Loading ...
Sorry, an error occurred while loading the content.

reject empty sender address for authenticated users

Expand Messages
  • Piotr Rotter
    Hello, Can I set postfix to reject empty sender address for authenticated users. I want to disallow this: 235 2.7.0 Authentication successful MAIL FROM: 250
    Message 1 of 9 , Feb 25, 2013
    • 0 Attachment
      Hello,

      Can I set postfix to reject empty sender address for authenticated users.

      I want to disallow this:

      235 2.7.0 Authentication successful
      MAIL FROM: <>
      250 2.1.0 Ok
    • Wietse Venema
      ... What problem are you trying to solve? If it is an infected PC, I suggest a combination of content filtering and rate limiting, instead of relying on ad-hoc
      Message 2 of 9 , Feb 25, 2013
      • 0 Attachment
        Piotr Rotter:
        > Hello,
        >
        > Can I set postfix to reject empty sender address for authenticated users.
        >
        > I want to disallow this:
        >
        > 235 2.7.0 Authentication successful
        > MAIL FROM: <>
        > 250 2.1.0 Ok

        What problem are you trying to solve? If it is an infected PC, I
        suggest a combination of content filtering and rate limiting, instead
        of relying on ad-hoc syntax tricks.

        Wietse
      • Piotr Rotter
        ... Thank you for fast answer, I want to disallow this because is rarely (probably poor mail clients) and make more difficult to automatic parsing amavis logs
        Message 3 of 9 , Feb 25, 2013
        • 0 Attachment
          W dniu 26.02.2013 01:56, Wietse Venema pisze:
          > Piotr Rotter:
          >> Hello,
          >>
          >> Can I set postfix to reject empty sender address for authenticated users.
          >>
          >> I want to disallow this:
          >>
          >> 235 2.7.0 Authentication successful
          >> MAIL FROM: <>
          >> 250 2.1.0 Ok
          >
          > What problem are you trying to solve? If it is an infected PC, I
          > suggest a combination of content filtering and rate limiting, instead
          > of relying on ad-hoc syntax tricks.
          >
          > Wietse
          >

          Thank you for fast answer,

          I want to disallow this because is rarely (probably poor mail clients)
          and make more difficult to automatic parsing amavis logs like this

          2013-02-25T04:29:47+01:00 kurier4 amavis[20204]: (20204-10) Passed
          CLEAN, <> -> <uset@...>, Hits: -2.56, tag=-999, tag2=5, kill=10,
          queued_as: 3ZDpYl5C4Tz7Cm, L/Y/0/0

          But if it needs some tricks, not worth.

          --
          Pozdrawiam! / Best regards!
          ------------------
          Piotr Rotter
          Konsultant IT / IT Consultant
          ===========================================
          http://www.ACTIVE24.pl - Powerful hosting - surprisingly easy
          ===========================================
          ul. Barkocińska 6, 03-543 Warszawa PL
          Email: bok@...
          Tel: +48 22 423 33 22
          GSM: +48 503 10 40 50
          Skype: active24pl
        • Wietse Venema
          ... You could use reject_authenticated_sender_login_mismatch and require that authenticated users use their own email address. Wietse
          Message 4 of 9 , Feb 25, 2013
          • 0 Attachment
            Piotr Rotter:
            > W dniu 26.02.2013 01:56, Wietse Venema pisze:
            > > Piotr Rotter:
            > >> Hello,
            > >>
            > >> Can I set postfix to reject empty sender address for authenticated users.
            > >>
            > >> I want to disallow this:
            > >>
            > >> 235 2.7.0 Authentication successful
            > >> MAIL FROM: <>
            > >> 250 2.1.0 Ok

            You could use reject_authenticated_sender_login_mismatch and require
            that authenticated users use their own email address.

            Wietse
          • Viktor Dukhovni
            ... This breaks your service for all users who want to operate an MTA (say Postfix on their home machine) that uses your system as a relay. With the
            Message 5 of 9 , Feb 25, 2013
            • 0 Attachment
              On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:

              > Can I set postfix to reject empty sender address for authenticated users.
              >
              > I want to disallow this:
              >
              > 235 2.7.0 Authentication successful
              > MAIL FROM: <>
              > 250 2.1.0 Ok

              This breaks your service for all users who want to operate an MTA
              (say Postfix on their home machine) that uses your system as a
              relay. With the null-sender "<>" blocked, they can no longer send
              bounces.

              Do you in fact mean to discontinue your service for MTAs? If so,
              you can do so along lines Wietse suggested. Otherwise, you may need
              to reconsider your options.

