- Previous message: mouss: "Re: reroute mail based on headers"
- Maybe in reply to: ram: "reject_authenticated_sender_login_mismatch only for some logins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
|
|
|
From: mouss (no email)
Date: Wed Mar 17 2010 - 18:15:13 EDT
ram a écrit :
> I need to implement smtpd login maps on our postfix servers so as
> minimize the chances of a compromised client machine screwing our smtp
> relay.
auth is good, but it's not enough. A compromised client can
authenticate. you still need rate limits and log parsing. and if so,
authentication becomes secondary...
>
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries.
>
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
>
you can make it a result of a check_access_*.
but you'd better provide two different access types. a "strict" one and
an "old" one. then enoucrage users to move to the strict one (with
incentives...).
>
> So I want to say
> if(sasl authenticated) {
> if(suspect client login) {
> reject_authenticated_sender_login_mismatch
> } else {
> allow sender_login_mismatch
> }
> }
>
>
> Thanks
> Ram
>
>
>
>
>
>
|
|
|