using smtpd_sender_login_maps for diagnostic

using smtpd_sender_login_maps for diagnostic

Patrick Proniewski
Hello,

I would like to progressively restrict the ability for users to impersonate other email addresses when they use our authenticated SMTP (Postfix + Dovecot). We have about 2500 users on this SMTP server but we have about 50K total users and 60K email addresses.
As a first step I would like to set up a diagnostic to find out who is sending emails that would violate a given smtpd_sender_login_maps, without triggering a true Reject. A line in the log file would be great.

Is that possible?

Thanks,
Patrick
Re: using smtpd_sender_login_maps for diagnostic

Wietse Venema
[hidden email]:
> Hello,

>I would like to progressively restrict the ability for users to
>impersonate other email addresses when they use our authenticated
>SMTP (Postfix + Dovecot). We have about 2500 users on this SMTP
>server but we have about 50K total users and 60K email addresses.
>As a first step I would like to set up a diagnostic to find out who
>is sending emails that would violate a given smtpd_sender_login_maps,
>without triggering a true Reject. A line in the log file would be
>great.
>
>Is that possible?

Postfix has a universal "warn if you would reject" feature:

/etc/postfix/main.cf:
    smtpd_mumble_restrictions =
        ...
        warn_if_reject reject_sender_login_mismatch
        ...

It's designed for testing new rules.

        Wietse
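
Once the warn_if_reject rule from the reply above is active, the would-be rejections can be tallied from the mail log. The Python sketch below is an added example, not part of the original thread; the log lines are constructed, and the assumed line shape ("reject_warning" followed by "Sender address rejected: not owned by user ...") should be checked against your own Postfix logs.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs). Assumption: warn_if_reject hits
# are logged as "reject_warning", real rejections as "reject".
SAMPLE_LOG = """\
Feb 21 16:02:11 mx1 postfix/smtpd[4121]: NOQUEUE: reject_warning: RCPT from c1.example.org[192.0.2.10]: 553 5.7.1 <ceo@example.org>: Sender address rejected: not owned by user alice; from=<ceo@example.org> to=<bob@example.net> proto=ESMTP helo=<c1.example.org>
Feb 21 16:05:40 mx1 postfix/smtpd[4121]: NOQUEUE: reject_warning: RCPT from c1.example.org[192.0.2.10]: 553 5.7.1 <ceo@example.org>: Sender address rejected: not owned by user alice; from=<ceo@example.org> to=<dan@example.net> proto=ESMTP helo=<c1.example.org>
Feb 21 16:07:02 mx1 postfix/smtpd[4130]: NOQUEUE: reject_warning: RCPT from c1.example.org[192.0.2.10]: 553 5.7.1 <Sales@example.org>: Sender address rejected: not owned by user alice; from=<Sales@example.org> to=<eve@example.net> proto=ESMTP helo=<c1.example.org>
Feb 21 16:09:15 mx1 postfix/smtpd[4133]: NOQUEUE: reject_warning: RCPT from c2.example.org[192.0.2.11]: 553 5.7.1 <alice@example.org>: Sender address rejected: not owned by user bob; from=<alice@example.org> to=<eve@example.net> proto=ESMTP helo=<c2.example.org>
Feb 21 16:10:00 mx1 postfix/smtpd[4140]: NOQUEUE: reject: RCPT from c3.example.org[192.0.2.12]: 553 5.7.1 <x@example.org>: Sender address rejected: not owned by user carol; from=<x@example.org> to=<eve@example.net> proto=ESMTP helo=<c3.example.org>
Feb 21 16:11:30 mx1 postfix/smtpd[4141]: NOQUEUE: reject_warning: RCPT from c4.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example; from=<y@example.org> to=<eve@example.net> proto=ESMTP helo=<c4.example.org>
"""

# Match only warnings produced by the sender/login ownership check.
PATTERN = re.compile(
    r"NOQUEUE: reject_warning: \S+ from (?P<client>\S+): "
    r"\d{3} [\d.]+ <(?P<sender>[^>]*)>: Sender address rejected: "
    r"not owned by user (?P<login>[^;]+);"
)

def mismatches(lines):
    """Count (login, sender) pairs that the rule would have rejected."""
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            counts[(m["login"], m["sender"].lower())] += 1
    return counts

def report(counts):
    """Group senders by login, busiest login first."""
    by_login = {}
    for (login, sender), n in counts.items():
        by_login.setdefault(login, {})[sender] = n
    return sorted(by_login.items(), key=lambda kv: -sum(kv[1].values()))

if __name__ == "__main__":
    for login, senders in report(mismatches(SAMPLE_LOG.splitlines())):
        for sender, n in sorted(senders.items()):
            print(f"{login}\t{sender}\t{n}")
```

Each login/sender pair in the output is either a missing entry for smtpd_sender_login_maps or a user to contact before the rule is switched from warning to rejecting.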
Re: using smtpd_sender_login_maps for diagnostic

Patrick Proniewski
February 21, 2020 4:00 PM, "Wietse Venema" <[hidden email]> wrote:

> [hidden email]:
>
>> Hello,
>>
>> I would like to progressively restrict the ability for users to
>> impersonate other email addresses when they use our authenticated
>> SMTP (Postfix + Dovecot). We have about 2500 users on this SMTP
>> server but we have about 50K total users and 60K email addresses.
>> As a first step I would like to set up a diagnostic to find out who
>> is sending emails that would violate a given smtpd_sender_login_maps,
>> without triggering a true Reject. A line in the log file would be
>> great.
>>
>> Is that possible?
>
> Postfix has a universal "warn if you would reject" feature:
>
> /etc/postfix/main.cf:
> smtpd_mumble_restrictions =
> ...
> warn_if_reject reject_sender_login_mismatch
> ...
>
> It's designed for testing new rules.


It rings a bell, my bad!

Thanks a lot
Patrick
Re: using smtpd_sender_login_maps for diagnostic

Wietse Venema
[hidden email]:

> > Postfix has a universal "warn if you would reject" feature:
> >
> > /etc/postfix/main.cf:
> > smtpd_mumble_restrictions =
> > ...
> > warn_if_reject reject_sender_login_mismatch
> > ...
> >
> > It's designed for testing new rules.
>
> It rings a bell, my bad!

BTW in header/body_checks maps one would just prepend "WARN" to the
lookup result. Thus, to test "reject bad attachment type" specify
"warn reject bad attachment type". Prepending "WARN" should work
in access maps, too.

        Wietse