
Re: Blocking a particular authenticated user

  • Bas Mevissen
    Message 1 of 10, Sep 2, 2010
      On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley
      <julian@...> wrote:
      > Hello,
      >
      > I would like to block a particular user who is authenticated using
      > SASL from sending mail. Is there a way to do this?
      >
      (...)

      > Is this the right approach or have I missed something entirely?

      It appears to me that you have a social problem (and not a technical
      one). So maybe seek your solution in that direction.

      Regards,

      --
      Bas
    • Julian Cowley
      Message 2 of 10, Sep 2, 2010
        On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
        > * Julian Cowley <julian@...>:
        > > Hello,
        > >
        > > I would like to block a particular user who is authenticated using
        > > SASL from sending mail. Is there a way to do this?
        >
        > Where do you keep this user's credentials? Disable the auth account.

        Yes thanks, that works. Unfortunately, on our system this also
        disables all other services for that user such as email reading and
        server logins. To fix this, I'd need to modify the authentication
        server outside of Postfix (namely Dovecot) to reject the user somehow.

        I was hoping that there was a way solely in Postfix that would allow
        me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
        rather than the authentication stage.

        At this point, I'll just reject the user's main email address using
        check_sender_access and REJECT, which is equivalent to all the crud
        I wrote up below and would allow me to customize the message.

        > > I found one way to do it, but it is not perfect. I can block the
        > > email address of that user (the one they normally use) using
        > > smtpd_sender_login_maps. This doesn't prevent them from using another
        > > email address, however.
        > >
        > > smtpd_recipient_restrictions =
        > > ...
        > > reject_sender_login_mismatch
        > > ...
        > >
        > > smtpd_sender_login_maps = regexp:/path/sender_login_map
        > >
        > > sender_login_map:
        > >
        > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
        > >
        > > The unmatchable string is because I want the entry to exist for that
        > > email address, but I don't want to list any string that could be
        > > matched as a SASL username.
        > >
        > > Is this the right approach or have I missed something entirely?
      • Patrick Ben Koetter
        Message 3 of 10, Sep 2, 2010
          * Julian Cowley <julian@...>:
          > On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
          > > * Julian Cowley <julian@...>:
          > > > Hello,
          > > >
          > > > I would like to block a particular user who is authenticated using
          > > > SASL from sending mail. Is there a way to do this?
          > >
          > > Where do you keep this user's credentials? Disable the auth account.
          >
          > Yes thanks, that works. Unfortunately, on our system this also
          > disables all other services for that user such as email reading and
          > server logins. To fix this, I'd need to modify the authentication
          > server outside of Postfix (namely Dovecot) to reject the user somehow.

          Add an additional condition if you use SQL or LDAP, something along the lines
          of "... AND active='TRUE'" to your query.


          > I was hoping that there was a way solely in Postfix that would allow
          > me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
          > rather than the authentication stage.

          Clients AUTH first and then they start a regular SMTP session. At least the
          ones I know...

          Why not disable AUTH in the person's client?

          p@rick


          > At this point, I'll just reject the user's main email address using
          > check_sender_access and REJECT, which is equivalent to all the crud
          > I wrote up below and would allow me to customize the message.
          >
          > > > I found one way to do it, but it is not perfect. I can block the
          > > > email address of that user (the one they normally use) using
          > > > smtpd_sender_login_maps. This doesn't prevent them from using another
          > > > email address, however.
          > > >
          > > > smtpd_recipient_restrictions =
          > > > ...
          > > > reject_sender_login_mismatch
          > > > ...
          > > >
          > > > smtpd_sender_login_maps = regexp:/path/sender_login_map
          > > >
          > > > sender_login_map:
          > > >
          > > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
          > > >
          > > > The unmatchable string is because I want the entry to exist for that
          > > > email address, but I don't want to list any string that could be
          > > > matched as a SASL username.
          > > >
          > > > Is this the right approach or have I missed something entirely?

          --
          All technical questions asked privately will be automatically answered on the
          list and archived for public access unless privacy is explicitly required and
          justified.

          saslfinger (debugging SMTP AUTH):
          <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
        • Julian Cowley
          Message 4 of 10, Sep 2, 2010
            On Thu, 2 Sep 2010, Stefan Seidel wrote:

            > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <julian@...>
            > wrote:
            > > Hello,
            > >
            > > I would like to block a particular user who is authenticated using
            > > SASL from sending mail. Is there a way to do this?
            > >
            > > I found one way to do it, but it is not perfect. I can block the
            > > email address of that user (the one they normally use) using
            > > smtpd_sender_login_maps. This doesn't prevent them from using another
            > > email address, however.
            > >
            > > smtpd_recipient_restrictions =
            > Why would you use _recipient_ restrictions to block a _sender_?

            Habit, mostly. If smtpd_delay_reject is true, which is the
            default, then it doesn't really matter which list you put the
            restrictions in. It's pretty common to put all of the restrictions
            into smtpd_recipient_restrictions so that all of the restrictions
            are in one list where they are easier to find.

            > > ...
            > > reject_sender_login_mismatch
            > > ...
            > >
            > > smtpd_sender_login_maps = regexp:/path/sender_login_map
            > >
            > > sender_login_map:
            > >
            > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
            > >
            > > Is this the right approach or have I missed something entirely?
            >
            > It is a good idea to use
            > smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
            > anyway, so why don't you try to introduce that, and then you can just not
            > assign any sender address to this particular user, e.g.
            >
            > sender_login_maps = hash:/etc/postfix/sender_permissions
            >
            > sender_permissions:
            > @... validuser1
            > @... validuser2

            That certainly works, but not for my situation. All of my valid users
            are under one domain (mostly), so it wouldn't scale to list all of the
            users except one on the right-hand side.

            > -> then "unwanteduser" will not be able to send from either domain,
            > because its login name does not appear in any list of allowed accounts.

            Seems like there ought to be an easier way, but I'm not sure Postfix has
            it yet. For now I'm using a workaround.

            > Stefan
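The two mechanisms compared in the exchange above (the unmatchable-owner entry in smtpd_sender_login_maps, Stefan's per-domain owner lists, and the check_sender_access REJECT that Julian settles on) are easier to reason about when run side by side. The following is an added example, not Postfix code and not something any poster supplied: a small Python model of reject_sender_login_mismatch as the Postfix documentation describes it (a logged-in client must own the MAIL FROM address; an address that has an owner may not be used without logging in) and of an access(5) table with a REJECT action, evaluated as one ordered restriction list the way smtpd_recipient_restrictions is. The maps are constructed stand-ins for the elided ones in the thread, and lookups are reduced to exact keys (regexp:, hash: and parent-domain matching are not modelled).

```python
"""Added example: simplified model of reject_sender_login_mismatch and
check_sender_access evaluated as an ordered Postfix restriction list.
Not Postfix code; map lookups are reduced to exact-key matches."""
from dataclasses import dataclass
from typing import Callable, Optional

DUNNO, PERMIT, REJECT = "DUNNO", "PERMIT", "REJECT"


@dataclass
class Session:
    sasl_username: Optional[str]  # None when the client did not authenticate
    sender: str                   # MAIL FROM address


def split_address(address: str):
    local, _, domain = address.lower().rpartition("@")
    return local, domain


def lookup_owners(sender_login_maps: dict, sender: str):
    """Owner logins for a sender address: full address first, then @domain.
    Returns None when the address has no entry (simplified lookup order)."""
    local, domain = split_address(sender)
    for key in (f"{local}@{domain}", f"@{domain}"):
        if key in sender_login_maps:
            return [o.lower() for o in sender_login_maps[key].replace(",", " ").split()]
    return None


def reject_sender_login_mismatch(sender_login_maps: dict) -> Callable:
    """Model of the documented rule: a logged-in client must own the MAIL FROM
    address; an address that has an owner may not be used without logging in."""
    def restriction(session: Session):
        owners = lookup_owners(sender_login_maps, session.sender)
        if session.sasl_username is not None:
            if owners is None or session.sasl_username.lower() not in owners:
                return REJECT, (f"<{session.sender}>: Sender address rejected: "
                                f"not owned by user {session.sasl_username}")
            return DUNNO, ""
        if owners is not None:
            return REJECT, f"<{session.sender}>: Sender address rejected: not logged in"
        return DUNNO, ""
    return restriction


def check_sender_access(access_map: dict) -> Callable:
    """Model of an access(5) table: look up user@domain, then domain, then user@.
    A REJECT action returns its own text, which is what lets the message be customised."""
    def restriction(session: Session):
        local, domain = split_address(session.sender)
        for key in (f"{local}@{domain}", domain, f"{local}@"):
            action = access_map.get(key)
            if action is None:
                continue
            verb, _, text = action.partition(" ")
            if verb.upper() == "REJECT":
                return REJECT, text or f"<{session.sender}>: Sender address rejected"
            if verb.upper() == "OK":
                return PERMIT, ""
            return DUNNO, ""
        return DUNNO, ""
    return restriction


def evaluate(session: Session, restrictions: list) -> tuple:
    """Walk the list in order; the first PERMIT or REJECT decides, DUNNO falls
    through, and an exhausted list permits (Postfix's end-of-list default)."""
    for restriction in restrictions:
        result, text = restriction(session)
        if result != DUNNO:
            return result, text
    return PERMIT, "end of restriction list"


# Constructed maps standing in for the elided ones in the thread.
# Julian's approach: an entry whose owner no SASL login can ever match.
JULIAN_MAPS = {"user@example.com": "unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN"}
# Stefan's approach: per-domain owner lists that simply omit the unwanted login.
STEFAN_MAPS = {"@example.com": "validuser1, validuser2", "@example.net": "validuser1"}
# The fallback Julian settles on: check_sender_access with a custom REJECT text.
ACCESS_MAP = {"user@example.com": "REJECT This account may not send mail; contact postmaster"}

JULIAN_LIST = [reject_sender_login_mismatch(JULIAN_MAPS)]
STEFAN_LIST = [reject_sender_login_mismatch(STEFAN_MAPS)]
ACCESS_LIST = [check_sender_access(ACCESS_MAP), reject_sender_login_mismatch(STEFAN_MAPS)]

if __name__ == "__main__":
    for label, lst, sess in [
        ("julian, own address", JULIAN_LIST, Session("user", "user@example.com")),
        ("stefan, unwanted login", STEFAN_LIST, Session("unwanteduser", "anything@example.com")),
        ("stefan, valid login", STEFAN_LIST, Session("validuser2", "bob@example.com")),
        ("stefan, not logged in", STEFAN_LIST, Session(None, "bob@example.com")),
        ("access map, custom text", ACCESS_LIST, Session("user", "user@example.com")),
    ]:
        print(f"{label:28s} -> {evaluate(sess, lst)}")
```

Under the documented rule the model also rejects a logged-in client whose address has no entry at all, which is why Stefan's allow list blocks the unwanted login from both domains without ever naming it; the cost, as Julian notes, is that every permitted login has to be listed. The access-table entry sits first in the list so its REJECT text is what the client sees.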
          • mouss
            Message 5 of 10, Sep 2, 2010
              On 02/09/2010 09:55, Stefan Seidel wrote:
              > On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley<julian@...>
              > wrote:
              >> Hello,
              >>
              >> I would like to block a particular user who is authenticated using
              >> SASL from sending mail. Is there a way to do this?
              >>
              >> I found one way to do it, but it is not perfect. I can block the
              >> email address of that user (the one they normally use) using
              >> smtpd_sender_login_maps. This doesn't prevent them from using another
              >> email address, however.
              >>
              >> smtpd_recipient_restrictions =
              > Why would you use _recipient_ restrictions to block a _sender_?
              >

              it is ok to do that. smtpd_mumble_restrictions correspond to stages, not
              to input fields. putting most of the checks under
              smtpd_recipient_restrictions is a common approach, because you have an
              ordered linear list. (I am assuming smtpd_delay_reject=yes).
              [snip]
            • Noel Jones
              Message 6 of 10, Sep 2, 2010
                On 9/2/2010 4:51 PM, mouss wrote:
                > On 02/09/2010 09:55, Stefan Seidel wrote:
                >> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian
                >> Cowley<julian@...>
                >>> smtpd_recipient_restrictions =
                >> Why would you use _recipient_ restrictions to block a _sender_?
                >>
                >
                > it is ok to do that. smtpd_mumble_restrictions correspond to
                > stages, not to input fields. putting most of the checks under
                > smtpd_recipient_restrictions is a common approach, because you
                > have an ordered linear list. (I am assuming
                > smtpd_delay_reject=yes).
                > [snip]

                Nitpick:

                You don't need smtpd_delay_reject=yes to use sender checks
                under smtpd_recipient_restrictions; the sender will always be
                available at that time.

                You do need smtpd_delay_reject=yes when you want to use
                restrictions "out of order", ie. use smtpd_sender_restrictions
                for recipient checks.

                And yes, it is common and acceptable practice to put all
                restrictions under smtpd_recipient_restrictions.

                -- Noel Jones
              • Stan Hoeppner
                Message 7 of 10, Sep 2, 2010
                  Noel Jones put forth on 9/2/2010 5:37 PM:

                  > And yes, it is common and acceptable practice to put all restrictions
                  > under smtpd_recipient_restrictions.

                  Not only common, but as I discovered the hard way, it's very difficult,
                  nearly impossible, to manage some whitelisting scenarios if you don't
                  put all restrictions under smtpd_recipient_restrictions. It's logically
                  and logistically very difficult to do this using the 4 separate
                  restrictions sections.

                  IIRC, many moons ago, Noel was the OP who guided me through that, and
                  was a big help. Thanks again Noel.

                  --
                  Stan