Re: reject_authenticated_sender_login_mismatch only for some logins

From: mouss (no email)
Date: Wed Mar 17 2010 - 18:15:13 EDT

  • Next message: mouss: "Re: Remove Postfix From Message Headers"

    ram a écrit :
    > I need to implement smtpd login maps on our postfix servers so as
    > minimize the chances of a compromised client machine screwing our smtp
    > relay.

    auth is good, but it's not enough. A compromised client can
    authenticate. you still need rate limits and log parsing. and if so,
    authentication becomes secondary...

    >
    > But this cannot be done overnight. There are various clients who use
    > different envelope sender domains (for perfectly legitimate reasons) and
    > I cannot get a mapping for all such entries.
    >
    > How can I use reject_authenticated_sender_login_mismatch only for some
    > auth logins. Especially those who insist on using some junk mailserver
    > in their offices and cannot sufficiently secure their network
    >

    you can make it a result of a check_access_*.

    but you'd better provide two different access types. a "strict" one and
    an "old" one. then enoucrage users to move to the strict one (with
    incentives...).

    >
    > So I want to say
    > if(sasl authenticated) {
    > if(suspect client login) {
    > reject_authenticated_sender_login_mismatch
    > } else {
    > allow sender_login_mismatch
    > }
    > }
    >
    >
    > Thanks
    > Ram
    >
    >
    >
    >
    >
    >


  • Next message: mouss: "Re: Remove Postfix From Message Headers"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD