reject_sender_login_mismatch exception

reject_sender_login_mismatch exception

Marek Kozlowski-2
:-)

I have all users in an LDAP database and store users' aliases, virtuals,
canonicals, forwards etc. as attributes. For that purpose using
`reject_sender_login_mismatch' seems to be a simple and powerful
solution for increasing security and I'm using it. Excluding some e-mail
addresses from this restriction if necessary is not a problem. The
problem is:
I'd like to allow sending mail from certain hosts as certain
users without SASL authentication. Let's say:

[hidden email] from host1.mydomain.com
[hidden email] from host2.mydomain.com
[hidden email] from host3.mydomain.com

That is: any process running on `host1' may send e-mail as `user1' (and
only that user!) without SASL authentication, but e-mails from `user1'
from any other host require SASL authentication as `user1'. Same for
`user2' and `user3'. I can find solutions for host exceptions. I can
find solutions for user exceptions. Unfortunately I cannot find a
solution that combines both. May I ask for a suggestion?

Best regards,
Marek


Re: reject_sender_login_mismatch exception

Bill Cole-3
On 7 Jun 2018, at 12:07, Marek Kozlowski wrote:

> :-)
>
> I have all users in an LDAP database and store users' aliases,
> virtuals, canonicals, forwards etc as attributes. For that purpose
> using the `reject_sender_login_mismatch' seems to be a simple and
> powerful solution for increasing security and I'm using it. Excluding
> some e-mail addresses from this restriction if necessary is not a
> problem. The problem is:
> I'd like to allow sending mail from some certain hosts as some certain
> users without SASL authentication. Let's say:
>
> [hidden email] from host1.mydomain.com
> [hidden email] from host2.mydomain.com
> [hidden email] from host3.mydomain.com
>
> That is: any process running on `host1' may send e-mail as `user1'
> (and only that user!) without SASL authentication but e-mails from
> `user1' from any other host require SASL authentication as `user1'.
> Same for `user2' and `user3'. I can find solutions for host
> exceptions. I can find solutions for user exceptions. Unfortunately I
> cannot find a solution that combines both. May I ask for a suggestion?

Look at the "Restriction Class" feature. See
http://www.postfix.org/RESTRICTION_CLASS_README.html

Effectively, restriction classes are a way of applying distinct sets of
restrictions (i.e. entries that can exist in smtpd_*_restrictions lists)
to various sets of users. So you might have something like:

main.cf:

    # one restriction class per sender; each one permits only its own host
    smtpd_restriction_classes = user1,user2,user3
    user1 = check_client_access inline:{ host1.mydomain.com=permit }
    user2 = check_client_access inline:{ host2.mydomain.com=permit }
    user3 = check_client_access inline:{ host3.mydomain.com=permit }
    # the sender access map hands each sender to its class; if the class
    # yields no result, evaluation continues with the next restriction
    smtpd_recipient_restrictions = [...] permit_sasl_authenticated
       check_sender_access inline:{[hidden email]=user1,
       [hidden email]=user2, [hidden email]=user3}
       [...]
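As an added illustration (my own code, not Postfix's and not from the reply), the following Python models how Postfix walks a restriction list, loaded with the reply's classes and sender table, so the combined host-plus-user exception can be checked offline. It assumes constructed addresses userN@example.com in place of the hidden ones, SASL login names equal to the local part, and that reject_sender_login_mismatch sits after the check_sender_access lookup and before permit_sasl_authenticated, because a logged-in client is otherwise permitted before the ownership check ever runs.

```python
from dataclasses import dataclass

# Constructed sample data; the thread hides the real addresses.
HOST_OF = {"user1@example.com": "host1.mydomain.com",
           "user2@example.com": "host2.mydomain.com",
           "user3@example.com": "host3.mydomain.com"}
# check_sender_access table: sender -> restriction class name (as in the reply).
SENDER_ACCESS = {sender: f"user{i}" for i, sender in enumerate(HOST_OF, 1)}
# smtpd_restriction_classes: each class permits its one host, otherwise yields nothing.
CLASSES = {cls: [("check_client_access", {HOST_OF[s]: "permit"})]
           for s, cls in SENDER_ACCESS.items()}
# smtpd_sender_login_maps: sender -> SASL logins that own it (assumed login == local part).
LOGIN_MAPS = {s: {s.split("@")[0]} for s in HOST_OF}

@dataclass
class Session:
    client: str       # client hostname as seen by check_client_access
    sender: str       # MAIL FROM address
    login: str = ""   # SASL login name; "" when unauthenticated

def lookup_client(table, host):
    # check_client_access tries the hostname, then each parent domain.
    labels = host.lower().split(".")
    return next((table[d] for d in (".".join(labels[i:]) for i in range(len(labels)))
                 if d in table), None)

def evaluate(restrictions, s):
    """Return 'permit', 'reject' or 'dunno' (list exhausted without a decision)."""
    for name, table in restrictions:
        if name == "permit_sasl_authenticated":
            result = "permit" if s.login else None
        elif name == "check_client_access":
            result = lookup_client(table, s.client)
        elif name == "check_sender_access":
            result = table.get(s.sender.lower())
        elif name == "reject_sender_login_mismatch":
            owners = LOGIN_MAPS.get(s.sender.lower(), set())
            # Reject an owned sender without login, or a login that does not own the sender.
            result = "reject" if (owners and not s.login) or (s.login and s.login not in owners) else None
        else:
            raise ValueError(f"unmodelled restriction {name}")
        if result in CLASSES:                  # the access map named a restriction class
            result = evaluate(CLASSES[result], s)
        if result in ("permit", "reject"):     # a decision ends the list; "dunno" continues
            return result
    return "dunno"

# Order matters: the class lookup must precede the ownership check, and the ownership
# check must precede permit_sasl_authenticated, or a logged-in user could send as anyone.
SAFE_ORDER = [("check_sender_access", SENDER_ACCESS),
              ("reject_sender_login_mismatch", None),
              ("permit_sasl_authenticated", None)]
```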