On Thu, Nov 17, 2022 at 12:56:47PM -0600, Bryan K. Walton wrote:

> I would like to enforce a match between the "From" address and a sasl
> authenticated username, but I would like to only enforce this for a
> single sasl username.

Note that all access(5) restrictions in smtpd(8) apply to the message
*envelope* not to message headers.  The RFC5322.From address can only be
constrained to match SASL authenticated accounts in milters or content
filters.  Nothing built into Postfix restricts the use of header
addresses by authenticated submission users.

> In my postfix main.cf, I have the following:
>
> smtpd_sender_restrictions =
>     <other restrictions>
>     reject_authenticated_sender_login_mismatch,
>     <other restrictions>
>
> smtpd_sender_login_maps =
>     hash:/etc/postfix/restricted_senders
>
> In /etc/postfix/restricted_sender, I have the following:
> [email protected] jdoe
>
> This works, for this user.  However, it breaks sending for all of my
> other sasl authenticated users, unless I also put their info into
> /etc/postfix/restricted_sender
>
> Is there a way to make this restriction *only* apply to the username
> present in that file?

Yes:

    https://www.postfix.org/postconf.5.html#check_sasl_access

Presumably SASL is only offered on ports 465 and 587, and not on port
25, so "smtpd_sender_restrictions" is replaced with
"mua_sender_restrictions" with appropriate overrides in master.cf:

    default_database_type = hash
    indexed = ${default_database_type}:${config_directory}/
    mua_client_restrictions = permit_sasl_authenticated, reject
    mua_sender_restrictions =
        # If more than a few users, consider an indexed table
        check_sasl_access inline:{{jdoe = reject_sender_login_mismatch}},
        check_sender_access pipemap:{
            ${indexed}restricted_senders,
            static:reject_sender_login_mismatch }

--
    Viktor.
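
Added example, not part of the original message and not Postfix code: the comparison a milter or content filter would have to make to tie the RFC5322.From header to the SASL login, which the envelope restrictions above do not cover. The function names, the example.com addresses and the sample messages are constructed for illustration; the table text assumes the smtpd_sender_login_maps layout of an address followed by its owning login(s).

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample table: "address  login[,login...]" (assumed layout).
LOGIN_MAP_TEXT = """\
# address            owning SASL login(s)
jdoe@example.com     jdoe
sales@example.com    jdoe,asmith
"""

def parse_login_map(text):
    """Return {lowercased address: set of SASL logins that own it}."""
    owners = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, logins = line.split(None, 1)
        owners[address.lower()] = set(logins.replace(",", " ").split())
    return owners

def header_from_addresses(raw_message):
    """Extract every mailbox named in the From: header(s), lowercased."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    # Unparseable headers yield empty addresses; drop them so we fail closed.
    return [addr.lower() for _name, addr in pairs if addr]

def header_from_owned(raw_message, sasl_login, owners):
    """True only if From: is present and the login owns every mailbox in it."""
    addrs = header_from_addresses(raw_message)
    return bool(addrs) and all(sasl_login in owners.get(a, set()) for a in addrs)

# Constructed messages. Both could carry the envelope sender jdoe@example.com
# and pass the envelope checks; only the header check tells them apart.
HONEST = "From: John Doe <JDoe@example.com>\nTo: staff@example.com\n\nbody\n"
SPOOFED = 'From: "CEO" <ceo@example.com>\nTo: staff@example.com\n\nbody\n'

if __name__ == "__main__":
    owners = parse_login_map(LOGIN_MAP_TEXT)
    for label, raw in (("honest", HONEST), ("spoofed", SPOOFED)):
        print(label, header_from_owned(raw, "jdoe", owners))
```

A message with no From: header, or with any mailbox in From: that the login does not own, is treated as a mismatch.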
