Reverse smtpd_sender_login_maps

Tom Sommer
I'm trying to get smtpd_sender_login_maps to allow any sasl-auth'd user
to only send from the domain they are logged in as.

So SASL user "[hidden email]" would be able to send only from
"@example.com".

So far I have no luck turning the lookup table into this, is it even
possible?

Thanks
--
Tom

Re: Reverse smtpd_sender_login_maps

Vieri Di Paola
On Wed, Oct 7, 2020 at 2:34 PM Tom Sommer <[hidden email]> wrote:
>
> So SASL user "[hidden email]" would be able to send only from
> "@example.com".

smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre

content of /etc/postfix/login_maps.pcre:
/^(.*)@your(own)?domain\.org$/   ${1}

This would force sasl-authed user "me" to only send from
[hidden email] or [hidden email].
You can change the regex to allow from @domain instead.

Re: Reverse smtpd_sender_login_maps

Dominic Raferd
On Wed, 7 Oct 2020 at 14:04, Vieri Di Paola <[hidden email]> wrote:

>
> On Wed, Oct 7, 2020 at 2:34 PM Tom Sommer <[hidden email]> wrote:
> >
> > So SASL user "[hidden email]" would be able to send only from
> > "@example.com".
>
> smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
>
> content of /etc/postfix/login_maps.pcre:
> /^(.*)@your(own)?domain\.org$/   ${1}
>
> This would force sasl-authed user "me" to only send from
> [hidden email] or [hidden email].
> You can change the regex to allow from @domain instead.

If, for authenticated users, you also want to enforce an *exact match*
between the Envelope Sender and the mail address in the 'From:'
header, this is offered by the milter at
https://github.com/magcks/milterfrom (but I have not tested it).

To enforce a domain-only match between the Envelope Sender and the
mail address in the 'From:' header the only way I can think of is to
use DMARC with p=reject, which is a big hammer for the given nut. Can
postfwd help here?

Re: Reverse smtpd_sender_login_maps

Tom Sommer

On 2020-10-07 15:03, Vieri Di Paola wrote:
> On Wed, Oct 7, 2020 at 2:34 PM Tom Sommer <[hidden email]> wrote:
>>
>> So SASL user "[hidden email]" would be able to send only from
>> "@example.com".
>
> smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
>
> content of /etc/postfix/login_maps.pcre:
> /^(.*)@your(own)?domain\.org$/   ${1}


yea, this far I got. But I need the domain to be dynamic/wildcard (since
there are hundreds of thousands of domains).

---
Tom

Re: Reverse smtpd_sender_login_maps

Tom Sommer

On 2020-10-07 16:28, Dominic Raferd wrote:
> On Wed, 7 Oct 2020 at 14:04, Vieri Di Paola <[hidden email]>
> wrote:
>>
>> On Wed, Oct 7, 2020 at 2:34 PM Tom Sommer <[hidden email]> wrote:
>> >
>> > So SASL user "[hidden email]" would be able to send only from
>> > "@example.com".

>> This would force sasl-authed user "me" to only send from
>> [hidden email] or [hidden email].
>> You can change the regex to allow from @domain instead.
>
> If, for authenticated users, you also want to enforce an *exact match*
> between the Envelope Sender and the mail address in the 'From:'
> header, this is offered by the milter at
> https://github.com/magcks/milterfrom (but I have not tested it).

Not a bad idea to write a policy_service for this, should be rather
simple to do (if there is no built-in solution).

---
Tom
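
The policy service suggested in the last message could look like the following; this is an added example, not code from any poster in the thread or from the Postfix project. It speaks the Postfix policy delegation protocol on stdin/stdout and uses the protocol's `sasl_username` and `sender` attributes; the function names, the reject texts and the choice to reject an empty sender for authenticated clients are assumptions.

```python
#!/usr/bin/env python3
"""Policy-delegation sketch: SASL login domain must equal envelope sender domain."""
import sys


def parse_request(lines):
    """Parse one policy request (name=value lines) into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_of(address):
    """Return the lowercased domain of user@domain, or None if there is none."""
    local, sep, domain = address.rpartition("@")  # last "@" splits off the domain
    return domain.lower().rstrip(".") if sep and local and domain else None


def decide(attrs):
    """Return the action for one request; works for any number of domains."""
    login = attrs.get("sasl_username", "")
    if not login:
        return "DUNNO"  # not authenticated: leave it to the other restrictions
    login_domain = domain_of(login)
    if login_domain is None:
        return "REJECT 5.7.1 Login name carries no domain"
    # Assumption: an empty envelope sender from an authenticated client is refused too.
    if domain_of(attrs.get("sender", "")) != login_domain:
        return "REJECT 5.7.1 Sender domain does not match authenticated login"
    return "DUNNO"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; an empty line terminates each request."""
    request = []
    for line in stream_in:
        if line.strip():
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve()
```

Such a script is normally started by spawn(8) from master.cf and referenced with check_policy_service in the smtpd restrictions. Matching is on the exact domain, so a login at example.com may not send from sub.example.com.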