smtp_sender_restrictions

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

smtp_sender_restrictions

Janis-2
Hello,

This is my first question to mailing list, so i hope i get this right.

I think it is better to describe general architecture first and then
what i am trying to achieve.

This Postfix instance is configured to use Dovecot SASL for LOGIN
function and permissions. That part works. SASL auth is configured so
that username is an email address. Only virtual mailboxes are used, but
in this instance it is not that important, since the question is only
about outgoing mail restrictions.

The problem is that authenticated senders can send "mail from" from
whatever they please if i do not place any restrictions. Thus i decided
to use:
smtp_sender_restrictions = reject_sender_login_mismatch

It limits "mail from" as expected, but the problem is that i must
"duplicate" kind of what i already have in Dovecot user database in
$smtpd_sender_login_maps file. I am using hash type for
$smtpd_sender_login_maps. It works very well with allowing to use "alias
e-mail" address as "mail from" as well.

What i would like to achieve is to permit sender to set "mail from" the
same value as his SASL auth username or some specially allowed "alias
e-mail" addresses that are defined somewhere. For example, if user1 is
allowed to respond for his company, he would authenticate as
[hidden email] and could set "mail from" 1) [hidden email] or 2)
[hidden email].

I can achieve this at the moment by writing both lines in login_maps
file, but it feels kind of wrong way to do things. Is there a way not to
duplicate Dovecot usernames and permit 1st case restriction in "mail
from" something like permit_sasl_username_as_mail_from?

I was looking directly at
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but
none of the options seemed right for this use case. Maybe if i scratched
my head a bit, i could come up with some "tricky" SQL query as a
workaround and use reject_sender_login_mismatch, but maybe i have just
overlooked some simple setting, thus i ask for any input.

Thank you!

Best wishes,
Janis


Reply | Threaded
Open this post in threaded view
|

Re: smtp_sender_restrictions

Viktor Dukhovni
On Fri, Sep 18, 2020 at 07:01:26PM +0300, Janis wrote:

> What I would like to achieve is to permit sender to set "mail from" the
> same value as his SASL auth username or some specially allowed "alias
> e-mail" addresses that are defined somewhere. For example, if user1 is
> allowed to respond for his company, he would authenticate as
> [hidden email] and could set "mail from" 1) [hidden email] or 2)
> [hidden email].
>
> I can achieve this at the moment by writing both lines in login_maps
> file, but it feels kind of wrong way to do things. Is there a way not to
> duplicate Dovecot usernames and permit 1st case restriction in "mail
> from" something like permit_sasl_username_as_mail_from?
>
> I was looking directly at
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but
> none of the options seemed right for this use case.

Did you also look at:

    <http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>?

That text reads in part:

    Optional lookup table with the SASL login names that own the sender
    (MAIL FROM) addresses.

    Specify zero or more "type:name" lookup tables, separated by
            --------------------------------------
    whitespace or comma. Tables will be searched in the specified order
    until a match is found. With lookups from indexed files such as DB
    or DBM, or from networked tables such as NIS, LDAP or SQL, the
    following search operations are done with a sender address of
    user@domain:

Therefore, you can use:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        pcre = pcre:${config_directory}/
        smpd_sender_login_maps =
            ${pcre}same-as-sender.pcre,
            ${indexed}adhoc

    same-as-sender.pcre:
        # [hidden email] [hidden email]
        /^(.*)$/        $1

    adhoc:
        # All the users allowed to send as "info@..."
        [hidden email] [hidden email], [hidden email], ...
       
> Maybe if i scratched
> my head a bit, i could come up with some "tricky" SQL query as a
> workaround and use reject_sender_login_mismatch, but maybe i have just
> overlooked some simple setting, thus i ask for any input.

SQL can be a good option if it meshes well with the provisioning process
and the list of adhoc mappings is fairly dynamic.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: smtp_sender_restrictions

Wietse Venema
In reply to this post by Janis-2
Janis:

> Hello,
>
> This is my first question to mailing list, so i hope i get this right.
>
> I think it is better to describe general architecture first and then
> what i am trying to achieve.
>
> This Postfix instance is configured to use Dovecot SASL for LOGIN
> function and permissions. That part works. SASL auth is configured so
> that username is an email address. Only virtual mailboxes are used, but
> in this instance it is not that important, since the question is only
> about outgoing mail restrictions.
>
> The problem is that authenticated senders can send "mail from" from
> whatever they please if i do not place any restrictions. Thus i decided
> to use:
> smtp_sender_restrictions = reject_sender_login_mismatch
>
> It limits "mail from" as expected, but the problem is that i must
> "duplicate" kind of what i already have in Dovecot user database in
> $smtpd_sender_login_maps file. I am using hash type for
> $smtpd_sender_login_maps. It works very well with allowing to use "alias
> e-mail" address as "mail from" as well.

You could use regular expressions:

/etc/postfix/main.cf:
    smtpd_sender_login_maps = pcre:/etc/postfix/sender_login

/etc/postfix/sender_login:
    # each sender is 'owned' by the login with the same name.
    /^(\S+@\S+)$/ $1

As long as the SASL login names are validated by trusted code,
this should be safe.

        Wietse

> What i would like to achieve is to permit sender to set "mail from" the
> same value as his SASL auth username or some specially allowed "alias
> e-mail" addresses that are defined somewhere. For example, if user1 is
> allowed to respond for his company, he would authenticate as
> [hidden email] and could set "mail from" 1) [hidden email] or 2)
> [hidden email].
>
> I can achieve this at the moment by writing both lines in login_maps
> file, but it feels kind of wrong way to do things. Is there a way not to
> duplicate Dovecot usernames and permit 1st case restriction in "mail
> from" something like permit_sasl_username_as_mail_from?
>
> I was looking directly at
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but
> none of the options seemed right for this use case. Maybe if i scratched
> my head a bit, i could come up with some "tricky" SQL query as a
> workaround and use reject_sender_login_mismatch, but maybe i have just
> overlooked some simple setting, thus i ask for any input.
>
> Thank you!
>
> Best wishes,
> Janis
>
>
>