Loading ...
Sorry, an error occurred while loading the content.

Re: reject empty sender address for authenticated users

Expand Messages
  • Wietse Venema
    ... You could use reject_authenticated_sender_login_mismatch and require that authenticated users use their own email address. Wietse
    Message 1 of 9 , Feb 25, 2013
    • 0 Attachment
      Piotr Rotter:
      > W dniu 26.02.2013 01:56, Wietse Venema pisze:
      > > Piotr Rotter:
      > >> Hello,
      > >>
      > >> Can I set postfix to reject empty sender address for authenticated users.
      > >>
      > >> I want to disallow this:
      > >>
      > >> 235 2.7.0 Authentication successful
      > >> MAIL FROM: <>
      > >> 250 2.1.0 Ok

      You could use reject_authenticated_sender_login_mismatch and require
      that authenticated users use their own email address.

      Wietse
    • Viktor Dukhovni
      ... This breaks your service for all users who want to operate an MTA (say Postfix on their home machine) that uses your system as a relay. With the
      Message 2 of 9 , Feb 25, 2013
      • 0 Attachment
        On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:

        > Can I set postfix to reject empty sender address for authenticated users.
        >
        > I want to disallow this:
        >
        > 235 2.7.0 Authentication successful
        > MAIL FROM: <>
        > 250 2.1.0 Ok

        This breaks your service for all users who want to operate an MTA
        (say Postfix on their home machine) that uses your system as a
        relay. With the null-sender "<>" blocked, they can no longer send
        bounces.

        Do you in fact mean to discontinue your service for MTAs? If so,
        you can do so along lines Wietse suggested. Otherwise, you may need
        to reconsider your options.

        --
        Viktor.
      • Piotr Rotter
        ... Hello, Thanks for advise, but I already use reject_authenticated_sender_login_mismatch with smtpd_sender_login_maps query: SELECT email FROM postfix_users
        Message 3 of 9 , Feb 26, 2013
        • 0 Attachment
          W dniu 26.02.2013 02:27, Wietse Venema pisze:
          > Piotr Rotter:
          >> W dniu 26.02.2013 01:56, Wietse Venema pisze:
          >>> Piotr Rotter:
          >>>> Hello,
          >>>>
          >>>> Can I set postfix to reject empty sender address for authenticated users.
          >>>>
          >>>> I want to disallow this:
          >>>>
          >>>> 235 2.7.0 Authentication successful
          >>>> MAIL FROM: <>
          >>>> 250 2.1.0 Ok
          >
          > You could use reject_authenticated_sender_login_mismatch and require
          > that authenticated users use their own email address.
          >
          > Wietse
          >

          Hello,

          Thanks for advise, but I already use
          reject_authenticated_sender_login_mismatch with smtpd_sender_login_maps
          query:

          SELECT email FROM postfix_users WHERE email=CONVERT('%s' USING latin1)
          UNION SELECT destination FROM postfix_virtual WHERE email=CONVERT('%s'
          USING latin1) AND ( type = 'alias' OR type = 'mismatch' );

          But still empty sender adress for authenticated users are possible. My
          restrictions on submission look like that:

          -o smtpd_helo_restrictions=
          -o smtpd_client_restrictions=
          -o smtpd_sender_restrictions=
          -o
          smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,$REJECT_NOAUTH,reject

          X_ORIGINAL=check_recipient_access pcre:/etc/postfix/x-original.pcre

          /etc/postfix/x-original.pcre :

          /.*/ 550 Wymagana autoryzacja/Authorization required
        • Bastian Blank
          ... Null-sender must be accepted. There are several occasions where a MUA may send them, for example DSN mandates its usage sometimes. ... Bastian -- Peace was
          Message 4 of 9 , Feb 26, 2013
          • 0 Attachment
            On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:
            > Can I set postfix to reject empty sender address for authenticated users.

            Null-sender must be accepted. There are several occasions where a MUA
            may send them, for example DSN mandates its usage sometimes.

            RFC 6409 specifies:
            | Note that a null return path, that is, MAIL FROM:<>, is permitted and
            | MUST NOT, in itself, be cause for rejecting a message. (MUAs need to
            | generate null return-path messages for a variety of reasons, including
            | disposition notifications.)

            Bastian

            --
            Peace was the way.
            -- Kirk, "The City on the Edge of Forever", stardate unknown
          • Viktor Dukhovni
            ... IIRCDSN is only for MTAs, MUAs do MDN, which does not mandate null sender addresses. Rather, MDN replies don t elicit further MDN replies. -- Viktor.
            Message 5 of 9 , Feb 26, 2013
            • 0 Attachment
              On Tue, Feb 26, 2013 at 05:43:45PM +0100, Bastian Blank wrote:

              > On Tue, Feb 26, 2013 at 01:50:34AM +0100, Piotr Rotter wrote:
              > > Can I set postfix to reject empty sender address for authenticated users.
              >
              > Null-sender must be accepted. There are several occasions where a MUA
              > may send them, for example DSN mandates its usage sometimes.

              IIRCDSN is only for MTAs, MUAs do MDN, which does not mandate null
              sender addresses. Rather, MDN replies don't elicit further MDN
              replies.

              --
              Viktor.
            • Ralf Hildebrandt
              ... Please be aware that these might be: * out of office messages * read notifications -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße
              Message 6 of 9 , Feb 27, 2013
              • 0 Attachment
                * Piotr Rotter <piotr.rotter@...>:

                > I want to disallow this because is rarely (probably poor mail
                > clients) and make more difficult to automatic parsing amavis logs
                > like this
                >
                > 2013-02-25T04:29:47+01:00 kurier4 amavis[20204]: (20204-10) Passed
                > CLEAN, <> -> <uset@...>, Hits: -2.56, tag=-999, tag2=5,
                > kill=10, queued_as: 3ZDpYl5C4Tz7Cm, L/Y/0/0

                Please be aware that these might be:
                * out of office messages
                * read notifications

                --
                [*] sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
                Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Aufsichtsratsvorsitzender: Joerg Heidrich
              Your message has been successfully submitted and would be delivered to recipients shortly.