Re: AND parameters of Postfix question ?

From: Rene van Hoek (no email)
Date: Mon May 28 2007 - 02:26:46 EDT

  • Next message: Truong Tan Son: "Re: AND parameters of Postfix question ?"

    Truong Tan Son wrote:
    > Dear Sir,
    >
    > I hesitate when using parameters of Postfix.
    >
    > smtpd_sender_restrictions = option1, option2
    >
    > Check "option2" after passing "option1".
    > Result = option1 && option2.

    With 'smtpd_sender_restrictions' the operands are not interpreted with an
    'and' operator. See:
    http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

    'Restrictions are applied in the order as specified; the first
    restriction that matches wins.'

    So if 'option1' is 'true', 'option2' is not considered.

    >
    > ==My scenario===
    >
    > mynetworks = 127.0.0.1/8, 172.16.20.0/25, 172.16.30.0/25
    > smtpd_sasl_auth_enable = yes
    > smtpd_sasl_authenticated_header = yes
    > smtpd_reject_unlisted_recipient = yes
    > broken_sasl_auth_clients = yes
    >
    > smtpd_sender_login_maps = hash:/etc/postfix/login_maps
    >
    > smtpd_sender_restrictions = check_sender_access
    > hash:/etc/postfix/sender_access \
    > check_client_access cidr:/etc/postfix/client_access\
    > reject_unlisted_sender,reject_sender_login_mismatch \
    > reject_unauthenticated_sender_login_mismatch \
    > permit_sasl_authenticated
    >
    > #/etc/postfix/sender_access
    > permit_mynetwork, reject
    >
    > ip address clients : 172.16.20.1
    > 172.16.20.2
    >
    >
    You have 'permit_sasl_authenticated' rather 'late' in your restrictions
    list. Consider moving it up. What is in your '/etc/postfix/client_access'?

    This is my config:

    smtpd_recipient_restrictions =
             permit_sasl_authenticated
             reject_unauth_destination
             permit_mynetworks
            [other checks]

    Please make sure you have 'reject_unauth_destination' in the correct
    place, otherwise you can make your mta an open-relay.

    Please see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger

    > SASL Authen did not check logged in, not reject_sender_login_mismatch,
    > ...It passes all senders in networks.
    >
    >
    >
    > What is wrong and how to make SASL Authen work in this case ?
    >
    >
    >
    >
    > Thank you and best regards,
    > --
    > Truong Tan Son.
    >
    >
    >
    >

    Greetings,

    Rene van Hoek
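
An added illustration, not part of Rene van Hoek's message and not Postfix code: a simplified Python model of how one restriction list is evaluated, showing the "first restriction that matches wins" rule and why a permit placed ahead of 'reject_unauth_destination' lets mail be relayed. The sample networks, domains, table contents and the SPOOF and RELAY sessions are constructed assumptions.

```python
import ipaddress

# Constructed sample data; the names and addresses below are assumptions.
MYNETWORKS = ["127.0.0.0/8", "172.16.20.0/25"]
LOCAL_DOMAINS = {"example.com"}
SENDER_OWNERS = {"alice@example.com": "alice"}   # stands in for smtpd_sender_login_maps
SENDER_ACCESS = {"partner.test": "OK"}           # stands in for a check_sender_access table

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "OK" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s.get("sasl_user") else "DUNNO"

def check_sender_access(s):
    return SENDER_ACCESS.get(s["sender"].rsplit("@", 1)[1], "DUNNO")

def reject_unauth_destination(s):
    # Simplified: only mail for our own domains is an authorized destination.
    return "DUNNO" if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else "REJECT"

def reject_sender_login_mismatch(s):
    owner, user = SENDER_OWNERS.get(s["sender"]), s.get("sasl_user")
    return "REJECT" if (owner or user) and owner != user else "DUNNO"

def evaluate(restrictions, session):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for check in restrictions:
        verdict = check(session)
        if verdict != "DUNNO":
            return verdict, check.__name__
    return "OK", "end of list"   # nothing matched: this list raises no objection

# Unauthenticated LAN client using an address owned by the login "alice".
SPOOF = {"client": "172.16.20.1", "sasl_user": None,
         "sender": "alice@example.com", "rcpt": "bob@example.com"}
# Outside client, remote recipient, sender domain that the access table permits.
RELAY = {"client": "203.0.113.9", "sasl_user": None,
         "sender": "x@partner.test", "rcpt": "someone@remote.test"}

if __name__ == "__main__":
    print(evaluate([permit_mynetworks, reject_sender_login_mismatch], SPOOF))
    print(evaluate([reject_sender_login_mismatch, permit_mynetworks], SPOOF))
    print(evaluate([check_sender_access, reject_unauth_destination], RELAY))
    print(evaluate([reject_unauth_destination, check_sender_access], RELAY))
```

In the first and third lists an earlier permit ends evaluation before the later reject is reached; swapping the order produces the reject.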

