Re: smtpd_sender_restrictions some help needed

  • Per olof Ljungmark
    Message 1 of 6, Mar 18, 2013
      On 2013-03-17 11:05, Ansgar Wiechers wrote:
      > On 2013-03-17 Per olof Ljungmark wrote:
      >> We've had a working configuration for a few years where we allow
      >> authenticated users to relay mail even if the sender address does not
      >> match a local user and the recipient is non-local.
      >>
      >> Now this is about to change.
      >>
      >> So, if the sender is *authenticated*:
      >>
      >> - from local-user@local-domain to nonlocal@: allowed
      >> - from nonlocal@ to local-user@local-domain: allowed obviously
      >> - from nonlocal@ to nonlocal@: disallowed
      >>
      >> Currently we have
      >>
      >> smtpd_sender_restrictions =
      >> hash:/usr/local/etc/postfix/access,
      >> permit_sasl_authenticated,
      >> permit_mynetworks,
      >> reject_unknown_sender_domain,
      >> reject_unauth_destination
      >>
      >> All local users are in a ldap table.
      >>
      >> Can we use for example "check_sender_access"
      >> and if the user is authenticated *and* the users email or alias matches
      >> MAIL FROM in the ldap lookup give it an OK?
      >>
      >> reject_sender_login_mismatch I guess is a possible candidate but then
      >> the problem is MUAs where the user has several incoming accounts but
      >> just one outgoing server configured and there are quite a few such.
      >>
      >> I'm still wading through the Postfix docs trying to get a grip on it but
      >> if someone already did it I would be very grateful for a piece of
      >> information... have to admit it feels a bit tricky.
      >
      > I'd recommend separating authenticated from unauthenticated submission.
      > Enable submission (port 587) with authentication required, and remove
      > permit_sasl_authenticated from the smtpd instance on port 25. For the
      > submission port you could enable reject_sender_login_mismatch to
      > restrict senders to their own sender address. If you want them to be
      > able to use arbitrary addresses for mail sent to local recipients,
      > but disallow non-local sender addresses for outbound mail, you'll
      > probably have to use a policy service.

      Thank you for the tip. Then I have to figure out how to separate the two
      rulesets, which I have not yet found in the docs.

      Unfortunately we do have clients still using port 465 for sending so not
      sure if it is even possible.

      No other way to achieve this?

      Thanks!
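The "policy service" Ansgar mentions above is the Postfix check_policy_service mechanism: smtpd sends the envelope attributes of a request as "name=value" lines terminated by a blank line, and the service answers with an "action=..." line and a blank line. The following is an added example, not code from the thread or from the Postfix project, that implements exactly the rule asked for: a SASL-authenticated client may send from a local sender to anyone, or from anyone to a local recipient, but not from a non-local sender to a non-local recipient. The listening address 127.0.0.1:10040 and the LOCAL_DOMAINS set are assumptions; a real deployment would take the local domains from the same LDAP table that defines the users.

```python
"""
Postfix SMTPD access-policy service (Python 3, standard library only).

Rule implemented, for SASL-authenticated clients only:
  local sender     -> any recipient        : DUNNO (other restrictions decide)
  any sender       -> local recipient      : DUNNO
  non-local sender -> non-local recipient  : REJECT
Unauthenticated clients always get DUNNO, so reject_unauth_destination
keeps doing its job for them unchanged.
"""
import socketserver

# Assumption: the domains this server accepts mail for. In production,
# derive this from the same source as mydestination/virtual_*_domains
# (e.g. the LDAP table from the thread) instead of a literal set.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

LISTEN = ("127.0.0.1", 10040)   # assumption; must match check_policy_service


def parse_request(text):
    """Turn a policy request ("name=value" lines, blank-line terminated)
    into a dict. Unknown attributes are kept as-is."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_of(address):
    """Lower-cased domain part of an envelope address. The null sender
    (<>) and anything without '@' yield "" and therefore count as non-local."""
    address = address.strip().strip("<>").lower()
    _local_part, at, domain = address.rpartition("@")
    return domain if at else ""


def is_local(address):
    return domain_of(address) in LOCAL_DOMAINS


def decide(attrs):
    """Return the policy action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # sender and recipient are both known only at RCPT TO
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    if not attrs.get("sasl_username"):
        return "DUNNO"          # not authenticated: leave it to the other restrictions
    sender = attrs.get("sender", "")
    recipient = attrs.get("recipient", "")
    if is_local(sender) or is_local(recipient):
        return "DUNNO"
    return ("REJECT Authenticated clients may not relay from a "
            "non-local sender to a non-local recipient")


def respond(request_text):
    """Complete request text -> complete response text, as sent on the wire."""
    return "action=%s\n\n" % decide(parse_request(request_text))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return          # client closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                continue
            self.wfile.write(respond("\n".join(lines) + "\n").encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Hook it in at the recipient stage, before any permit_sasl_authenticated in the same list so that the permit cannot short-circuit it, for example `smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination`. Since a REJECT from any restriction list rejects the recipient, this works whether the authenticated clients arrive on port 25, 587 or 465; the cleaner layout Ansgar describes is still to give submission (587) and smtps (465) their own master.cf entries with `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, and `-o smtpd_sasl_auth_enable=no` on the port 25 service.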
    • Wietse Venema
      Message 2 of 6, Mar 18, 2013
        Per olof Ljungmark:
        > > I'd recommend separating authenticated from unauthenticated submission.
        > > Enable submission (port 587) with authentication required, and remove
        > > permit_sasl_authenticated from the smtpd instance on port 25. For the
        > > submission port you could enable reject_sender_login_mismatch to
        > > restrict senders to their own sender address. If you want them to be
        > > able to use arbitrary addresses for mail sent to local recipients,
        > > but disallow non-local sender addresses for outbound mail, you'll
        > > probably have to use a policy service.
        >
        > Thank you for the tip. Then I have to figure out how to separate the two
        > rulesets, which I have not yet found in the docs.
        >
        > Unfortunately we do have clients still using port 465 for sending so not
        > sure if it is even possible.
        >
        > No other way to achieve this?

        Separate your mail streams:

        MTAs talk to port 25.

        MUAs talk to port 587 (465 if they are pre-historic).

        If that is not possible use DNS to separate the streams:

        MTAs use MX records. Use a separate IP address for MTA service.

        MUAs use A records. Use a separate IP address for MUA service.

        Or at least that's what is supposed to happen.

        Wietse
      • Per olof Ljungmark
        Message 3 of 6, Mar 18, 2013
          On 2013-03-18 12:07, Wietse Venema wrote:
          > Per olof Ljungmark:
          >>> I'd recommend separating authenticated from unauthenticated submission.
          >>> Enable submission (port 587) with authentication required, and remove
          >>> permit_sasl_authenticated from the smtpd instance on port 25. For the
          >>> submission port you could enable reject_sender_login_mismatch to
          >>> restrict senders to their own sender address. If you want them to be
          >>> able to use arbitrary addresses for mail sent to local recipients,
          >>> but disallow non-local sender addresses for outbound mail, you'll
          >>> probably have to use a policy service.
          >>
          >> Thank you for the tip. Then I have to figure out how to separate the two
          >> rulesets, which I have not yet found in the docs.
          >>
          >> Unfortunately we do have clients still using port 465 for sending so not
          >> sure if it is even possible.
          >>
          >> No other way to achieve this?
          >
          > Separate your mail streams:
          >
          > MTAs talk to port 25.
          >
          > MUAs talk to port 587 (465 if they are pre-historic).
          >
          > If that is not possible use DNS to separate the streams:
          >
          > MTAs use MX records. Use a separate IP address for MTA service.
          >
          > MUAs use A records. Use a separate IP address for MUA service.
          >
          > Or at least that's what is supposed to happen.
          >
          > Wietse
          >

          If we do not implement this case:
          (authenticated client assumed)
          - from nonlocal@ to local-user@local-domain

          Would "reject_sender_login_mismatch" do the job together with
          "smtpd_sender_login_maps"? Here we could match username with MAIL FROM:,
          at least as I understood from a quick read, although it must suffice
          that the domain part matches.

          Then we just have to fix multi-account MUAs to use different logins for
          different accounts.

          This rule does not have any impact on non-authenticated clients either.

          If this works I'm inclined to use this alternative instead.
        • Per olof Ljungmark
          Message 4 of 6, Mar 18, 2013
            On 2013-03-18 17:55, Per olof Ljungmark wrote:
            > On 2013-03-18 12:07, Wietse Venema wrote:
            >> Per olof Ljungmark:
            >>>> I'd recommend separating authenticated from unauthenticated submission.
            >>>> Enable submission (port 587) with authentication required, and remove
            >>>> permit_sasl_authenticated from the smtpd instance on port 25. For the
            >>>> submission port you could enable reject_sender_login_mismatch to
            >>>> restrict senders to their own sender address. If you want them to be
            >>>> able to use arbitrary addresses for mail sent to local recipients,
            >>>> but disallow non-local sender addresses for outbound mail, you'll
            >>>> probably have to use a policy service.
            >>>
            >>> Thank you for the tip. Then I have to figure out how to separate the two
            >>> rulesets, which I have not yet found in the docs.
            >>>
            >>> Unfortunately we do have clients still using port 465 for sending so not
            >>> sure if it is even possible.
            >>>
            >>> No other way to achieve this?
            >>
            >> Separate your mail streams:
            >>
            >> MTAs talk to port 25.
            >>
            >> MUAs talk to port 587 (465 if they are pre-historic).
            >>
            >> If that is not possible use DNS to separate the streams:
            >>
            >> MTAs use MX records. Use a separate IP address for MTA service.
            >>
            >> MUAs use A records. Use a separate IP address for MUA service.
            >>
            >> Or at least that's what is supposed to happen.
            >>
            >> Wietse
            >>
            >
            > If we do not implement this case:
            > (authenticated client assumed)
            > - from nonlocal@ to local-user@local-domain
            >
            > Would "reject_sender_login_mismatch" do the job together with
            > "smtpd_sender_login_maps"? Here we could match username with MAIL FROM:,
            > at least as I understood from a quick read, although it must suffice
            > that the domain part matches.

            "although it must suffice that the domain part matches."

            Forget that part, I was thinking backwards...

            > Then we just have to fix multi-account MUAs to use different logins for
            > different accounts.
            >
            > This rule does not have any impact on non-authenticated clients either.
            >
            > If this works I'm inclined to use this alternative instead.
            >