LDAP smtpd_sender_login_maps @domain owner

From: Gary C. New (no email)
Date: Tue Mar 04 2008 - 15:46:40 EST


    I am trying to secure our postfix server from forged
    UCE that originates and is destined for a domain on the
    same server. From my research, the best way to
    accomplish this seems to be with SMTP Auth,
    reject_sender_login_mismatch, and
    smtpd_sender_login_maps. The current configuration
    makes use of our LDAP server for virtual_maps and we
    would prefer to do the same with the
    smtpd_sender_login_maps.

    While we are able to configure
    reject_sender_login_mismatch and ldap based
    smtpd_sender_login_maps on a basic per user@domain
    level, we have a number of users who have multiple
    sender addresses and domains that send email through a
    primary SMTP Auth'ed sender address. The current
    user@domain level mapping disables these users from
    sending email messages outside of the primary sender
    address.

    The following is our current ldap based
    smtpd_sender_login_maps:

    ldaploginmaps_server_host = 127.0.0.1
    ldaploginmaps_server_port = 389
    ldaploginmaps_bind = yes
    ldaploginmaps_bind_dn = uid=postfix,ou=admins,dc=test,dc=org
    ldaploginmaps_bind_pw = ******
    ldaploginmaps_timeout = 5
    ldaploginmaps_search_base = dc=test,dc=org
    ldaploginmaps_query_filter = (|(mailLocalAddress=%s)(mailAlias=%s))
    ldaploginmaps_result_attribute = mailRoutingAddress, mailForwardingAddress
    ldaploginmaps_lookup_wildcards = no

    In the sample-smtpd.cf it shows the search order of
    smtpd_sender_login_maps to be user@domain, user, and
    @domain, respectively. While our users have several
    different user addresses, they are quite commonly
    under a single @domain. Would it be possible to
    configure the ldap based smtpd_sender_login_maps to
    match on the @domain level of the search order? How
    might this be accomplished?

    Is the @domain search part of the query_filter or the
    result_attribute? Does the @domain require the "@"
    symbol to be prepended to the domain (@test.org)? If
    so, how might we prepend the "@" symbol to the
    beginning of the domain (result_format = @%d)?

    We essentially want to make sure a user is SMTP
    Auth'ed before they are allowed to send a message from
    any user or @domain on the server.

    Thank you for your assistance.

    Respectfully,

    Gary
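
Added example, not part of the original message and not Postfix code: a small Python model of the smtpd_sender_login_maps search order quoted above (user@domain, user, @domain) and of the accept/reject decision made by reject_sender_login_mismatch. The map contents, the logins, the example.net domain and all function names are assumptions constructed for illustration.

```python
# Model of the documented smtpd_sender_login_maps lookup order and the
# reject_sender_login_mismatch decision. Illustration only, not Postfix source.
import re

# Constructed sample map: lookup key -> SASL login names that own that sender.
SAMPLE_MAP = {
    "gary@test.org": "gary",        # exact user@domain entry
    "@example.net": "gary, alice",  # @domain entry covering every address there
}

def lookup_keys(sender, local_domains=()):
    """Keys tried in order: user@domain, user (local domains only), @domain."""
    user, _, domain = sender.rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain in local_domains:
        # The bare "user" key is only tried for the server's own domains.
        keys.append(user)
    keys.append(f"@{domain}")
    return keys

def owners(sender, table, local_domains=()):
    """Owner logins from the first key that matches, or an empty set."""
    for key in lookup_keys(sender, local_domains):
        if key in table:
            # A result is a list of logins separated by commas and/or whitespace.
            return {o for o in re.split(r"[,\s]+", table[key]) if o}
    return set()

def check_sender(sender, sasl_login, table, local_domains=()):
    """Return 'ok' or 'reject' for a MAIL FROM address and SASL login (or None)."""
    owned_by = owners(sender, table, local_domains)
    if sasl_login is None:
        # Unauthenticated client: rejected only when the address has an owner.
        return "reject" if owned_by else "ok"
    # Authenticated client: must be listed as an owner of the address.
    return "ok" if sasl_login in owned_by else "reject"

if __name__ == "__main__":
    cases = [("sales@example.net", "gary"), ("sales@example.net", None),
             ("gary@test.org", "alice"), ("bob@other.example", None)]
    for sender, login in cases:
        print(f"{sender:20} login={login!s:6} -> "
              f"{check_sender(sender, login, SAMPLE_MAP)}")
```

In this model a single "@example.net" entry lets either listed login use any sender address in that domain, while an unauthenticated client using any address in that domain is rejected.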

