Exception to login_mismatch with IP Whitelisting?


Exception to login_mismatch with IP Whitelisting?

Rick King
Postfix version: 3.1.1

Hello List!

We have a customer with a setup of enforcing a match between account FROM address and sasl username.

With the following this works as expected...

smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

Now our customer has subscribed to Shopify, which apparently sends messages using the customer's email address as the FROM address, which results in a rejection with a 553 5.7.1 Sender address rejected: not logged in.

<log snip>
Oct  6 13:16:58 mail postfix/smtpd[3285]: connect from smtp.shopify.com[35.225.139.175]
Oct  6 13:16:58 mail postfix/smtpd[3285]: NOQUEUE: reject: RCPT from smtp.shopify.com[35.225.139.175]: 553 5.7.1 <[hidden email]>: Sender address rejected: not logged in; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smtp.shopify.com>
</log snip>

I've had limited success using check_sender_access with FROM addresses, but it doesn't use IPs, only MAIL FROM addresses.

My question is: is it possible to whitelist the IPs from Shopify with this config? The customer would prefer to use IP whitelisting.


Best Regards,

--
Rick King
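Before deciding whether to whitelist anything, it helps to know which clients are actually being hit by the "not logged in" rejection and for which sender addresses. The following is an added example (not part of the original post) that parses Postfix smtpd reject lines in the same shape as the log snippet above and groups the login-mismatch rejections by connecting client. The log lines and the addresses in it are constructed for the example; only the smtp.shopify.com host and its IP come from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (same format as the snippet in the post). The
# example.com/example.net addresses and the 198.51.100.23 client are invented.
SAMPLE_LOG = """\
Oct  6 13:16:58 mail postfix/smtpd[3285]: connect from smtp.shopify.com[35.225.139.175]
Oct  6 13:16:58 mail postfix/smtpd[3285]: NOQUEUE: reject: RCPT from smtp.shopify.com[35.225.139.175]: 553 5.7.1 <user@example.com>: Sender address rejected: not logged in; from=<user@example.com> to=<other@example.net> proto=ESMTP helo=<smtp.shopify.com>
Oct  6 13:17:02 mail postfix/smtpd[3285]: disconnect from smtp.shopify.com[35.225.139.175]
Oct  6 13:20:11 mail postfix/smtpd[3301]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 553 5.7.1 <user@example.com>: Sender address rejected: not logged in; from=<user@example.com> to=<other@example.net> proto=ESMTP helo=<mx.invalid>
Oct  6 13:21:40 mail postfix/smtpd[3301]: NOQUEUE: reject: RCPT from smtp.shopify.com[35.225.139.175]: 553 5.7.1 <user@example.com>: Sender address rejected: not logged in; from=<user@example.com> to=<third@example.net> proto=ESMTP helo=<smtp.shopify.com>
Oct  6 13:22:05 mail postfix/smtpd[3301]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<spam@example.org> to=<nobody@example.com> proto=ESMTP helo=<mx.invalid>
"""

# One regex for a Postfix smtpd "NOQUEUE: reject: RCPT from host[ip]: ..." line.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <[^>]*>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Text Postfix logs for reject_sender_login_mismatch on an unauthenticated session.
LOGIN_MISMATCH_REASON = "Sender address rejected: not logged in"


def parse_rejects(log_text):
    """Return a list of dicts, one per smtpd reject line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_login_mismatch(log_text):
    """Group 'not logged in' rejections by (client host, client IP).

    Returns {(host, ip): Counter({sender_address: count})}. Rejections for
    other reasons (e.g. unknown recipient) are left out so the operator sees
    only the traffic affected by the login-mismatch policy.
    """
    summary = defaultdict(Counter)
    for rec in parse_rejects(log_text):
        if rec["reason"].strip() == LOGIN_MISMATCH_REASON:
            summary[(rec["host"], rec["ip"])][rec["sender"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for (host, ip), senders in summarize_login_mismatch(SAMPLE_LOG).items():
        for sender, n in senders.most_common():
            print(f"{host}[{ip}]  from=<{sender}>  rejected {n}x")
```

On a real server the same function can be fed the output of `grep 'not logged in' /var/log/maillog`; a client that shows up repeatedly with the customer's own domain in from= is exactly the kind of legitimate third-party sender (forwarders, list servers, SaaS mailers) that a sender/login check on port 25 breaks.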




Re: Exception to login_mismatch with IP Whitelisting?

Jaroslaw Rafa
On 6.10.2020 at 18:30:28 Rick King wrote:
>
> Now our customer has subscribed to Shopify, which apparently sends
> messages using the customer's email address as the FROM address. Which
> results in a rejection with a 553 5.7.1 Sender address rejected: not
> logged in.

So I understand you are enforcing authentication (and identity of sender
address to SASL username) on INCOMING mail that seems to be from your
domain? That's a very bad idea, it breaks forwarding, some mailing lists and
many other things. You should enforce authentication only on submission
service, not on general incoming mail.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
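What the reply above recommends, as an added example that is neither Rick's configuration nor anything from the Postfix or Zimbra projects: keep the sender/login binding on the submission service (port 587, where users authenticate) and leave it out of the port-25 restrictions, so Internet mail that legitimately carries the customer's domain in MAIL FROM is not subject to a "not logged in" check. The ldap-slm.cf and tag_as_*.re paths are taken from the original post; the Zimbra-specific check_sender_access entries are kept as they were there, and the reject_authenticated_sender_login_mismatch restriction is assumed to belong on submission only.

```text
# main.cf -- restrictions for the port-25 smtpd that receives Internet mail.
# No reject_*sender_login_mismatch here: forwarders, mailing lists and
# third-party senders using the customer's address are judged by the usual
# sender checks only.
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions =
    check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

# A named restriction list for the submission service, referenced from
# master.cf so the -o override stays on one line with no whitespace.
mua_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

# master.cf -- the submission service is the only place where a sender
# address must match the SASL login that sent it.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=$mua_sender_restrictions
```

With this split, Shopify's servers on port 25 are never asked to be "logged in", so no per-IP exception is needed, while a user on port 587 still cannot send as a colleague's address. The `syslog_name` override also makes submission-side "not owned by user" rejections easy to tell apart from port-25 traffic in the mail log.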