrictions sections.

                    IIRC, many moons ago, Noel was the OP who guided me through that, and
                    was a big help. Thanks again Noel.

                    --
                    Stan