The rule is still a good idea to have even if you have a rule to reject a SASL 
mismatch, because the suggested rule also rejects mail which has a spoofed 
local sender destined for a local mailbox, something that none of the 
standard rules can enforce.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Pascal Maes
Sent: 14 March 2016 12:50
To: postfix-users@postfix.org
Subject: Re: MAIL FROM validiity


> On 12 March 2016 at 17:28, @lbutlr <krem...@kreme.com> wrote:
> 
> On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>> Create a file containing the following (where yourdomain.com is the 
>> domain your authenticated users send from):
>> 
>> yourdomain.com permit_sasl_authenticated, reject
>> 
>> postmap the file.
>> 
>> Then use:
>>  smtpd_recipient_restrictions =
>>      ...
>>      check_sender_access hash:/path/to/file
>>      ...
>> 
>> Note that permit_sasl_authenticated is removed from the recipient 
>> restrictions, because that is handled by check_sender_access.
>> 
>> This will give two-fold security:
>> Anyone that is authenticated MUST use your domain to take advantage 
>> of authentication. E.g., if they send a mail from, let's say, 
>> some...@someotherdomain.com it will be "relay rejected" even if they 
>> authenticate.
>> 
>> Also, the second "reject" in the map file will force-reject anyone 
>> that attempts to use "yourdomain.com" as sender without 
>> authentication, which catches everyone who tries to send a mail with 
>> your domain as sender into a local mailbox, for example:
>> 
>> MAIL FROM: ad...@yourdomain.com
>> RCPT TO: vic...@yourdomain.com
>> 
>> That sender will then be rejected with the reason that the sender 
>> address is invalid, UNLESS they authenticate before.
> 
> Any comments on the advisability and utility of this method? At first blush it 
> seems a bit too good to be true.
> 
> What’s the catch?
> 

Well, perhaps it's working fine but it's not what I want.


I would like everybody who is sending mail from outside our network and is 
identified with SASL to use the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


--
Pascal
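
The restriction list discussed in this thread, as a simplified Python model added here (not part of the original messages and not Postfix code). It evaluates the quoted check_sender_access rule, then adds reject_authenticated_sender_login_mismatch, a standard Postfix restriction, to show the login-to-address binding asked for above; the addresses, logins and owner map are constructed sample values.

```python
# Simplified model of Postfix smtpd restriction evaluation (added example).
# All addresses, logins and the owner map below are constructed sample values.
SENDER_ACCESS = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}
LOCAL_DOMAINS = {"yourdomain.com"}
# Stand-in for smtpd_sender_login_maps: MAIL FROM address -> owning SASL logins.
SENDER_LOGIN = {"alice@yourdomain.com": {"alice"}, "bob@yourdomain.com": {"bob"}}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(rule, sender, rcpt, login):
    """Return PERMIT, REJECT or DUNNO for a single restriction."""
    if rule == "permit_sasl_authenticated":
        return "PERMIT" if login else "DUNNO"
    if rule == "reject":
        return "REJECT"
    if rule == "reject_unauth_destination":
        return "DUNNO" if domain(rcpt) in LOCAL_DOMAINS else "REJECT"
    if rule == "check_sender_access":
        # The map's right-hand side is itself a list of restrictions.
        for sub in SENDER_ACCESS.get(domain(sender), []):
            result = evaluate(sub, sender, rcpt, login)
            if result != "DUNNO":
                return result
        return "DUNNO"
    if rule == "reject_authenticated_sender_login_mismatch":
        # Applies to SASL sessions only: the login must own the MAIL FROM address.
        if login and login not in SENDER_LOGIN.get(sender.lower(), set()):
            return "REJECT"
        return "DUNNO"
    raise ValueError(f"unknown restriction: {rule}")


def decide(restrictions, sender, rcpt, login=None):
    """First non-DUNNO result wins; reaching the end of the list accepts the mail."""
    for rule in restrictions:
        result = evaluate(rule, sender, rcpt, login)
        if result != "DUNNO":
            return result
    return "PERMIT"


THREAD_RULES = ["check_sender_access", "reject_unauth_destination"]
WITH_LOGIN_CHECK = ["reject_authenticated_sender_login_mismatch"] + THREAD_RULES
```

With THREAD_RULES alone, a session logged in as one user is still accepted with another user's address in the same domain; WITH_LOGIN_CHECK rejects it.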




