From: Andrew G. Grant on 15 Jun 2010 12:33

Hello,

I have configured the default install of Postfix (version 2.5.5) on Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very well, with the exception that once authenticated, a user can claim to be any valid email address on my network.

I currently require SASL Authentication for all senders, and the system is referencing the User Name and Password stored within Open Directory.

I now have a desire to restrict senders to their email addresses listed within Open Directory. I want to make sure that the email address listed in OD is the only sending address a user can use based upon their SASL credentials.

I tried to reference LDAP using "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf", but I found that Apple did not include LDAP as a dictionary type. Here are the types that are supported in my build:

    postconf -m
    btree
    cidr
    environ
    hash
    pcre
    proxy
    regexp
    static
    unix

I guess I don't understand how SASL is checking OD for User Name and Password but can't check to verify the local sender's email address in OD.

If it is not possible to access the OD data, can someone please explain, in very easy to understand terms and with examples, how to implement this feature in the "main.cf" file using a hash file listing every User Name and Email address?

So far, I have tried these items with no success:

    smtp_sender_dependent_authentication = yes

    smtpd_sender_restrictions =
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject
From: Andrew G. Grant on 15 Jun 2010 18:29

Thank you. I will give that a try.

Can anyone answer the question about how SASL is able to authenticate Users with their Passwords stored in Open Directory, but not pull their Email addresses?

On Jun 15, 2010, at 3:14 PM, Jerrale Gayle wrote:

> On 6/15/2010 12:33 PM, Andrew G. Grant wrote:
>> Hello,
>>
>> I have configured the default install of Postfix (version 2.5.5) on Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very well with the exception that once authenticated, a user can claim to be any valid email address on my network.
>>
>> I currently require SASL Authentication for all senders and the system is referencing the User Name and Password stored within Open Directory.
>>
>> I now have a desire to restrict senders to their email addresses listed within Open Directory. I want to make sure that the email address listed in OD is the only sending address a user can use based upon their SASL credentials.
>>
>> I tried to reference LDAP using "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf" but I found that Apple did not include LDAP as a dictionary type. Here are the types that are supported in my build.
>>
>> postconf -m
>> btree
>> cidr
>> environ
>> hash
>> pcre
>> proxy
>> regexp
>> static
>> unix
>>
>> I guess I don't understand how SASL is checking OD for User Name and Password but can't check to verify the local sender's email address in OD.
>>
>> If it is not possible to access the OD data, can someone please explain, in very easy to understand terms and with examples, how to implement this feature in the "main.cf" file using a hash file listing every User Name and Email address?
>>
>> So far, I have tried these items with no success:
>> smtp_sender_dependent_authentication = yes
>>
>> smtpd_sender_restrictions =
>>     permit_sasl_authenticated,
>>     reject_non_fqdn_sender,
>>     reject_sender_login_mismatch,
>>     reject_authenticated_sender_login_mismatch,
>>     reject_unauthenticated_sender_login_mismatch,
>>     reject
>
> You need to setup smtpd_sender_login_maps AND put reject_sender_login_mismatch under smtpd_sender_restrictions, BEFORE permit_sasl_authenticated in smtpd_sender_restrictions.
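Jerrale's ordering advice, and Andrew's wish to reuse the Open Directory short name as the only permitted sender address, can be checked without a running Postfix. The Python below is an added example, not Postfix code and not from anyone in the thread: it models a simplified smtpd_sender_login_maps lookup (a hash: table plus a pcre: rule that treats the local part of the address as the login, an approach the thread does not mention) and walks smtpd_sender_restrictions in both orders. Assumptions: the example.com domain and table entries are constructed, and the model omits the address-extension and @domain lookups Postfix also performs.

```python
import re
# Constructed sample smtpd_sender_login_maps data, not from the thread.
# hash: table: envelope sender address -> comma-separated SASL logins
HASH_TABLE = {
    "andrew@example.com": "andrew",
    "sales@example.com": "andrew, bob",  # shared address, two owners
}
# pcre: rule: the login is the local part, so every Open Directory short
# name owns <shortname>@example.com without a second list to maintain.
PCRE_RULES = [(re.compile(r"^([^@]+)@example\.com$", re.I), r"\1")]


def sender_owners(sender):
    """Logins allowed to use `sender` per the maps (hash first, then pcre)."""
    key = sender.lower()
    if key in HASH_TABLE:
        return {o.strip() for o in HASH_TABLE[key].split(",")}
    for pattern, repl in PCRE_RULES:
        m = pattern.match(key)
        if m:
            return {m.expand(repl)}
    return set()


def check(name, sender, login):
    """One smtpd_sender_restrictions entry -> 'OK', 'REJECT' or 'DUNNO'."""
    owners = sender_owners(sender)
    if name == "permit_sasl_authenticated":
        return "OK" if login else "DUNNO"
    if name == "reject_authenticated_sender_login_mismatch":
        return "REJECT" if login and login.lower() not in owners else "DUNNO"
    if name == "reject_unauthenticated_sender_login_mismatch":
        return "REJECT" if not login and owners else "DUNNO"
    if name == "reject_sender_login_mismatch":  # union of the two above
        parts = ("reject_authenticated_sender_login_mismatch",
                 "reject_unauthenticated_sender_login_mismatch")
        return ("REJECT" if any(check(p, sender, login) == "REJECT"
                                for p in parts) else "DUNNO")
    raise ValueError("unknown restriction: " + name)


def evaluate(restrictions, sender, login=None):
    """First OK/REJECT decides; reaching the end permits, as in Postfix."""
    for name in restrictions:
        verdict = check(name, sender, login)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end-of-list"


# Andrew's ordering: permit fires first, so the mismatch check never runs.
AS_POSTED = ["permit_sasl_authenticated", "reject_sender_login_mismatch"]
# Jerrale's fix: test the login/sender match before permitting SASL users.
AS_FIXED = ["reject_sender_login_mismatch", "permit_sasl_authenticated"]
```

Running `evaluate(AS_POSTED, "bob@example.com", "andrew")` permits the spoofed sender, while `evaluate(AS_FIXED, ...)` with the same input rejects it.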
From: Charles Marcus on 16 Jun 2010 06:49

On 2010-06-15 6:29 PM, Andrew G. Grant wrote:
> Can anyone answer the question about how SASL is able to
> authenticate Users with their Passwords stored in Open Directory, but
> not pull their Email addresses?

What do you mean by 'pull their email addresses'?

If you mean that you have assigned multiple email addresses for each user in some attribute in OD, and you want 'sender_login_mismatch' to only allow the user to send if they are sending from one of these multiple email addresses, I'm not sure how you would do that, but I'm trying to more precisely define what it is you are trying to do...

--

Best regards,

Charles
From: "Andrew G. Grant" on 16 Jun 2010 10:56

Charles,

Just for clarification, and remember, I am very new at all of this.

Postfix is requiring SASL Authentication. I have not listed any user names or passwords anywhere except in Apple Open Directory as User "Short Names" for use with login to network resources.

Postfix seems to reference these user "Short Names" in OD and the user's password, also from within OD, when performing SASL Authentication.

These same user "Short Names" are also seen as valid Email addresses at my domain when receiving email.

This information is not listed anywhere else in my configuration. For that reason, I am asking if Postfix can't also see the User "Short Names" as Email addresses when performing "reject_sender_login_mismatch" under "smtpd_sender_restrictions".

My whole goal is to avoid creating and updating another separate list of Email Addresses and User Names for "smtpd_sender_login_maps".

On Jun 16, 2010, at 3:49 AM, Charles Marcus wrote:

> On 2010-06-15 6:29 PM, Andrew G. Grant wrote:
>> Can anyone answer the question about how SASL is able to
>> authenticate Users with their Passwords stored in Open Directory, but
>> not pull their Email addresses?
>
> What do you mean by 'pull their email addresses'?
>
> If you mean that you have assigned multiple email addresses for each user in some attribute in OD, and you want 'sender_login_mismatch' to only allow the user to send if they are sending from one of these multiple email addresses, I'm not sure how you would do that, but I'm trying to more precisely define what it is you are trying to do...
>
> --
>
> Best regards,
>
> Charles
From: Jose Ildefonso Camargo Tolosa on 17 Jun 2010 00:17

Greetings,

What are you using for SASL authentication? In my case, I'm using dovecot, which in turn uses pam, which in turn uses LDAP. And then use:

    smtpd_sender_login_maps = ldap:/etc/postfix/sender_login.cf

and permit_sasl_authenticated on smtpd_recipient_restrictions and reject_sender_login_mismatch on smtpd_sender_restrictions.

For SASL:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Of course, my postfix *does* support ldap. I'm using Debian Lenny. If you are configuring a server, you should really try Debian or Ubuntu Server; your life will be really simpler.

I hope this helps,

Ildefonso Camargo

On Wed, Jun 16, 2010 at 10:26 AM, Andrew G. Grant <andrew.grant(a)caddock.com> wrote:
> Charles,
>
> Just for clarification, and remember, I am very new at all of this.
>
> Postfix is requiring SASL Authentication. I have not listed any user names or passwords anywhere except in Apple Open Directory as User "Short Names" for use with login to network resources.
>
> Postfix seems to reference these user "Short Names" in OD and the user's password, also from within OD, when performing SASL Authentication.
>
> These same user "Short Names" are also seen as valid Email addresses at my domain when receiving email.
>
> This information is not listed anywhere else in my configuration. For that reason, I am asking if Postfix can't also see the User "Short Names" as Email addresses when performing "reject_sender_login_mismatch" under "smtpd_sender_restrictions".
>
> My whole goal is to avoid creating and updating another separate list of Email Addresses and User Names for "smtpd_sender_login_maps".
>
>
> On Jun 16, 2010, at 3:49 AM, Charles Marcus wrote:
>
> On 2010-06-15 6:29 PM, Andrew G. Grant wrote:
>> Can anyone answer the question about how SASL is able to
>> authenticate Users with their Passwords stored in Open Directory, but
>> not pull their Email addresses?
>
> What do you mean by 'pull their email addresses'?
>
> If you mean that you have assigned multiple email addresses for each user in some attribute in OD, and you want 'sender_login_mismatch' to only allow the user to send if they are sending from one of these multiple email addresses, I'm not sure how you would do that, but I'm trying to more precisely define what it is you are trying to do...
>
> --
>
> Best regards,
>
> Charles