Blocking a particular authenticated user


Blocking a particular authenticated user

Julian Cowley
Hello,

I would like to block a particular user who is authenticated using
SASL from sending mail.  Is there a way to do this?

I found one way to do it, but it is not perfect.  I can block the
email address of that user (the one they normally use) using
smtpd_sender_login_maps.  This doesn't prevent them from using another
email address, however.

smtpd_recipient_restrictions =
    ...
    reject_sender_login_mismatch
    ...

smtpd_sender_login_maps = regexp:/path/sender_login_map

sender_login_map:

/^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN

The unmatchable string is because I want the entry to exist for that
email address, but I don't want to list any string that could be
matched as a SASL username.

Is this the right approach or have I missed something entirely?

Re: Blocking a particular authenticated user

Patrick Ben Koetter
* Julian Cowley <[hidden email]>:
> Hello,
>
> I would like to block a particular user who is authenticated using
> SASL from sending mail.  Is there a way to do this?

Where do you keep this user's credentials? Disable the auth account.

> I found one way to do it, but it is not perfect.  I can block the
> email address of that user (the one they normally use) using
> smtpd_sender_login_maps.  This doesn't prevent them from using another
> email address, however.
>
> smtpd_recipient_restrictions =
>     ...
>     reject_sender_login_mismatch
>     ...
>
> smtpd_sender_login_maps = regexp:/path/sender_login_map
>
> sender_login_map:
>
> /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
>
> The unmatchable string is because I want the entry to exist for that
> email address, but I don't want to list any string that could be
> matched as a SASL username.
>
> Is this the right approach or have I missed something entirely?

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: Blocking a particular authenticated user

Stefan Seidel-2
In reply to this post by Julian Cowley
On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <[hidden email]>
wrote:

> Hello,
>
> I would like to block a particular user who is authenticated using
> SASL from sending mail.  Is there a way to do this?
>
> I found one way to do it, but it is not perfect.  I can block the
> email address of that user (the one they normally use) using
> smtpd_sender_login_maps.  This doesn't prevent them from using another
> email address, however.
>
> smtpd_recipient_restrictions =
Why would you use _recipient_ restrictions to block a _sender_?

>     ...
>     reject_sender_login_mismatch
>     ...
>
> smtpd_sender_login_maps = regexp:/path/sender_login_map
>
> sender_login_map:
>
> /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
>
> Is this the right approach or have I missed something entirely?

It is a good idea to use
   smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
anyway, so why don't you try to introduce that, and then you can just not
assign any sender address to this particular user, e.g.

  sender_login_maps = hash:/etc/postfix/sender_permissions

sender_permissions:
@domain1.com validuser1
@domain2.com validuser2

-> then "unwanteduser" will not be able to send from either domain,
because its login name does not appear in any list of allowed accounts.

Stefan

Re: Blocking a particular authenticated user

Bas Mevissen-4
In reply to this post by Julian Cowley
On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley
<[hidden email]> wrote:
> Hello,
>
> I would like to block a particular user who is authenticated using
> SASL from sending mail.  Is there a way to do this?
>
(...)

> Is this the right approach or have I missed something entirely?

It appears to me that you have a social problem (and not a technical
one). So maybe seek your solution in that direction.

Regards,

--
Bas

Re: Blocking a particular authenticated user

Julian Cowley
In reply to this post by Patrick Ben Koetter
On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
> * Julian Cowley <[hidden email]>:
> > Hello,
> >
> > I would like to block a particular user who is authenticated using
> > SASL from sending mail.  Is there a way to do this?
>
> Where do you keep this user's credentials? Disable the auth account.

Yes thanks, that works.  Unfortunately, on our system this also
disables all other services for that user such as email reading and
server logins.  To fix this, I'd need to modify the authentication
server outside of Postfix (namely Dovecot) to reject the user somehow.

I was hoping that there was a way solely in Postfix that would allow
me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
rather than the authentication stage.

At this point, I'll just reject the user's main email address using
check_sender_access and REJECT, which is equivalent to all the crud
I wrote up below and would allow me to customize the message.

> > I found one way to do it, but it is not perfect.  I can block the
> > email address of that user (the one they normally use) using
> > smtpd_sender_login_maps.  This doesn't prevent them from using another
> > email address, however.
> >
> > smtpd_recipient_restrictions =
> >     ...
> >     reject_sender_login_mismatch
> >     ...
> >
> > smtpd_sender_login_maps = regexp:/path/sender_login_map
> >
> > sender_login_map:
> >
> > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
> >
> > The unmatchable string is because I want the entry to exist for that
> > email address, but I don't want to list any string that could be
> > matched as a SASL username.
> >
> > Is this the right approach or have I missed something entirely?
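An added example, not from this thread and not Postfix's own code, that models the two mechanisms discussed above: Stefan's approach of leaving the unwanted login out of smtpd_sender_login_maps and relying on reject_sender_login_mismatch, and the check_sender_access / REJECT workaround Julian mentions. The lookup orders follow postconf(5) for indexed sender login maps and access(5) for access maps; LOCAL_DOMAINS, the two sample tables and the evaluate() function are constructed for the illustration, and subdomain matching and regexp tables are deliberately left out.

```python
"""
Constructed model of two Postfix sender checks: check_sender_access (an
access(5) map, here with a custom REJECT text) and reject_sender_login_mismatch
driven by smtpd_sender_login_maps.  Illustration only, not Postfix code.
"""
import re

# Constructed stand-in for $mydestination / $myorigin.
LOCAL_DOMAINS = {"example.com"}

# Stefan's sender_permissions map, as constructed sample data (hash: style).
SENDER_PERMISSIONS = {"@domain1.com": "validuser1", "@domain2.com": "validuser2"}

# Julian's workaround: one access entry carrying a custom reply text.
SENDER_ACCESS = {"user@example.com": "REJECT Outbound mail for this account is disabled"}


def _split(addr):
    """Lower-case the address (hash: lookups fold case) and split at the last '@'."""
    user, _, domain = addr.lower().rpartition("@")
    return user, domain


def login_map_lookup(table, sender, local_domains=LOCAL_DOMAINS):
    """smtpd_sender_login_maps lookup for an indexed table, in postconf(5) order:
    user@domain, then bare user (only when the domain is local), then @domain.
    Returns the set of owning SASL logins, or None when no entry exists."""
    user, domain = _split(sender)
    keys = [f"{user}@{domain}"]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            owners = re.split(r"[,\s]+", table[key].strip())
            return {o.lower() for o in owners if o}
    return None


def sender_login_mismatch(table, sender, sasl_login):
    """reject_sender_login_mismatch: an unauthenticated client may not use an
    address that has an owner; an authenticated client may only use addresses
    it owns, so an address with no entry at all is rejected for it too."""
    owners = login_map_lookup(table, sender)
    if sasl_login is None:
        return owners is not None
    return owners is None or sasl_login.lower() not in owners


def sender_access(table, sender):
    """check_sender_access in access(5) order: user@domain, domain, user@.
    Returns the action text ('REJECT ...', 'OK', ...) or None for no match."""
    user, domain = _split(sender)
    for key in (f"{user}@{domain}", domain, f"{user}@"):
        if key in table:
            return table[key]
    return None


def evaluate(sender, sasl_login, access_table, login_table):
    """Walk a restriction list of the shape
       check_sender_access hash:/..., reject_sender_login_mismatch
    and return (verdict, reason).  Constructed helper; message texts mimic
    Postfix's but are not copied from it."""
    action = sender_access(access_table, sender)
    if action is not None:
        verb, _, text = action.partition(" ")
        if verb.upper() == "REJECT":
            return "REJECT", text or "Access denied"
        if verb.upper() == "OK":
            return "OK", "sender whitelisted"  # OK ends the list early
    if sender_login_mismatch(login_table, sender, sasl_login):
        if sasl_login is None:
            return "REJECT", "Sender address rejected: not logged in"
        return "REJECT", f"Sender address rejected: not owned by user {sasl_login}"
    return "DUNNO", "no sender restriction matched"


if __name__ == "__main__":
    cases = [
        ("user@example.com", "user"),        # Julian's blocked address
        ("other@example.com", "user"),       # same login, another address
        ("someone@domain1.com", "unwanteduser"),
        ("someone@domain1.com", "validuser1"),
        ("someone@domain1.com", None),       # not authenticated
        ("x@other.org", None),
    ]
    for sender, login in cases:
        print(sender, login, "->", evaluate(sender, login, SENDER_ACCESS, SENDER_PERMISSIONS))
```

The run shows what each mechanism can and cannot do: the access entry rejects one address for everybody with a custom text, while the login map rejects "unwanteduser" for any address in the two domains but needs an owner entry for every domain that legitimate users send from.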

Re: Blocking a particular authenticated user

Patrick Ben Koetter
* Julian Cowley <[hidden email]>:

> On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
> > * Julian Cowley <[hidden email]>:
> > > Hello,
> > >
> > > I would like to block a particular user who is authenticated using
> > > SASL from sending mail.  Is there a way to do this?
> >
> > Where do you keep this user's credentials? Disable the auth account.
>
> Yes thanks, that works.  Unfortunately, on our system this also
> disables all other services for that user such as email reading and
> server logins.  To fix this, I'd need to modify the authentication
> server outside of Postfix (namely Dovecot) to reject the user somehow.

Add an additional condition if you use SQL or LDAP, something along the lines
of "... AND active='TRUE'" to your query.


> I was hoping that there was a way solely in Postfix that would allow
> me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
> rather than the authentication stage.

Clients AUTH first and then they start a regular SMTP session. At least the
ones I know...

Why not disable AUTH in the person's client?

p@rick


> At this point, I'll just reject the user's main email address using
> check_sender_access and REJECT, which is equivalent to all the crud
> I wrote up below and would allow me to customize the message.
>
> > > I found one way to do it, but it is not perfect.  I can block the
> > > email address of that user (the one they normally use) using
> > > smtpd_sender_login_maps.  This doesn't prevent them from using another
> > > email address, however.
> > >
> > > smtpd_recipient_restrictions =
> > >     ...
> > >     reject_sender_login_mismatch
> > >     ...
> > >
> > > smtpd_sender_login_maps = regexp:/path/sender_login_map
> > >
> > > sender_login_map:
> > >
> > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
> > >
> > > The unmatchable string is because I want the entry to exist for that
> > > email address, but I don't want to list any string that could be
> > > matched as a SASL username.
> > >
> > > Is this the right approach or have I missed something entirely?


Re: Blocking a particular authenticated user

Julian Cowley
In reply to this post by Stefan Seidel-2
On Thu, 2 Sep 2010, Stefan Seidel wrote:

> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley <[hidden email]>
> wrote:
> > Hello,
> >
> > I would like to block a particular user who is authenticated using
> > SASL from sending mail.  Is there a way to do this?
> >
> > I found one way to do it, but it is not perfect.  I can block the
> > email address of that user (the one they normally use) using
> > smtpd_sender_login_maps.  This doesn't prevent them from using another
> > email address, however.
> >
> > smtpd_recipient_restrictions =
> Why would you use _recipient_ restrictions to block a _sender_?

Habit, mostly.  If smtpd_delay_reject is true, which is the
default, then it doesn't really matter which list you put the
restrictions in.  It's pretty common to put all of the restrictions
into smtpd_recipient_restrictions so that all of the restrictions
are in one list where they are easier to find.

> >     ...
> >     reject_sender_login_mismatch
> >     ...
> >
> > smtpd_sender_login_maps = regexp:/path/sender_login_map
> >
> > sender_login_map:
> >
> > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
> >
> > Is this the right approach or have I missed something entirely?
>
> It is a good idea to use
>    smtpd_sender_restrictions = ..., reject_sender_login_mismatch, ...
> anyway, so why don't you try to introduce that, and then you can just not
> assign any sender address to this particular user, e.g.
>
>   sender_login_maps = hash:/etc/postfix/sender_permissions
>
> sender_permissions:
> @domain1.com validuser1
> @domain2.com validuser2

That certainly works, but not for my situation.  All of my valid users
are under one domain (mostly), so it wouldn't scale to list all of the
users except one on the right-hand side.

> -> then "unwanteduser" will not be able to send from either domain,
> because its login name does not appear in any list of allowed accounts.

Seems like there ought to be an easier way, but I'm not sure Postfix has
it yet.  For now I'm using a workaround.

> Stefan

Re: Blocking a particular authenticated user

mouss-4
In reply to this post by Stefan Seidel-2
On 02/09/2010 09:55, Stefan Seidel wrote:

> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian Cowley<[hidden email]>
> wrote:
>> Hello,
>>
>> I would like to block a particular user who is authenticated using
>> SASL from sending mail.  Is there a way to do this?
>>
>> I found one way to do it, but it is not perfect.  I can block the
>> email address of that user (the one they normally use) using
>> smtpd_sender_login_maps.  This doesn't prevent them from using another
>> email address, however.
>>
>> smtpd_recipient_restrictions =
> Why would you use _recipient_ restrictions to block a _sender_?
>

it is ok to do that. smtpd_mumble_restrictions correspond to stages, not
to input fields. putting most of the checks under
smtpd_recipient_restrictions is a common approach, because you have an
ordered linear list. (I am assuming  smtpd_delay_reject=yes).
[snip]

Re: Blocking a particular authenticated user

Noel Jones-2
On 9/2/2010 4:51 PM, mouss wrote:

> On 02/09/2010 09:55, Stefan Seidel wrote:
>> On Wed, 1 Sep 2010 16:33:31 -1000 (HST), Julian
>> Cowley<[hidden email]>
>>> smtpd_recipient_restrictions =
>> Why would you use _recipient_ restrictions to block a _sender_?
>>
>
> it is ok to do that. smtpd_mumble_restrictions correspond to
> stages, not to input fields. putting most of the checks under
> smtpd_recipient_restrictions is a common approach, because you
> have an ordered linear list. (I am assuming
> smtpd_delay_reject=yes).
> [snip]

Nitpick:

You don't need smtpd_delay_reject=yes to use sender checks
under smtpd_recipient_restrictions; the sender will always be
available at that time.

You do need smtpd_delay_reject=yes when you want to use
restrictions "out of order", i.e. use smtpd_sender_restrictions
for recipient checks.

And yes, it is common and acceptable practice to put all
restrictions under smtpd_recipient_restrictions.

   -- Noel Jones


Re: Blocking a particular authenticated user

Stan Hoeppner
Noel Jones put forth on 9/2/2010 5:37 PM:

> And yes, it is common and acceptable practice to put all restrictions
> under smtpd_recipient_restrictions.

Not only common, but as I discovered the hard way, it's very difficult,
nearly impossible, to manage some whitelisting scenarios if you don't
put all restrictions under smtpd_recipient_restrictions.  It's logically
and logistically very difficult to do this using the 4 separate
restrictions sections.

IIRC, many moons ago, Noel was the OP who guided me through that, and
was a big help.  Thanks again Noel.

--
Stan