Use: smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
in controlled_envelope_senders, specify like: @domain.tld useraccount, useraccount2, useraccount3 Or: n...@domain.tld useraccount, useraccount4 The first one allows the listed accounts to send from any user of that domain.tld. The second one is a strict one where you list all useraccounts authorized for that specific adress. Then you use, before permit_sasl_authenticated: reject_sender_login_mismatch Note that you need to postmap the file controlled_envelope_senders When it comes to countries, you as a administrator must not be scared of enforcing limitations. Sometimes its neccessary to say "If you travel, and you want to send mail, you have to set up a VPN to your home computer, simple as that". Sometimes problems must be solved the "hard way", especially with all these spambots and malware stealing and guessing submission accounts for the purpose of sending spam. Best regards, Sebastian Nielsen -----Ursprungligt meddelande----- Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] För Voytek Skickat: den 6 juni 2016 15:21 Till: postfix-users@postfix.org Ämne: Re: SV: poor repution work arounds? standby smtp? On Mon, June 6, 2016 10:10 pm, Sebastian Nielsen wrote: Sebastian, thanks > Second, the problem is that you will only get your backup server > blacklisted/poorreputated aswell. I would suggest solving the > underlying problem instead, so accounts is harder to compromise, by > implementing a few restrictions: the last two issues I had were caused by single compromised sasl auth senders; all users are remote to server, and, since last couple years were offered smtp auth (instead of using local isp smtp) > > Theres multiple ways to solve the problem. > 1: If your users belong to a specific office, I would suggest > restricting sending email from that office. If some users must have > remote access, give such access via a VPN instead. A spammer won't > connect to a dialin VPN using compromised credentials and try to find > a mailserver there and find compromised credentials to that too, its > too much trouble for too little gain. > 2: If you run a webhosting company or something similiar, restrict > logins to the mail server via geoIP to the same country as the account > in question was bought and registred from. The country (for example > Sweden) they buy and register the account from, will be saved into a > db. When a mail is sent through submission server, check that the > country they are connecting from, match whatever is stored for their > account inside database. This will avoid account compromise as the > accounts can only be used in their "home countries". some users travel, so can be different country > 3: Needless to say, > its a good idea to restrict so the accounts can only send from their > own email and the domain they either own or the domain your server is > authorative for. how to implement such ? there is around 20 domains on the server
smime.p7s
Description: S/MIME Cryptographic Signature
