> It is correct. But it needs a login/password even when the recipient is in the LAN.
>

No, internal recipients are allowed by permit_auth_destination, and are
not rejected by reject_unauth_destination, so in both sender and recipient
restrictions they get through without SASL.

> Victor Duchovni wrote:
> >On Wed, May 30, 2007 at 01:23:24PM +0700, Truong Tan Son wrote:
> >
> >>if (client_ip in LAN) then
> >>   if (sender in SASL_user) then
> >>      if (to_recipient in Internet) then
> >>         if (sender in permit_sender) then
> >>            ok
> >
> > ??? Authenticated user or sender address ???
>   Authenticated sender address (MAIL FROM:)
> >
> >>         else
> >>            reject
> >>         fi
>        else
>           if (to_recipient in LAN) then
>              ok
> >>      fi
> >   else
> >   ??? What if sender is not SASL authenticated ???
>        reject
> >>   fi
> > else
> >   ??? What if the client IP is not on your LAN ???
>        permit some ip_MTA of related subdomains.
> >
> >>fi
> >
> >Sounds like you want to limit access to outbound email to authenticated
> >users on your LAN who submit directly to your outbound submission service,
> >and specifically to a subset of those users who are listed in some access
> >table. This is possible, but slightly indirectly:
> >
> >    smtpd_sender_login_maps = hash:/etc/postfix/sender_login
> >
> >    smtpd_sender_restrictions =
> >        # Only filter outbound mail
> >        permit_auth_destination,
> >        # Reject remote clients
> >        check_client_access cidr:/etc/postfix/reject_remote.cidr,
> >        # Enforce sender<->login consistency
> >        reject_sender_login_mismatch,
> >        # Apply sender address ACL
> >        check_sender_access hash:/etc/postfix/sender_out_acl,
> >        # Reject if not whitelisted above
> >        reject
> >
> >    smtpd_recipient_restrictions =
> >        # Outbound relay requires SASL
> >        permit_sasl_authenticated,
> >        # Everything else must be inbound
> >        reject_unauth_destination,
> >        # UCE controls.
> >
> >sender_login:
> >    joe         joelogin
> >    ...
> >
> >reject_remote.cidr:
> >    192.0.2.0/24    DUNNO May relay if authenticated ...
> >    0.0.0.0/0       REJECT Relay access denied
> >
> >
> >sender_out_acl:
> >    joe         OK to relay from LAN when authenticated as joelogin
> >
> >
> >--
> >    Viktor.
> >
> >Disclaimer: off-list followups get on-list replies or get ignored.
> >Please do not ignore the "Reply-To" header.
> >
> >To unsubscribe from the postfix-users list, visit
> >http://www.postfix.org/lists.html or click the link below:
> ><mailto:majordomo?body=unsubscribe%20postfix-users>
> >
> >If my response solves your problem, the best way to thank me is to not
> >send an "it worked, thanks" follow-up. If you must respond, please put
> >"It worked, thanks" in the "Subject" so I can delete these quickly.
>

--
    Viktor.
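Added example (not part of the original thread, and not Postfix code): a simplified Python model of how the two restriction lists quoted above are evaluated, showing that local recipients get through without SASL while outbound relay needs a LAN client, a matching login and an ACL entry. The local domain example.com, the sample addresses and the local-part table keys are assumptions.

```python
import ipaddress

# Constructed tables mirroring the post (keys simplified to the local part).
SENDER_LOGIN = {"joe": "joelogin"}        # smtpd_sender_login_maps
SENDER_OUT_ACL = {"joe": "OK"}            # check_sender_access table
REJECT_REMOTE = [("192.0.2.0/24", "DUNNO"), ("0.0.0.0/0", "REJECT")]
LOCAL_DOMAINS = {"example.com"}           # assumed mydestination/relay_domains

def auth_destination(rcpt):
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def client_access(ip):
    addr = ipaddress.ip_address(ip)
    for net, action in REJECT_REMOTE:     # first matching line wins
        if addr in ipaddress.ip_network(net):
            return action
    return "DUNNO"

def login_mismatch(sender, login):
    owner = SENDER_LOGIN.get(sender.split("@")[0])
    if login is None:
        return owner is not None          # owned address used without SASL login
    return owner != login                 # logged in, but not as the owner

def sender_restrictions(ip, login, sender, rcpt):
    if auth_destination(rcpt):
        return "PERMIT"                   # permit_auth_destination
    if client_access(ip) == "REJECT":
        return "REJECT"                   # check_client_access
    if login_mismatch(sender, login):
        return "REJECT"                   # reject_sender_login_mismatch
    if SENDER_OUT_ACL.get(sender.split("@")[0]) == "OK":
        return "PERMIT"                   # check_sender_access
    return "REJECT"                       # final "reject"

def recipient_restrictions(login, rcpt):
    if login is not None:
        return "PERMIT"                   # permit_sasl_authenticated
    if not auth_destination(rcpt):
        return "REJECT"                   # reject_unauth_destination
    return "PERMIT"                       # UCE controls omitted; end of list permits

def decide(ip, login, sender, rcpt):
    # Both lists are evaluated; a PERMIT in one list does not skip the other.
    if sender_restrictions(ip, login, sender, rcpt) == "REJECT":
        return "REJECT"
    return recipient_restrictions(login, rcpt)
```

The model treats each login map entry as a single owner and leaves out the UCE controls, so it covers only the relay decision discussed in the thread.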
© 2004-2008 readlist.com