Re: Double restrictions for SMTP Authen question ?

From: Victor Duchovni (no email)
Date: Wed May 30 2007 - 09:57:22 EDT

  • Next message: Craig Skinner: "Re: about greylist.pl and alternatives"

    On Wed, May 30, 2007 at 02:46:48PM +0700, Truong Tan Son wrote:

    > It is correct. But it needs login/password even when the recipient is in the LAN.
    >

    No, internal recipients are allowed by permit_auth_destination, and
    are not rejected by reject_unauth_destination, so in both sender
    and recipient restrictions they get through without SASL.

    > Victor Duchovni wrote:
    > >On Wed, May 30, 2007 at 01:23:24PM +0700, Truong Tan Son wrote:
    > >
    > >>if (client_ip in LAN) then
    > >> if (sender in SASL_user) then
    > >> if (to_recipient in Internet) then
    > >> if (sender in permit_sender) then
    > >> ok
    > >
    > > ??? Authenticated user or sender address ???
    > Authenticated sender address (MAIL FROM:)
    > >
    > >> else
    > >> reject
    > >> fi
    > else
    > if (to_recipient in LAN) then
    > ok
    > >> fi
    > > else
    > > ??? What if sender is not SASL authenticated ???
    > reject
    > >> fi
    > > else
    > > ??? What if the client IP is not on your LAN ???
    > permit some ip_MTA of related subdomains.
    >
    > >>fi
    > >
    > >Sounds like you want to limit access to outbound email to authenticated
    > >users on your LAN who submit directly to your outbound submission service,
    > >and specifically to a subset of those users who are listed in some access
    > >table. This is possible, but slightly indirectly:
    > >
    > > smtpd_sender_login_maps = hash:/etc/postfix/sender_login
    > >
    > > smtpd_sender_restrictions =
    > > # Only filter outbound mail
    > > permit_auth_destination,
    > > # Reject remote clients
    > > check_client_access cidr:/etc/postfix/reject_remote.cidr,
    > > # Enforce sender<->login consistency
    > > reject_sender_login_mismatch,
    > > # Apply sender address ACL
    > > check_sender_access hash:/etc/postfix/sender_out_acl,
    > > # Reject if not whitelisted above
    > > reject
    > >
    > > smtpd_recipient_restrictions =
    > ># Outbound relay requires SASL
    > > permit_sasl_authenticated,
    > ># Everything else must be inbound
    > >reject_unauth_destination,
    > ># UCE controls.
    > >
    > >sender_login:
    > > joelogin
    > > ...
    > >
    > >reject_remote.cidr:
    > > 192.0.2.0/24 DUNNO May relay if authenticated ...
    > > 0.0.0.0/0 REJECT Relay access denied
    > >
    > >
    > >sender_out_acl:
    > > OK to relay from LAN when authenticated as joelogin
    > >
    > >
    > >--
    > >Viktor.
    > >

    -- 
    	Viktor.
    Disclaimer: off-list followups get on-list replies or get ignored.
    Please do not ignore the "Reply-To" header.
    To unsubscribe from the postfix-users list, visit
    http://www.postfix.org/lists.html or click the link below:
    <mailto:?body=unsubscribe%20postfix-users>
    If my response solves your problem, the best way to thank me is to not
    send an "it worked, thanks" follow-up. If you must respond, please put
    "It worked, thanks" in the "Subject" so I can delete these quickly.
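As an added illustration (not part of the thread or of Postfix itself), the following Python models how Postfix walks the two restriction lists in Viktor's configuration, to show why a LAN recipient gets through without SASL while outbound mail needs an authenticated, whitelisted sender. The recipient domain, the sender address and the map contents are constructed here; only the login name and the 192.0.2.0/24 range come from the thread.

```python
import ipaddress

# Constructed stand-ins for the maps in Viktor's config (not the list's data).
MYDESTINATION = {"example.com"}                   # internal (LAN) recipient domains
LAN_CIDR = ipaddress.ip_network("192.0.2.0/24")   # the DUNNO entry in reject_remote.cidr
SENDER_LOGIN = {"joe@example.com": {"joelogin"}}  # sender_login: sender -> owning logins
SENDER_OUT_ACL = {"joe@example.com": "OK"}        # sender_out_acl: senders allowed out


def is_auth_destination(rcpt):
    """True when the recipient domain is one we accept mail for (inbound)."""
    return rcpt.rsplit("@", 1)[1].lower() in MYDESTINATION


def sender_restrictions(client_ip, sasl_user, sender, rcpt):
    """Walk smtpd_sender_restrictions in order; the first OK/REJECT ends the list."""
    if is_auth_destination(rcpt):                 # permit_auth_destination
        return "OK"                               # inbound mail is never filtered here
    if ipaddress.ip_address(client_ip) not in LAN_CIDR:   # check_client_access cidr
        return "REJECT"                           # 0.0.0.0/0 REJECT Relay access denied
    owners = SENDER_LOGIN.get(sender.lower(), set())
    if sasl_user and sasl_user not in owners:     # reject_sender_login_mismatch:
        return "REJECT"                           #   login does not own this sender
    if not sasl_user and owners:                  #   sender is owned but client not logged in
        return "REJECT"
    if SENDER_OUT_ACL.get(sender.lower()) == "OK":  # check_sender_access hash
        return "OK"
    return "REJECT"                               # final reject: not whitelisted above


def recipient_restrictions(sasl_user, rcpt):
    """Walk smtpd_recipient_restrictions; reaching the end means permit."""
    if sasl_user:                                 # permit_sasl_authenticated
        return "OK"
    if not is_auth_destination(rcpt):             # reject_unauth_destination
        return "REJECT"
    return "OK"                                   # inbound mail goes on to UCE controls


def decide(client_ip, sasl_user, sender, rcpt):
    """Both lists must pass: a REJECT in either one rejects the RCPT TO."""
    if sender_restrictions(client_ip, sasl_user, sender, rcpt) == "REJECT":
        return "REJECT"
    return recipient_restrictions(sasl_user, rcpt)
```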
