> AlxFrag wrote:
>> mouss wrote:
>>> AlxFrag wrote:
>>>> mouss wrote:
>>>>> AlxFrag wrote:
>>>>>> mouss wrote:
>>>>>>> AlxFrag wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'd like to ask if it is possible to enforce the limitation
>>>>>>>> described in the following example:
>>>>>>>>
>>>>>>>> one of my users logs in as myuser@mydomain. He can send emails
>>>>>>>> through my mail server using any "from address" he wants.
>>>>>>>> Can I force him to use only the "myuser@mydomain" as from
>>>>>>>> address in order to be able to send emails through my smtp server?
>>>>>>>
>>>>>>> you need to use authentication and:
>>>>>>>
>>>>>>> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>>>>>>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>>>>>> Thanks for your reply.
>>>>>>
>>>>>> In main.cf I've put:
>>>>>> *******************
>>>>>> smtpd_sender_restrictions=check_sender_access
>>>>>>     hash:/etc/postfix/block_senders, hash:/etc/postfix/my_domains
>>>>>>
>>>>>> smtpd_sender_login_maps=ldap:/etc/postfix/local_recipients.cf
>>>>>>
>>>>>> smtpd_restriction_classes=verify_login
>>>>>>
>>>>>> verify_login=reject_sender_login_mismatch
>>>>>> *******************
>>>>>>
>>>>>> In my_domains:
>>>>>>
>>>>>> mydomain1 verify_login
>>>>>> mydomain2 verify_login
>>>>>>
>>>>>> Using this configuration, user1@mydomain1 cannot pretend he is
>>>>>> user2@mydomain1 or he is anyuser@mydomain1 or anyuser@mydomain2.
>>>>>>
>>>>>> The problem is that he can pretend he is anyuser@any_other_domain.
>>>>>
>>>>> Then why use the restriction class...
>>>>>
>>>>> smtpd_sender_login_maps = ldap:/etc/postfix/local_recipients.cf
>>>>> smtpd_sender_restrictions = reject_sender_login_mismatch
>>>>>
>>>> ok,
>>>>
>>>> I've now removed the restriction class and myser@domain1 cannot
>>>> pretend he is anyuser@any_other_domain but,
>>>>
>>>> my users cannot receive emails from other domains.
>>>>
>>>> Postfix logs show:
>>>>
>>>> Jan 15 14:13:17 posidon postfix/smtpd[4765]: NOQUEUE: reject: RCPT
>>>> from foreign_domain[foreign_ip]: 553 5.7.1
>>>> <foreign_user@foreign_domain>: Sender address rejected: not logged
>>>> in; from=<foreign_user@foreign_domain> to=<myuser@mydomain>
>>>> proto=ESMTP helo=<foreign_domain]
>>>>
>>>
>>> you'll need to describe your setup and site policy more precisely.
>>> what should be allowed and what should be denied, from where and
>>> whom, to where...
>>>
>>> You can use
>>> reject_authenticated_sender_login_mismatch.
>>> to only check the sender login maps for authenticated users
>>>
>>> You can apply the reject_sender_login_mismatch if the client is in
>>> your networks (check_client_access)
>>>
>>> You can deny relay if the sender is not in your domain
>>> (check_sender_access).
>>>
>>> ... etc.
>>>
>>>
>> reject_authenticated_sender_login_mismatch seems to work now.
>
> but they can send with whatever address if they are not authenticated.
> so you should not enable relay without auth.
>
>>
>> The policy of the mail server is to relay authenticated users whose
>> "from address" is their real "from address" stored in the ldap backend.
>>
>> Thanks a lot!
>>
>> Alex
>>
> I'm using cyrus-sasl
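The restrictions named in the thread differ only in which clients they check. The following is an added example, not part of the original messages and not Postfix code: a simplified Python model that follows the postconf(5) descriptions of the three restrictions and ignores address rewriting and case folding. The map contents, addresses and function names are constructed for illustration.

```python
# Simplified model of Postfix sender/login mismatch checks (added example).
# LOGIN_MAP is a constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> set of SASL logins that own it.
LOGIN_MAP = {
    "user1@mydomain1": {"user1@mydomain1"},
    "user2@mydomain1": {"user2@mydomain1"},
}

def auth_mismatch(sender, login, login_map):
    """Client is logged in but is not listed as owner of MAIL FROM."""
    return login is not None and login not in login_map.get(sender, set())

def unauth_mismatch(sender, login, login_map):
    """MAIL FROM has an owner in the map but the client is not logged in."""
    return login is None and sender in login_map

def any_mismatch(sender, login, login_map):
    """Both checks combined, as reject_sender_login_mismatch does."""
    return (auth_mismatch(sender, login, login_map)
            or unauth_mismatch(sender, login, login_map))

RESTRICTIONS = {
    "reject_sender_login_mismatch": any_mismatch,
    "reject_authenticated_sender_login_mismatch": auth_mismatch,
    "reject_unauthenticated_sender_login_mismatch": unauth_mismatch,
}

def decide(restriction, sender, login, login_map=LOGIN_MAP):
    """Return 'REJECT', or 'DUNNO' to fall through to the next restriction."""
    rejected = RESTRICTIONS[restriction](sender, login, login_map)
    return "REJECT" if rejected else "DUNNO"

# Constructed sessions: (description, MAIL FROM, SASL login or None).
SESSIONS = [
    ("owner sends as self", "user1@mydomain1", "user1@mydomain1"),
    ("user1 sends as user2", "user2@mydomain1", "user1@mydomain1"),
    ("user1 sends as outside address", "anyuser@other.example", "user1@mydomain1"),
    ("no login, mapped MAIL FROM", "user1@mydomain1", None),
    ("no login, unmapped MAIL FROM", "someone@other.example", None),
]

if __name__ == "__main__":
    for name in RESTRICTIONS:
        print(name)
        for label, sender, login in SESSIONS:
            print(f"  {label:32} {decide(name, sender, login)}")
```

The "no login, mapped MAIL FROM" row falls through under reject_authenticated_sender_login_mismatch, so relay access has to be tied to authentication separately.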
© 2004-2008 readlist.com