limit sasl usernames

mj
Hi all,

Is there a way to limit/restrict the usernames that are allowed to use
our postfix dovecot-sasl authenticated smtp relay?

We would like only *specific* usernames to be able to use the
authenticated relay. And currently everybody with dovecot imap access
can also use the relay. Is there a way to restrict that?

A simple list of usernames would work, or more advanced: dynamically
using an ldap lookup to check group membership.

Thanks in advance for pointers/tips,

MJ

Re: limit sasl usernames

Matus UHLAR - fantomas
On 08.08.17 13:35, mj wrote:
>Is there a way to limit/restrict the usernames that are allowed to
>use our postfix dovecot-sasl authenticated smtp relay?

http://www.postfix.org/postconf.5.html#check_sasl_access
should be what you search for.

>We would like only *specific* usernames to be able to use the
>authenticated relay. And currently everybody with dovecot imap access
>can also use the relay. Is there a way to restrict that?
>
>A simple list of usernames would work, or more advanced: dynamically
>using an ldap lookup to check group membership.

I believe you could use ldap tables here.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?

Re: limit sasl usernames

Wietse Venema
In reply to this post by mj
mj:
> Hi all,
>
> Is there a way to limit/restrict the usernames that are allowed to use
> our postfix dovecot-sasl authenticated smtp relay?

In smtpd_client_restrictions, use check_sasl_access:

   check_sasl_access type:table
          Use the remote SMTP client SASL user name as lookup key for the
          specified access(5) database. The lookup key has the form
          "username@domainname" when the smtpd_sasl_local_domain parameter
          value is non-empty. Unlike the check_client_access feature,
          check_sasl_access does not perform matches of parent domains or
          IP subnet ranges. This feature is available with Postfix
          version 2.11 and later.

        Wietse
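
Added example, not part of the original posts: one possible allow-list layout using check_sasl_access, with the permissive setting shown beside the restricted one. It places the check in smtpd_relay_restrictions (an assumption made here, so that an OK result is what grants relay permission); the file paths, user names and LDAP directory layout are constructed.

```conf
# /etc/postfix/main.cf  (paths and user names below are constructed examples)

# Before (assumed starting point): any successful SASL login may relay.
#smtpd_relay_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_destination

# After: only SASL logins that the table maps to OK may relay.
# Unlisted logins and unauthenticated clients get no match and fall
# through to reject_unauth_destination.
smtpd_relay_restrictions =
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/sasl_relay_users,
    reject_unauth_destination

# --- /etc/postfix/sasl_relay_users  (access(5) format: key, then action) ---
# The key is the SASL login name exactly as Postfix receives it; it has the
# form user@domain when smtpd_sasl_local_domain is non-empty.
#   alice    OK
#   bob      OK
# Rebuild the indexed map after every edit:
#   postmap /etc/postfix/sasl_relay_users

# --- LDAP variant (group membership instead of a static list) ---
# In main.cf, point the same restriction at an LDAP table:
#   check_sasl_access ldap:/etc/postfix/ldap_relay_users.cf
#
# /etc/postfix/ldap_relay_users.cf  (ldap_table(5) format)
# Assumes logins match the uid attribute and the directory exposes memberOf.
#   server_host      = ldap://ldap.example.com
#   search_base      = ou=people,dc=example,dc=com
#   query_filter     = (&(uid=%s)(memberOf=cn=smtp-relay,ou=groups,dc=example,dc=com))
#   result_attribute = uid
#   result_format    = OK
```

If master.cf overrides smtpd_relay_restrictions for the submission service with a -o option, the same change has to be made there, since that override takes precedence over main.cf for that service.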

Re: limit sasl usernames

mj
Hi all,

On 08/08/2017 04:05 PM, Wietse Venema wrote:
> mj:
> In smtpd_client_restrictions, use check_sasl_access:

Thanks very much for the replies, both on- and off-list!

MJ