              --
              Viktor.
            • Piotr Rotter
              ... Hello, Thanks for advise, but I already use reject_authenticated_sender_login_mismatch with smtpd_sender_login_maps query: SELECT email FROM postfix_users
              Message 6 of 9 , Feb 26, 2013
              • 0 Attachment
                W dniu 26.02.2013 02:27, Wietse Venema pisze:
                > Piotr Rotter:
                >> W dniu 26.02.2013 01:56, Wietse Venema pisze:
                >>> Piotr Rotter:
                >>>> Hello,
                >>>>
                >>>> Can I set postfix to reject empty sender address for authenticated users.
                >>>>
                >>>> I want to disallow this:
                >>>>
                >>>> 235 2.7.0 Authentication successful
                >>>> MAIL FROM: <>
                >>>> 250 2.1.0 Ok
                >
                > You could use reject_authenticated_sender_login_mismatch and require
                > that authenticated users use their own email address.
                >
                > Wietse
                >

                Hello,

                Thanks for advise, but I already use
                reject_authenticated_sender_login_mismatch with smtpd_sender_login_maps
                query:

                SELECT email FROM postfix_users WHERE email=CONVERT('%s' USING latin1)
                UNION SELECT destination FROM postfix_virtual WHERE email=CONVERT('%s'
                USING latin1) AND ( type = 'alias' OR type = 'mismatch' );

                But still empty sender adress for authenticated users are possible. My
                restrictions on submission look like that:

                -o smtpd_helo_restrictions=
                -o smtpd_client_restrictions=
                -o smtpd_sender_restrictions=
                -o
                smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,$REJECT_NOAUTH,reject

                X_ORIGINAL=check_recipient_access pcre:/etc/postfix/x-original.pcre

                /etc/postfix/x-original.pcre :

                /.*/ 550 Wymagana autoryzacja/Authorization required
              • Bastian Blank
                ... Null-sender must be accepted. There are several occasions where a MUA may send them, for example DSN mandates its usage sometimes. ... Bastian -- Peace was
                Message 7 of 9 , Feb 26, 2013
                • 0 Attachment
                  On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:
                  > Can I set postfix to reject empty sender address for authenticated users.

                  Null-sender must be accepted. There are several occasions where a MUA
                  may send them, for example DSN mandates its usage sometimes.

                  RFC 6409 specifies:
                  | Note that a null return path, that is, MAIL FROM:<>, is permitted and
                  | MUST NOT, in itself, be cause for rejecting a message. (MUAs need to
                  | generate null return-path messages for a variety of reasons, including
                  | disposition notifications.)

                  Bastian

                  --
                  Peace was the way.
                  -- Kirk, "The City on the Edge of Forever", stardate unknown
                • Viktor Dukhovni
                  ... IIRCDSN is only for MTAs, MUAs do MDN, which does not mandate null sender addresses. Rather, MDN replies don t elicit further MDN replies. -- Viktor.
                  Message 8 of 9 , Feb 26, 2013
                  • 0 Attachment
                    On Tue, Feb 26, 2013 at 05:43:45PM +0100, Bastian Blank wrote:

                    > On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:
                    > > Can I set postfix to reject empty sender address for authenticated users.
                    >
                    > Null-sender must be accepted. There are several occasions where a MUA
                    > may send them, for example DSN mandates its usage sometimes.

                    IIRCDSN is only for MTAs, MUAs do MDN, which does not mandate null
                    sender addresses. Rather, MDN replies don't elicit further MDN
                    replies.

                    --
                    Viktor.
                  • Ralf Hildebrandt
                    ... Please be aware that these might be: * out of office messages * read notifications -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße
                    Message 9 of 9 , Feb 27, 2013
                    • 0 Attachment
                      * Piotr Rotter <piotr.rotter@...>:

                      > I want to disallow this because is rarely (probably poor mail
                      > clients) and make more difficult to automatic parsing amavis logs
                      > like this
                      >
                      > 2013-02-25T04:29:47+01:00 kurier4 amavis[20204]: (20204-10) Passed
                      > CLEAN, <> -> <uset@...>, Hits: -2.56, tag=-999, tag2=5,
                      > kill=10, queued_as: 3ZDpYl5C4Tz7Cm, L/Y/0/0

                      Please be aware that these might be:
                      * out of office messages
                      * read notifications

                      --
                      [*] sys4 AG

                      http://sys4.de, +49 (89) 30 90 46 64
                      Franziskanerstraße 15, 81669 München

                      Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
                      Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                      Aufsichtsratsvorsitzender: Joerg Heidrich
                    Your message has been successfully submitted and would be delivered to recipients shortly.