From: "Andrew G. Grant" on 17 Jun 2010 10:30

Jose,

Unfortunately, looking at another server OS doesn't help me to find the
answer to this question. But thank you for the suggestion.

I am still trying to find out how Apple OS X Server 10.6.3
(Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
SASL access Open Directory's LDAP when Postfix isn't compiled
on my system to use LDAP library types?

This all revolves around finding a way to use:
reject_sender_login_mismatch on smtpd_sender_restrictions
without having to keep a separate smtpd_sender_login_maps
hash file updated.

Currently, I believe SASL is using Open Directory to reference
User Name and Password information for SASL to work, as I haven't
duplicated this information anywhere.

Since my Postfix is not compiled to use LDAP, how is SASL accessing
Open Directory information?

If SASL can access Open Directory, why can't Postfix access Open Directory
to lookup smtpd_sender_login_maps?

Postconf -m:
btree
cidr
environ
hash
pcre
proxy
regexp
static
unix

Postconf -n:
2bounce_notice_recipient = mail-notification
biff = no
bounce_notice_recipient = mail-notification
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_notice_recipient = mail-notification
delay_warning_time = 1h
enable_server_options = yes
error_notice_recipient = mail-notification
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = local
mydomain_fallback = localhost
myhostname = mail.caddock.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
notify_classes = policy, protocol, resource, software
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.caddock.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_pw_server_security_options = cram-md5, gssapi
smtpd_recipient_restrictions = permit_sasl_authenticated check_recipient_access hash:/etc/postfix/classes/restricted_recipients_list check_sender_access hash:/etc/postfix/classes/restricted_senders_list reject_unauth_pipelining reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_restriction_classes = restricted_recipients_list, restricted_senders_list, mgmt_sender_access, everyone_sender_access, notify_sender_access, aeclerk_sender_access, send_only_list, internal_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/classes/sender_login_names
smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =

From: Jose Ildefonso Camargo Tolosa on 17 Jun 2010 23:31

Greetings,

On Thu, Jun 17, 2010 at 10:00 AM, Andrew G. Grant <andrew.grant(a)caddock.com> wrote:
> Jose,
>
> Unfortunately, looking at another server OS doesn't help me to find the
> answer to this question. But thank you for the suggestion.

I know, but it would simplify your life.

>
> I am still trying to find out how Apple OS X Server 10.6.3
> (Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
> ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
> SASL access Open Directory's LDAP when Postfix isn't compiled
> on my system to use LDAP library types?

Postfix doesn't do SASL on its own, it depends on Dovecot or Cyrus, just
read here: http://www.postfix.org/SASL_README.html

>
> This all revolves around finding a way to use:
> reject_sender_login_mismatch on smtpd_sender_restrictions
> without having to keep a separate smtpd_sender_login_maps
> hash file updated.

If you want to be able to use postfix with ldap tables, you *must* have
the ldap support, of course, postfix supports a "plug-ins" architecture,
so, it is likely that you just need to add the ldap part.

As for Mac: I don't know exactly how to do it, but in the worst of the
cases, it would involve recompiling postfix (or, maybe, compiling the
plug-in). I don't know how to do it, because I use Debian, and I just
had to install the package: postfix-ldap, and everything was just fine
after that.

>
> Currently, I believe SASL is using Open Directory to reference
> User Name and Password information for SASL to work, as I haven't
> duplicated this information anywhere.
>
> Since my Postfix is not compiled to use LDAP, how is SASL accessing
> Open Directory information?

By default this uses cyrus sasl, so, you should check for it on your
system.

>
> If SASL can access Open Directory, why can't Postfix access Open Directory
> to lookup smtpd_sender_login_maps?
>

I hope this helps,

Ildefonso Camargo
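
Added example, not part of either post and not Postfix source code: a small Python model of the decision reject_sender_login_mismatch makes against an smtpd_sender_login_maps table, together with a check of the `postconf -m` list quoted above for the ldap map type. The example.com addresses and logins are constructed, the function names are hypothetical, and the model assumes full-address lookups with case-insensitive comparison.

```python
import re

# Map types from the `postconf -m` output quoted in the thread.
POSTCONF_M = "btree cidr environ hash pcre proxy regexp static unix"

# Constructed sample in hash: source format for smtpd_sender_login_maps:
#   MAIL FROM address    SASL login(s) that own it
SAMPLE_MAP = """\
alice@example.com    alice
sales@example.com    alice, bob
"""

def map_type_supported(postconf_m_output, map_type):
    """True if `map_type` (e.g. "ldap") is in the `postconf -m` list."""
    return map_type in postconf_m_output.split()

def parse_login_map(text):
    """Parse 'address  login[, login...]' lines into {address: {logins}}."""
    owners = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or key without owners
        logins = {n.lower() for n in re.split(r"[,\s]+", fields[1]) if n}
        owners[fields[0].lower()] = logins
    return owners

def sender_login_check(owners, mail_from, sasl_login):
    """Model of reject_sender_login_mismatch; returns "REJECT" or "DUNNO".

    sasl_login is None for a client that did not authenticate.
    Assumption: case-insensitive comparison, full-address lookup only.
    """
    owned_by = owners.get(mail_from.lower())
    if sasl_login is None:
        # Unauthenticated: reject only if the address has a listed owner.
        return "REJECT" if owned_by else "DUNNO"
    # Authenticated: the login must be a listed owner. An address missing
    # from the map has no owner, so it is rejected too.
    if owned_by and sasl_login.lower() in owned_by:
        return "DUNNO"
    return "REJECT"

if __name__ == "__main__":
    owners = parse_login_map(SAMPLE_MAP)
    print("ldap map type available:", map_type_supported(POSTCONF_M, "ldap"))
    for sender, login in [("alice@example.com", "alice"), ("sales@example.com", "bob"),
                          ("alice@example.com", "bob"), ("alice@example.com", None),
                          ("carol@example.com", "carol")]:
        print(sender, login, sender_login_check(owners, sender, login))
```

The last case shows why the map has to cover every address that authenticated users send from: with reject_sender_login_mismatch, an authenticated client using an address that is absent from the map is rejected.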