On Fri, Nov 18, 2022 at 06:22:37PM +0100, Matus UHLAR - fantomas wrote:
> On 17.11.22 12:56, Bryan K. Walton wrote:
> >I would like to enforce a match between the "From" address and a sasl
> >authenticated username, but I would like to only enforce this for a
> >single sasl username.
> >
> >In my postfix main.cf, I have the following:
> >
> >smtpd_sender_restrictions =
> >     <other restrictions>
> >     reject_authenticated_sender_login_mismatch,
> >     <other restrictions>
> >
> >smtpd_sender_login_maps =
> >     hash:/etc/postfix/restricted_senders
> >
> >In /etc/postfix/restricted_sender, I have the following:
> >[email protected]  jdoe
> 
> this restricts using addresses [email protected] by other users, it doesn't
> prevent user jdoe from using other addresses.

Actually, it does, when "reject_sender_login_mismatch" is used.  The
restriction requires the authenticated login to use a sender address
they explicitly own, and restricts listed addresses to use by
authenticated users.

    https://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

    reject_sender_login_mismatch
        As of Postfix 2.1, this is an alias for
        "reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch".

    
    https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

    reject_authenticated_sender_login_mismatch
        Reject the request when the client is authenticated with SASL,
        but either the MAIL FROM address is not listed in
        $smtpd_sender_login_maps, or the SASL login name is not an owner
        for that address.  This prevents an authenticated client from
        using a MAIL FROM address that they do not explicitly own.  This
        feature is available in Postfix version 2.1 and later. 

    
    https://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch

    reject_unauthenticated_sender_login_mismatch
        Reject the request when SASL is enabled, the MAIL FROM address
        is listed in $smtpd_sender_login_maps, but the client is not
        authenticated with SASL.  With SASL enabled, this prevents an
        unauthenticated client from using any MAIL FROM address that is
        listed in $smtpd_sender_login_maps.  This feature is available
        in Postfix version 2.1 and later.

-- 
    Viktor.
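
Added example (not part of the message above, and not Postfix code): a small Python model of the three restriction definitions quoted from postconf(5), run over a constructed one-entry login map, to show which sender/login pairs each restriction rejects. It assumes SASL is enabled and does exact-address lookups only; the example.com addresses, the "asmith" login and all function names are made up for illustration.

```python
# Model of the documented reject_*_sender_login_mismatch semantics.
# Assumptions: SASL is enabled; lookups are exact-address only (Postfix's
# other lookup fallbacks are not modelled); all data below is constructed.

SAMPLE_MAP = """\
# address            owner login(s)
jdoe@example.com     jdoe
"""

def parse_login_map(text):
    """Parse 'address owner[,owner...]' lines into {address: {owners}}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, owners = line.split(None, 1)
        table[address] = set(owners.replace(",", " ").split())
    return table

def authenticated_mismatch(table, sender, login):
    """True = reject: client is authenticated, but MAIL FROM is not listed
    or the SASL login is not an owner of that address."""
    if login is None:
        return False
    owners = table.get(sender)
    return owners is None or login not in owners

def unauthenticated_mismatch(table, sender, login):
    """True = reject: MAIL FROM is listed but the client is not authenticated."""
    return login is None and sender in table

def sender_login_mismatch(table, sender, login):
    """The alias: both restrictions above, applied together."""
    return (authenticated_mismatch(table, sender, login)
            or unauthenticated_mismatch(table, sender, login))

if __name__ == "__main__":
    table = parse_login_map(SAMPLE_MAP)
    cases = [("jdoe@example.com", "jdoe"), ("other@example.com", "jdoe"),
             ("jdoe@example.com", "asmith"), ("asmith@example.com", "asmith"),
             ("jdoe@example.com", None), ("other@example.com", None)]
    for sender, login in cases:
        print(f"{sender:20} login={login!s:7}",
              "auth:", authenticated_mismatch(table, sender, login),
              "unauth:", unauthenticated_mismatch(table, sender, login),
              "alias:", sender_login_mismatch(table, sender, login))
```

The fourth case is the one relevant to a single-user policy: under the quoted definition, an authenticated login whose MAIL FROM address is not listed in the map is rejected as well, whichever login it is.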
