From: Rene van Hoek (no email)
Date: Mon May 28 2007 - 02:26:46 EDT
Truong Tan Son wrote:
> Dear Sir,
>
> I hesitate when using parameters of Postfix.
>
> smtpd_sender_restrictions = option1, option2
>
> Check "option2" after passing "option1".
> Result = option1 && option2.
With 'smtpd_sender_restrictions' the operands are not interpreted with an
'and' operator. See:
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
'Restrictions are applied in the order as specified; the first
restriction that matches wins.'
So if 'option1' is 'true', 'option2' is not considered.
>
> ==My scenario===
>
> mynetworks = 127.0.0.1/8, 172.16.20.0/25, 172.16.30.0/25
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_reject_unlisted_recipient = yes
> broken_sasl_auth_clients = yes
>
> smtpd_sender_login_maps = hash:/etc/postfix/login_maps
>
> smtpd_sender_restrictions = check_sender_access
> hash:/etc/postfix/sender_access \
> check_client_access cidr:/etc/postfix/client_access\
> reject_unlisted_sender,reject_sender_login_mismatch \
> reject_unauthenticated_sender_login_mismatch \
> permit_sasl_authenticated
>
> #/etc/postfix/sender_access
> permit_mynetwork, reject
>
> ip address clients : 172.16.20.1
> 172.16.20.2
>
>
You have 'permit_sasl_authenticated' rather 'late' in your restrictions
list. Consider moving it up. What is in your '/etc/postfix/client_access'?

This is my config:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    permit_mynetworks
    [other checks]

Please make sure you have 'reject_unauth_destination' in the correct
place, otherwise you can make your mta an open-relay.
Please see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger
> SASL Authen did not check logged in, not reject_sender_login_mismatch,
> ...It passes all senders in networks.
>
>
>
> What is wrong and how to make SASL Authen work in this case ?
>
>
>
>
> Thank you and best regards,
> --
> Truong Tan Son.
>
>
>
>
Greetings,
Rene van Hoek
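
The first-match-wins evaluation described in the reply above, as an added example that is not part of the original message and is not Postfix code. It is a simplified Python model of a single restriction list; the login map, local domain and the two sessions are constructed sample values, and only the mynetworks ranges come from the post.

```python
# Toy model (added example) of how Postfix walks ONE smtpd_*_restrictions list:
# each restriction yields OK, REJECT or DUNNO; the first non-DUNNO result wins.
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
# mynetworks as quoted in the post; strict=False tolerates "127.0.0.1/8".
MYNETWORKS = [ipaddress.ip_network(n, strict=False)
              for n in ("127.0.0.1/8", "172.16.20.0/25", "172.16.30.0/25")]
LOGIN_MAPS = {"alice@example.com": "alice"}  # constructed: sender -> owning login
LOCAL_DOMAINS = {"example.com"}              # constructed: domains we accept mail for

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return OK if any(ip in net for net in MYNETWORKS) else DUNNO

def permit_sasl_authenticated(s):
    return OK if s.get("sasl_user") else DUNNO

def reject_sender_login_mismatch(s):
    owner, user = LOGIN_MAPS.get(s["sender"]), s.get("sasl_user")
    if user:
        return REJECT if owner != user else DUNNO  # logged in, but not the owner
    return REJECT if owner else DUNNO              # owned address, nobody logged in

def reject_unauth_destination(s):
    domain = s["recipient"].rsplit("@", 1)[1]
    return DUNNO if domain in LOCAL_DOMAINS else REJECT

def evaluate(restrictions, session):
    """Return (verdict, deciding rule, names of the rules actually evaluated)."""
    evaluated = []
    for rule in restrictions:
        evaluated.append(rule.__name__)
        verdict = rule(session)
        if verdict != DUNNO:                       # first match wins, stop here
            return verdict, rule.__name__, evaluated
    return DUNNO, None, evaluated                  # no rule in this list decided

# Constructed: unauthenticated client inside mynetworks using alice's address.
SPOOF = {"client": "172.16.20.2", "sasl_user": None,
         "sender": "alice@example.com", "recipient": "bob@example.com"}
# Constructed: outside client asking for relay to a domain we do not host.
RELAY = {"client": "203.0.113.9", "sasl_user": None,
         "sender": "x@example.net", "recipient": "y@example.org"}

if __name__ == "__main__":
    print(evaluate([permit_mynetworks, reject_sender_login_mismatch], SPOOF))
    print(evaluate([reject_sender_login_mismatch, permit_mynetworks], SPOOF))
    print(evaluate([permit_sasl_authenticated, reject_unauth_destination,
                    permit_mynetworks], RELAY))
```

With the permit placed first, the mismatch check is never evaluated for clients inside mynetworks; with the order reversed, the same session is rejected.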