> On 12 March 2016 at 17:28, @lbutlr <krem...@kreme.com> wrote:
> 
> On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>> Create a file containing the following (where yourdomain.com is the domain
>> your authenticated users send from):
>> 
>> yourdomain.com permit_sasl_authenticated, reject
>> 
>> postmap the file.
>> 
>> Then use:
>>  smtpd_recipient_restrictions =
>>      ...
>>      check_sender_access hash:/path/to/file
>>      ...
>> 
>> Note that permit_sasl_authenticated is removed from the recipient
>> restrictions, because that is handled by check_sender_access.
>> 
>> This will give two-fold security:
>> Anyone that is authenticated, MUST use your domain to take advantage of
>> authentication. E.g., if they send a mail from let's say
>> some...@someotherdomain.com it will be "relay rejected" even if they
>> authenticate.
>> 
>> Also, the second "reject" in the map file, will force-reject anyone that
>> attempts to use "yourdomain.com" as sender without authentication, causes
>> everyone who tries to send a mail with your domain as sender, into a local
>> mailbox, example:
>> 
>> MAIL FROM: ad...@yourdomain.com
>> RCPT TO: vic...@yourdomain.com
>> 
>> That sender will then be rejected with the reason that the sender address is
>> invalid, UNLESS they authenticate before.
> 
> Any comments on the advisability and utility of this method? At first blush it
> seems a bit too good to be true.
> 
> What’s the catch?
> 

Well, perhaps it's working fine but it's not what I want.


I would like that everybody who is sending mail from outside our network and 
identified with sasl uses the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


-- 
Pascal
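
The following is an added example, not part of the original thread and not Postfix code: a simplified Python model of the quoted access-map policy next to the login-to-address check requested in the reply, showing which sessions each one rejects. The addresses, logins, the `OWNERS` table and the assumption that `reject_unauth_destination` follows the sender check are constructed for illustration; the model ignores the "outside our network" condition. In Postfix itself, the built-in mechanism for this kind of check is `smtpd_sender_login_maps` together with `reject_authenticated_sender_login_mismatch`.

```python
# Added example: a simplified model of the two sender policies, not Postfix code.
# All addresses, logins and the OWNERS table below are constructed.

SENDER_ACCESS = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}
LOCAL_DOMAINS = {"yourdomain.com"}             # assumed local/relay destinations
OWNERS = {"alice@yourdomain.com": {"alice"},   # hypothetical address -> login map
          "bob@yourdomain.com": {"bob"}}


def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def access_map_policy(sasl_login, mail_from, rcpt_to):
    """Sender-domain access map, then an assumed reject_unauth_destination."""
    for action in SENDER_ACCESS.get(domain(mail_from), []):
        if action == "permit_sasl_authenticated" and sasl_login:
            return "permit"
        if action == "reject":
            return "reject: sender access denied"
    # Sender domain not in the map: fall through to the remaining restrictions.
    if domain(rcpt_to) not in LOCAL_DOMAINS:
        return "reject: relay access denied"
    return "permit"


def login_match_policy(sasl_login, mail_from, rcpt_to):
    """An authenticated client must own the MAIL FROM address it uses."""
    if sasl_login and sasl_login not in OWNERS.get(mail_from.lower(), set()):
        return "reject: sender address not owned by login"
    return access_map_policy(sasl_login, mail_from, rcpt_to)
```

Under the access map alone, login `alice` sending as `bob@yourdomain.com` is permitted, because the map only tests that some authentication happened; the login-match check rejects that session.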



