check_sasl_access question

check_sasl_access question

mj
Hi,

I would like to only allow sasl authenticated relay for specific users,
so I have in main.cf:

smtpd_relay_restrictions = permit_mynetworks, check_sasl_access
hash:/etc/postfix/sasl_list,....

and in /etc/postfix/sasl_list:
username1 OK
username2 REJECT
username3 OK
* REJECT

The config works. I tested: username1 can relay, username2 cannot.

However, I want to blacklist ALL my users, except username1 / username3,
so the line with "*" is ignored.

Googled and googled, but I can't find: How can I enter wildcards in that
file, or otherwise get the same result?

This is postfix 2.11.2

MJ
Re: check_sasl_access question

Viktor Dukhovni
On Fri, Aug 11, 2017 at 11:20:35PM +0200, mj wrote:

> I would like to only allow sasl authenticated relay for specific users, so I
> have in main.cf:
>
> smtpd_relay_restrictions = permit_mynetworks, check_sasl_access
> hash:/etc/postfix/sasl_list,....
>
> and in /etc/postfix/sasl_list:
> username1 OK
> username2 REJECT
> username3 OK
> * REJECT

"*" does not (and is not documented to) work as a wildcard in
indexed file tables.

> However, I want to blacklist ALL my users, except username1 / username3, so
> the line with "*" is ignored.

Far simpler:

    indexed = ${default_database_type}:${config_directory}/
    smtpd_relay_restrictions =
        permit_mynetworks,
        check_sasl_access ${indexed}sasl_list,
        reject_unauth_destination

    /etc/postfix/sasl_list:
        username1 OK
        username3 OK

With this, you only need to list the permitted users, there's no
need to list the rejects, these are handled by the required "default
deny" restriction at the end.

A user who wants to bypass explicit rejection can just remain
anonymous, by omitting authentication, and be rejected only when
attempting to relay, like everyone else.

--
        Viktor.
mj
Re: check_sasl_access question

mj
Hi Viktor!

Thanks for the quick reply!

On 08/11/2017 11:37 PM, Viktor Dukhovni wrote:

> Far simpler:
>
>      indexed = ${default_database_type}:${config_directory}/
>      smtpd_relay_restrictions =
>          permit_mynetworks,
>          check_sasl_access ${indexed}sasl_list,
>          reject_unauth_destination
>
>      /etc/postfix/sasl_list:
>          username1 OK
>          username3 OK
>
> With this, you only need to list the permitted users, there's no
> need to list the rejects, these are handled by the required "default
> deny" restriction at the end.
But.... where is the "default deny" at the end?

Because this does not look very different from my config:

> smtpd_relay_restrictions = permit_mynetworks, check_sasl_access hash:/etc/postfix/sasl_list, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access pcre:$config_directory/x-add-envelope-to

I don't see much difference..? (except the indexed = $....)

What am I missing/not seeing?

MJ
Re: check_sasl_access question

Viktor Dukhovni
On Sat, Aug 12, 2017 at 12:02:18AM +0200, mj wrote:

> > Far simpler:
> >
> >    indexed = ${default_database_type}:${config_directory}/
> >    smtpd_relay_restrictions =
> >        permit_mynetworks,
> >        check_sasl_access ${indexed}sasl_list,
> >        reject_unauth_destination
> >
> >    /etc/postfix/sasl_list:
> >        username1 OK
> >        username3 OK
> >
> > With this, you only need to list the permitted users, there's no
> > need to list the rejects, these are handled by the required "default
> > deny" restriction at the end.
>
> But.... where is the "default deny" at the end?

        reject_unauth_destination

> What am I missing/not seeing?

The "reject_unauth_destination" rejects all relay attempts, permitting
only inbound mail.  If you allow inbound mail from anonymous users,
there's no point in blocking it from specific authenticated users.

--
        Viktor.
mj
Re: check_sasl_access question

mj
Hi!

Right! Remove permit_sasl_authenticated and keep check_sasl_access
hash:/etc/postfix/sasl_list

Thanks! It works!

MJ
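The whole thread comes down to restriction order: with permit_sasl_authenticated sitting after check_sasl_access, any user the table does not name is permitted before reject_unauth_destination is ever reached, and a "*" entry in a hash: table never matches. The following is an added, simplified model of how Postfix walks smtpd_relay_restrictions (constructed for this thread, not Postfix code); the MYNETWORKS and RELAY_DOMAINS values are invented, and the SASL lookup is reduced to an exact-key match.

```python
# Simplified model of smtpd_relay_restrictions evaluation (constructed example, not
# Postfix code). Each restriction answers "OK", "REJECT" or "DUNNO" (keep going);
# falling off the end of the list permits, so the trailing reject_unauth_destination
# is the real "default deny" for relaying and the table only needs its OK entries.

MYNETWORKS = {"127.0.0.1"}        # constructed: trusted client addresses
RELAY_DOMAINS = {"example.org"}   # constructed: domains this server accepts inbound mail for

def permit_mynetworks(table, session):
    return "OK" if session["client"] in MYNETWORKS else "DUNNO"

def check_sasl_access(table, session):
    # Indexed (hash:) tables do exact-key lookups: a "*" entry never acts as a wildcard.
    user = session.get("sasl_user")
    return table.get(user, "DUNNO") if user else "DUNNO"

def permit_sasl_authenticated(table, session):
    return "OK" if session.get("sasl_user") else "DUNNO"

def reject_unauth_destination(table, session):
    domain = session["rcpt"].rsplit("@", 1)[1]
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"

RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, check_sasl_access,
                                        permit_sasl_authenticated, reject_unauth_destination)}

def evaluate(config, table, session):
    """Return (verdict, name of the restriction that decided it) for one SMTP session."""
    for name in config:
        verdict = RESTRICTIONS[name](table, session)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end-of-list"

# mj's original setup: permit_sasl_authenticated catches every user the table does not name.
ORIGINAL = ["permit_mynetworks", "check_sasl_access", "permit_sasl_authenticated", "reject_unauth_destination"]
ORIGINAL_TABLE = {"username1": "OK", "username2": "REJECT", "username3": "OK", "*": "REJECT"}

# Viktor's setup: only the permitted users are listed; everyone else reaches the default deny.
FIXED = ["permit_mynetworks", "check_sasl_access", "reject_unauth_destination"]
FIXED_TABLE = {"username1": "OK", "username3": "OK"}

def relay_verdict(config, table, user, client="203.0.113.5"):
    """Verdict for a relay attempt (recipient outside RELAY_DOMAINS) by the given SASL user."""
    session = {"client": client, "sasl_user": user, "rcpt": "someone@remote.example"}
    return evaluate(config, table, session)[0]
```

Running relay_verdict over both configurations shows that an unlisted "username4" relays under the original order but is rejected under Viktor's, while inbound mail for example.org is still accepted from anonymous clients.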