SASL login and Mail From field mismatch


SASL login and Mail From field mismatch

mate200
Hello everyone!

I'm trying to achieve a simple thing. When a user logs in via SASL and sends mail, I want postfix to check that the SASL login is identical to the MAIL FROM field.

As I can see, I can do that with 'reject_sender_login_mismatch', but usage of this option implies usage of 'smtpd_sender_login_maps'.
The problem is that I use MS AD as user list provider, so firstly, I thought about some tricky filter to achieve this, but I can't think up something workable. The second option is to create some hash 'file' and fill it with maps, but truly speaking I don't want to do this because it's manual work. Of course, I may write some script to download info from AD and put it in the file. However, maybe other options exist too?

I don't need a user to be able to write as another user, so a simple variable comparison like '$sasl_user == $mail_from' would be a perfect match.


Thanks in advance.

-- 
Best regards,
Mate200


Re: SASL login and Mail From field mismatch

Robert Schetterer-2
On 25.03.2018 at 18:44, [hidden email] wrote:

> Hello everyone!
>
> I'm trying to achieve a simple thing. When a user logs in via SASL and
> sends mail, I want postfix to check that the SASL login is identical to
> the MAIL FROM field.
>
> As I can see, I can do that with 'reject_sender_login_mismatch', but
> usage of this option implies usage of 'smtpd_sender_login_maps'.
> The problem is that I use MS AD as user list provider, so firstly, I
> thought about some tricky filter to achieve this, but I can't think up
> something workable. The second option is to create some hash 'file' and
> fill it with maps, but truly speaking I don't want to do this because
> it's manual work. Of course, I may write some script to download info
> from AD and put it in the file. However, maybe other options exist too?
>
> I don't need a user to be able to write as another user, so a simple
> variable comparison like '$sasl_user == $mail_from' would be a perfect
> match.
>
>
> Thanks in advance.
>
> --
>
> Best regards,
> Mate200
>
>

Do you want something like this?

https://github.com/croessner/vrfydmn


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: SASL login and Mail From field mismatch

Viktor Dukhovni
In reply to this post by mate200


> On Mar 25, 2018, at 12:44 PM, [hidden email] wrote:
>
> I'm trying to achieve a simple thing. When a user logs in via SASL and sends mail, I want postfix to check that the SASL login is identical to the MAIL FROM field.

Postfix does not support this directly. You'd need a milter or content filter for that.
One that receives the SASL user name and rewrites the "From" header accordingly.

> As I can see, I can do that with 'reject_sender_login_mismatch', but usage of this option implies usage of 'smtpd_sender_login_maps'.

Actually, no, because that checks the envelope sender, not the From: header.

> The problem is that I use MS AD as user list provider, so firstly, I thought about some tricky filter to achieve this, but I can't think up something workable.

It should be possible to construct an LDAP query that queries for "mail" and returns
SAMAccountName.  However, that still does not check the fact that you'll be
filtering the envelope sender.

For the From: header one would want not only the email address that matches the login name, but also the displayName.  This is not something that Postfix can do directly.
As mentioned above, that'd be a job for a content_filter or milter.

--
        Viktor.
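
The distinction drawn in the reply above (envelope sender versus From: header), as an added example that is not part of the thread and is not Postfix or vrfydmn code. The dictionary is a constructed stand-in for an smtpd_sender_login_maps lookup; all addresses, logins and function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-in for smtpd_sender_login_maps: address -> owning SASL login.
# In the thread's setup this would come from an AD/LDAP lookup (mail -> login).
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}

def owner_of(address, login_map=SENDER_LOGIN_MAP):
    """Return the login that owns an address, or None if it is unknown."""
    return login_map.get(address.strip().lower())

def envelope_ok(sasl_login, mail_from, login_map=SENDER_LOGIN_MAP):
    """Envelope check: the MAIL FROM address must be owned by the SASL login."""
    addr = parseaddr(mail_from)[1]
    return owner_of(addr, login_map) == sasl_login

def header_ok(sasl_login, raw_message, login_map=SENDER_LOGIN_MAP):
    """Header check: every From: address must be owned by the SASL login."""
    msg = message_from_string(raw_message)
    addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    # A message with no From: header fails the check rather than passing it.
    return bool(addrs) and all(owner_of(a, login_map) == sasl_login for a in addrs)

def evaluate(sasl_login, mail_from, raw_message):
    """Run both checks so the difference between them is visible."""
    return {"envelope": envelope_ok(sasl_login, mail_from),
            "header": header_ok(sasl_login, raw_message)}

# Constructed sample: alice authenticates and uses her own envelope sender,
# but the From: header carries bob's address.
SPOOFED = (
    "From: Bob <bob@example.com>\n"
    "To: carol@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
HONEST = SPOOFED.replace("Bob <bob@example.com>", "Alice <alice@example.com>")

if __name__ == "__main__":
    print(evaluate("alice", "<alice@example.com>", SPOOFED))
    print(evaluate("alice", "<alice@example.com>", HONEST))
    print(evaluate("alice", "<bob@example.com>", HONEST))
```

The first case passes the envelope check and fails only the header check, which is why an envelope-only restriction does not cover the From: header.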


Re: SASL login and Mail From field mismatch

mate200


On Sun, 2018-03-25 at 13:49 -0400, Viktor Dukhovni wrote:
> > On Mar 25, 2018, at 12:44 PM, [hidden email] wrote:
> >
> > I'm trying to achieve a simple thing. When a user logs in via SASL and sends mail, I want postfix to check that the SASL login is identical to the MAIL FROM field.
>
> Postfix does not support this directly. You'd need a milter or content filter for that. One that receives the SASL user name and rewrites the "From" header accordingly.
>
> > As I can see, I can do that with 'reject_sender_login_mismatch', but usage of this option implies usage of 'smtpd_sender_login_maps'.
>
> Actually, no, because that checks the envelope sender, not the From: header.
>
> > The problem is that I use MS AD as user list provider, so firstly, I thought about some tricky filter to achieve this, but I can't think up something workable.
>
> It should be possible to construct an LDAP query that queries for "mail" and returns SAMAccountName. However, that still does not check the fact that you'll be filtering the envelope sender.
>
> For the From: header one would want not only the email address that matches the login name, but also the displayName. This is not something that Postfix can do directly. As mentioned above, that'd be a job for a content_filter or milter.


Viktor, thank you for your reply!

Your answer has helped me a lot. I should definitely read about mail structure. Will do when I have time for that.

Thanks once again.

-- 
Best regards,
Mate200

Re: SASL login and Mail From field mismatch

mate200
In reply to this post by Robert Schetterer-2

On Sun, 2018-03-25 at 19:18 +0200, Robert Schetterer wrote:
> On 25.03.2018 at 18:44, [hidden email] wrote:
> > Hello everyone!
> >
> > I'm trying to achieve a simple thing. When a user logs in via SASL and sends mail, I want postfix to check that the SASL login is identical to the MAIL FROM field.
> >
> > As I can see, I can do that with 'reject_sender_login_mismatch', but usage of this option implies usage of 'smtpd_sender_login_maps'. The problem is that I use MS AD as user list provider, so firstly, I thought about some tricky filter to achieve this, but I can't think up something workable. The second option is to create some hash 'file' and fill it with maps, but truly speaking I don't want to do this because it's manual work. Of course, I may write some script to download info from AD and put it in the file. However, maybe other options exist too?
> >
> > I don't need a user to be able to write as another user, so a simple variable comparison like '$sasl_user == $mail_from' would be a perfect match.
> >
> > Thanks in advance.
> >
> > --
> > Best regards,
> > Mate200
>
> Do you want something like this?
>
> https://github.com/croessner/vrfydmn
>
> Best Regards
> MfG Robert Schetterer


Marvelous tool!!! It should do what I need.

Thank you, Robert!

-- 
Best regards,
Mate200