From: Victor Duchovni on
On Tue, Jun 15, 2010 at 09:33:12AM -0700, Andrew G. Grant wrote:

> Hello,
>
> I have configured the default install of Postfix (version 2.5.5) on
> Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very
> well with the exception that once authenticated, a user can claim to be
> any valid email address on my network.

This is default behaviour.

> I now have a desire to restrict senders to their email addresses listed
> within Open Directory. I want to make sure that the email address listed
> in OD is the only sending address a user can use based upon their SASL
> credentials.
>
> I tried to reference LDAP using, "smtpd_sender_login_maps =
> ldap:/etc/postfix/ldap-aliases.cf" but I found that Apple did not include
> LDAP as a dictionary type. Here are the types that are supported in
> my build.
>
> postconf -m
> btree
> cidr
> environ
> hash
> pcre
> proxy
> regexp
> static
> unix

That's unfortunate.

> So far, I have tried these items with no success:
> smtp_sender_dependent_authentication = yes

Irrelevant. This is used when sending mail, not when receiving
mail. Turn this off.

>
> smtpd_sender_restrictions =
> permit_sasl_authenticated,

Too late, at this point the SASL authenticated users are in.
The restrictions on sender address go *above* this.

> reject_non_fqdn_sender,
> reject_sender_login_mismatch,
> reject_authenticated_sender_login_mismatch,
> reject_unauthenticated_sender_login_mismatch,
> reject

# Not an MX host, authenticated senders only:
#
smtpd_sender_restrictions =
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject

--
Viktor.
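An added example, not from Viktor's reply and not Postfix's own code: a plain-shell model of the decision that reject_authenticated_sender_login_mismatch makes against smtpd_sender_login_maps, with a constructed map file in the text format you would hand to postmap. The map contents, the function names and the simplified lookup order (exact address, then @domain) are assumptions for illustration; on a real server smtpd consults the compiled table, and the point of the ordering is that the mismatch check must run before permit_sasl_authenticated or it never runs at all.

```shell
#!/bin/sh
# Added example (not from the thread): a plain-shell model of what
# reject_authenticated_sender_login_mismatch decides, so the effect of
# smtpd_sender_login_maps can be seen without a running Postfix.
# The map format is the text source you would feed to "postmap":
#   <sender address>   <comma-separated SASL logins that own it>
# The lookup order (exact address, then @domain) is a simplified model
# of Postfix's address lookups, not a claim about every edge case.

# Constructed map file; a real deployment generates this from the
# directory (or maintains it by hand) and runs "postmap hash:<file>".
LOGIN_MAP=$(mktemp) || exit 1
cat > "$LOGIN_MAP" <<'EOF'
# sender address          SASL login(s) allowed to use it
andrewgrant@mydomain.com  andrewgrant
postmaster@mydomain.com   andrewgrant,jose
@newsletter.mydomain.com  marketing
EOF

# owners_of <sender>: print the comma-separated owners of a sender
# address, trying the exact address first and then the @domain form.
# Prints nothing when the map has no entry (Postfix: no owner known).
owners_of() {
    sender=$1
    domain_key="@${sender#*@}"
    awk -v exact="$sender" -v dom="$domain_key" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == exact { print $2; found = 1; exit }
        $1 == dom && !hit { hit = $2 }         # remember a domain-wide match
        END { if (!found && hit) print hit }
    ' "$LOGIN_MAP"
}

# login_owns_sender <sender> <login>: exit 0 when the SASL login owns the
# sender address, 1 otherwise. A sender address with no owner in the map
# is also a mismatch for an authenticated client; that is the
# "Sender address rejected: not owned by user" case.
login_owns_sender() {
    sender=$1
    login=$2
    owners=$(owners_of "$sender")
    [ -z "$owners" ] && return 1
    case ",$owners," in
        *",$login,"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# decide <sender> <login>: the two restrictions that matter, evaluated in
# Viktor's order:
#   reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
# With permit_sasl_authenticated listed first, PERMIT would be returned
# before the mismatch check was ever reached.
decide() {
    if login_owns_sender "$1" "$2"; then
        echo PERMIT          # permit_sasl_authenticated
    else
        echo "REJECT: <$1>: Sender address rejected: not owned by user $2"
    fi
}

decide andrewgrant@mydomain.com andrewgrant
decide postmaster@mydomain.com jose
decide nobody@mydomain.com andrewgrant
```

Running it shows the first two senders permitted and the third rejected with the same wording smtpd logs; an empty or missing map rejects every authenticated sender, because no address has an owner.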

From: "Andrew G. Grant" on
Thank you Viktor. That does in fact stop the email if there is a mismatch.
However, now I cannot send anything as it tells me that I don't own the
email address I am trying to send to.

Can you tell me what it is checking to verify that the User Name
belongs to the Email address the user is sending from?

My sender restrictions look like this:
smtpd_sender_restrictions =
# reject_sender_login_mismatch,
reject_authenticated_sender_login_mismatch,
# reject_unauthenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

I am currently getting this error in my SMTP logs:

Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: connect from andrew-grant.mydomain.com[10.1.2.166]
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: NOQUEUE: reject: RCPT from andrew-grant.mydomain.com[10.1.2.166]: 553 5.7.1 <andrewgrant(a)mail.mydomain.com>: Sender address rejected: not owned by user andrewgrant; from=<andrewgrant(a)mail.mydomain.com> to=<andrewgrant(a)mail.mydomain.com> proto=ESMTP helo=<andrew-grant.mydomain.com>
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: disconnect from andrew-grant.mydomain.com[10.1.2.166]

Any thoughts as to what I should look at to verify that my User Name really does belong to my Email address?


On Jun 15, 2010, at 10:47 AM, Victor Duchovni wrote:


From: Victor Duchovni on
On Tue, Jun 15, 2010 at 11:32:07AM -0700, Andrew G. Grant wrote:

> Thank you Viktor. That does in fact stop the email if there is a mismatch.
> However, now I cannot send anything as it tells me that I don't own the
> email address I am trying to send to.
>
> Can you tell me what it is checking to verify that the User Name
> belongs to the Email address the user is sending from?
>
> My sender restrictions look like this:
> smtpd_sender_restrictions =
> # reject_sender_login_mismatch,
> reject_authenticated_sender_login_mismatch,
> # reject_unauthenticated_sender_login_mismatch,
> permit_sasl_authenticated,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> permit
>
> I am currently getting this error in my SMTP logs:
>
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: connect from andrew-grant.mydomain.com[10.1.2.166]
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: NOQUEUE: reject: RCPT from andrew-grant.mydomain.com[10.1.2.166]: 553 5.7.1 <andrewgrant(a)mail.mydomain.com>: Sender address rejected: not owned by user andrewgrant; from=<andrewgrant(a)mail.mydomain.com> to=<andrewgrant(a)mail.mydomain.com> proto=ESMTP helo=<andrew-grant.mydomain.com>
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: disconnect from andrew-grant.mydomain.com[10.1.2.166]
>
> Any thoughts as to what I should look at to verify that my User Name really does belong to my Email address?

You need correct mappings in smtpd_sender_login_maps, mapping each
sender address to the correct SASL login.

--
Viktor.

From: "Andrew G. Grant" on
Viktor,

You said:
"You need correct mappings in smtpd_sender_login_maps, mapping each
sender address to the correct SASL login."

Does that mean that Postfix will not pull the User Name and Email address from
the Open Directory?

I had assumed that it was already pulling the User Name / Password for SASL
from Open Directory. Is there no way to also access the Email address in OD
or use the User Name from the SASL authentication as the left portion of the
email address?

For example, my user name is, "andrewgrant" and my email is,
"andrewgrant(a)mydomain.com".

Is there no way to avoid creating another hash file with every User Name and
Email address inside?

On Jun 15, 2010, at 12:40 PM, Victor Duchovni wrote:


From: "Andrew G. Grant" on
Thank you Victor for giving me that wonderfully concise answer.

On Jun 17, 2010, at 9:53 AM, Victor Duchovni wrote:

On Thu, Jun 17, 2010 at 07:30:44AM -0700, Andrew G. Grant wrote:

> Jose,
>
> Unfortunately, looking at another server OS doesn't help me to find the
> answer to this question. But thank you for the suggestion.
>
> I am still trying to find out how Apple OS X Server 10.6.3
> (Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
> ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
> SASL access Open Directory's LDAP when Postfix isn't compiled
> on my system to use LDAP library types?
>
> This all revolves around finding a way to use:
> reject_sender_login_mismatch on smtpd_sender_restrictions
> without having to keep a separate smtpd_sender_login_maps
> hash file updated.

You need LDAP support in Postfix. There is no work-around that
does not involve copying data out of LDAP if LDAP is not
accessible. SASL alone cannot provide the

RFC 822 sender address <---> SASL authentication name

correspondence; SASL never sees the sender address, only the
user login name and associated credentials.

> Currently, I believe SASL is using Open Directory to reference
> User Name and Password information for SASL to work, as I haven't
> duplicated this information anywhere.
>
> Since my Postfix is not compiled to use LDAP, how is SASL accessing
> Open Directory information?

The SASL library uses LDAP, but Postfix itself is not configured
to use LDAP.

>
> If SASL can access Open Directory, why can't Postfix access Open Directory
> to lookup smtpd_sender_login_maps?

Because that code is not compiled into the Postfix binaries in question.

--
Viktor.
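An added example, not from the thread and not part of Postfix or Apple's tooling: since Viktor's answer is that the directory data has to be copied out when Postfix has no LDAP table type, this is the shape of that copy, an awk filter that turns LDIF into the smtpd_sender_login_maps source file. The LDIF is constructed, the attribute names (uid, mail) are the usual inetOrgPerson ones and may differ in a given Open Directory, and the filter handles neither LDIF line folding nor base64 ("mail::") values; the ldapsearch invocation in the comment is the assumed real input.

```shell
#!/bin/sh
# Added example (not from the thread): build the smtpd_sender_login_maps
# source file by copying uid/mail pairs out of the directory, which is
# what remains when Postfix has no ldap: table type.
# Assumed real pipeline (hostname, base DN and attributes are placeholders):
#   ldapsearch -x -LLL -H ldap://od.example.invalid -b cn=users,dc=mydomain,dc=com \
#       '(objectClass=inetOrgPerson)' uid mail \
#     | ldif_to_login_map > /etc/postfix/sender_login_maps \
#   && postmap hash:/etc/postfix/sender_login_maps

# ldif_to_login_map: read LDIF on stdin, write "<mail> <uid>" on stdout,
# one line per mail attribute, so every address a user owns maps to that
# user's SASL login. Addresses are lowercased; output is sorted with the
# C locale so repeated runs produce byte-identical files and a diff
# against the previous run shows exactly what changed in the directory.
ldif_to_login_map() {
    awk '
        function flush(  i) {
            if (uid != "") for (i = 1; i <= n; i++) print addr[i], uid
            uid = ""; n = 0
        }
        /^dn:/    { flush() }                 # a new entry starts
        /^uid: /  { uid = $2 }
        /^mail: / { addr[++n] = tolower($2) }
        /^$/      { flush() }                 # blank line ends an entry
        END       { flush() }
    ' | LC_ALL=C sort
}

# Constructed LDIF standing in for the ldapsearch output above.
SAMPLE_LDIF='dn: uid=andrewgrant,cn=users,dc=mydomain,dc=com
uid: andrewgrant
mail: andrewgrant@mydomain.com
mail: Andrew.Grant@mydomain.com

dn: uid=jose,cn=users,dc=mydomain,dc=com
uid: jose
mail: jose@mydomain.com
'

# build_login_map <outfile>: write the map source for the sample data.
build_login_map() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_login_map > "$1"
}

build_login_map "${1:-/dev/stdout}"
```

Run from cron, the script replaces the hand-maintained hash file the thread worried about; a user with several mail attributes gets one line per address, all pointing at the same login, and an address absent from the directory has no owner and is rejected for authenticated clients.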