On 10/13/2014 6:54 PM, Ben Johnson wrote:
> Hello!
> 
> Is it possible to require authentication based on specific properties of
> an MUA or its connection?
> 
> I would like to require all connections that originate from the php-fpm
> daemon (or its children) on the server in question to be forced to
> authenticate when sending mail through Postfix.
> 
> At the same time, I need for messages from other sources (cron scripts,
> system maintenance utilities, etc.) to be sent as normal, without
> requiring authentication.

This is usually done by controlling the authorized_submit_users
postfix option.
http://www.postfix.org/postconf.5.html#authorized_submit_users

However, all your web scripts are probably submitting as the www or
similar user.

> 
> In short, I have a pesky PHP script somewhere, under a customer's hosted
> account, that is sending outgoing spam messages. The script appears not
> to be using PHP's mail() function, and may instead be speaking to
> Postfix directly, which renders PHP's mail-related logging functions
> irrelevant and useless, and makes the source much more difficult to trace.
> 
> The Postfix and amavis-new logs are not terribly useful in this context
> (at least at the default verbosity) because all they reveal is that the
> messages are coming from localhost. The port number is listed, too, but
> I don't know if that reveals anything useful.
>

amavisd-new doesn't enter into this, as the mail enters via postfix.
Likely there is a postfix/pickup line where the mail first enters
the queue, which will show the user ID being used (likely just
"www", and not particularly helpful).

There are probably better clues in your web logs.

> If there is a better way to deal with this nuisance than resorting to
> stricter authentication protocols, I would love to hear alternate
> suggestions.

Probably disable the sendmail command for the www user (via
authorized_submit_users), and require each user to connect to a
specific IP:port that requires SMTP AUTH, each customer with their
own credentials.  At least that way you know whose account is
compromised.  But setting this up will be disruptive to current
customers.

Not fun.  Good luck.


  -- Noel Jones
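Noel's two-step suggestion written out as a configuration example. This is added here and is not part of the thread; it assumes the PHP-FPM pool runs as `www-data` (check with `ps -o user= -C php-fpm` on the box) and that customers will be pointed at an authenticated listener on 127.0.0.1 port 587. Adjust both to the server in question.

```ini
# main.cf (added example, not from the thread; "www-data" is an assumption)
#
# The default is "static:anyone": every local account may run sendmail(1)
# and inject mail through postfix/pickup.  Excluding just the PHP-FPM
# account leaves cron jobs and system utilities (root, daemon accounts)
# unaffected.  A script that still calls sendmail as www-data now fails
# with "User www-data(33) is not allowed to submit mail" in the log.
authorized_submit_users = !www-data, static:anyone

# master.cf: a dedicated submission listener that accepts only SMTP AUTH.
# Web code that speaks SMTP must then present per-customer credentials,
# and the postfix/smtpd line for each message records sasl_username=...,
# which is the "whose account is compromised" evidence the reply is after.
127.0.0.1:submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Two caveats when rolling this out. First, `authorized_submit_users` only governs sendmail(1) submissions; it does nothing for a script that opens its own socket to 127.0.0.1:25, which is exactly what Ben suspects. The port 25 listener relays for localhost through `permit_mynetworks` as long as `mynetworks` still contains 127.0.0.0/8, so that listener needs tightening at the same time. Second, excluding `www-data` breaks PHP's `mail()` for every customer on the host at once, which is the disruption Noel warns about; announce the authenticated port before flipping the setting.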

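The log-reading side of Noel's answer, as an added example that is not from the thread. The postfix/pickup line carries the submitting uid, while a message injected over SMTP is logged by postfix/smtpd with only a client address and no uid at all; grouping queue ids by which of the two paths they took separates "PHP calling sendmail as www-data" from "something on localhost speaking SMTP". The log lines below are constructed to match the format Postfix writes to mail.log; the uid 33 for `www-data` and the recipient threshold are assumptions.

```python
"""Group Postfix queue-log lines by how each message entered the queue.

Added example (not part of the postfix-users thread).  sendmail(1)
submissions appear as "postfix/pickup: QID: uid=N from=<user>"; SMTP
injections appear as "postfix/smtpd: QID: client=host[ip]" and carry no
Unix uid, so the account behind a script that talks SMTP to localhost
is invisible here (only SMTP AUTH would name it).
"""
import re
import sys
from collections import defaultdict

# Constructed sample (not real log data); host and queue ids are made up.
SAMPLE_LOG = """\
Oct 13 18:54:01 mail postfix/pickup[1204]: 1A2B3C4D5E: uid=33 from=<www-data>
Oct 13 18:54:01 mail postfix/cleanup[1210]: 1A2B3C4D5E: message-id=<20141013185401.1A2B3C4D5E@mail.example.invalid>
Oct 13 18:54:02 mail postfix/qmgr[1100]: 1A2B3C4D5E: from=<www-data@mail.example.invalid>, size=812, nrcpt=1 (queue active)
Oct 13 18:55:00 mail postfix/pickup[1204]: 2B3C4D5E6F: uid=0 from=<root>
Oct 13 18:55:00 mail postfix/qmgr[1100]: 2B3C4D5E6F: from=<root@mail.example.invalid>, size=410, nrcpt=1 (queue active)
Oct 13 18:55:07 mail postfix/smtpd[1301]: 3C4D5E6F70: client=localhost[127.0.0.1]
Oct 13 18:55:07 mail postfix/qmgr[1100]: 3C4D5E6F70: from=<noreply@customer.example.invalid>, size=2048, nrcpt=25 (queue active)
Oct 13 18:56:13 mail postfix/pickup[1204]: 4D5E6F7081: uid=33 from=<www-data>
Oct 13 18:56:13 mail postfix/qmgr[1100]: 4D5E6F7081: from=<www-data@mail.example.invalid>, size=799, nrcpt=40 (queue active)
"""

PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")


def parse_queue_log(log_text):
    """Return {queue_id: {path, uid|client, size, nrcpt}} from raw log text."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:  # local sendmail(1) submission: the only place the uid is logged
            msgs[m["qid"]].update(path="sendmail", uid=int(m["uid"]), sender=m["sender"])
            continue
        m = SMTPD_RE.search(line)
        if m:  # network (or loopback) SMTP injection: client address, no uid
            msgs[m["qid"]].update(path="smtp", client=m["client"])
            continue
        m = QMGR_RE.search(line)
        if m:  # queue manager line gives size and recipient count for either path
            msgs[m["qid"]].update(size=int(m["size"]), nrcpt=int(m["nrcpt"]))
    return dict(msgs)


def submissions_by_origin(msgs):
    """Count messages per origin, e.g. 'sendmail uid=33' or 'smtp localhost[127.0.0.1]'."""
    counts = defaultdict(int)
    for info in msgs.values():
        if info.get("path") == "sendmail":
            counts[f"sendmail uid={info['uid']}"] += 1
        elif info.get("path") == "smtp":
            counts[f"smtp {info['client']}"] += 1
        else:
            counts["unknown"] += 1
    return dict(counts)


def flag_web_submissions(msgs, web_uids=frozenset({33}), nrcpt_threshold=20):
    """Queue ids worth a closer look: sendmail submissions by the web server
    uid, plus loopback SMTP injections with many recipients (the path the
    thread suspects, where no uid is available and volume is the only hint)."""
    flagged = []
    for qid, info in sorted(msgs.items()):
        if info.get("path") == "sendmail" and info.get("uid") in web_uids:
            flagged.append(qid)
        elif (info.get("path") == "smtp"
              and info.get("client", "").startswith("localhost[")
              and info.get("nrcpt", 0) >= nrcpt_threshold):
            flagged.append(qid)
    return flagged


if __name__ == "__main__":
    # Usage: python3 pickup_report.py [/var/log/mail.log]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_queue_log(text)
    for origin, n in sorted(submissions_by_origin(parsed).items()):
        print(f"{n:5d}  {origin}")
    print("review:", ", ".join(flag_web_submissions(parsed)))
```

Once a queue id is flagged, the same id in the postfix/cleanup line gives the Message-ID, and the timestamp narrows the web-server access log to the requests that fired at that second, which is where Noel expects the better clues to be.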