Re: [Dovecot] deny=yes in userdb

2010-02-03 Thread Steffen Kaiser


On Tue, 2 Feb 2010, Edgar Fuß wrote:


Yes, I should rather reject them right in the MTA, but that currently takes too 
long to implement. Or how to reject gast* in postfix using nss authentication?


http://ixquick.com/do/metasearch.pl?query=postfix+access+map+reject

http://www.securityfocus.com/infocus/1598

"Recipient Restrictions
 Our last restriction is based on the message recipient (again, the 
address listed in the 'RCPT TO' SMTP dialog, not the 'To:' address). The 
recipient restrictions are similar to the sender restrictions, namely 
reject_unknown_recipient_domain, reject_non_fqdn_recipient, and 
check_recipient_access, and they work in the same manner. Thus, you could 
include the following options in addition to any you already have:

smtpd_recipient_restrictions = (other restrictions here)
    check_recipient_access maptype:mapname,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain
"

http://www.postfix.org/access.5.html

or alias the GAST-accounts to something non-existing, e.g.

gast01: "|exit 67"

http://www.postfix.org/aliases.5.html

Regards,

-- 
Steffen Kaiser

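Added example, not part of the thread: one way to stage the check_recipient_access map suggested above for the gast* accounts and check its pattern before it is referenced from smtpd_recipient_restrictions. The domain example.org, the map location and the reject text are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: example.org,
# the temporary map file, and the reject text.
#
# main.cf side (restrictions are evaluated in order, so the map has to come
# before any permit_* entry that would accept the recipient first):
#   smtpd_recipient_restrictions =
#       check_recipient_access regexp:/etc/postfix/recipient_access,
#       (other restrictions here)
MAP="${MAP:-$(mktemp)}"

# Write a regexp_table(5) map. The pattern is matched case-insensitively
# against the whole RCPT TO address, and the first matching line wins.
write_map() {
    cat > "$MAP" <<'EOF'
# guest accounts must not receive mail
/^gast[^@]*@example\.org$/    REJECT guest accounts do not receive mail
EOF
}

# Print the action the map yields for one address, or return 1 when no
# line matches (Postfix then moves on to the next restriction).
# The lookup is emulated with grep -Ei so it also runs without Postfix.
lookup() {
    while read -r pattern action; do
        case "$pattern" in
            /*/) ;;            # a /regexp/ line
            *) continue ;;     # comment or blank line
        esac
        re=${pattern#/}
        re=${re%/}
        if printf '%s\n' "$1" | grep -Eiq -- "$re"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$MAP"
    return 1
}

write_map
for rcpt in gast01@example.org GAST7@example.org alice@example.org; do
    printf '%s -> %s\n' "$rcpt" \
        "$(lookup "$rcpt" || echo 'no match, next restriction decides')"
done
```

On a host with Postfix installed, `postmap -q gast01@example.org regexp:/etc/postfix/recipient_access` runs the same lookup through Postfix's own matcher. smtpd restrictions only apply to mail arriving over SMTP, so the aliases(5) approach above still matters for locally submitted mail.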

Re: [Dovecot] deny=yes in userdb

2010-02-02 Thread Frank Cusack
On February 2, 2010 10:05:47 PM +0100 Edgar Fuß wrote:

 nss authentication?


BTW, you misspoke.  nss doesn't authenticate.


Re: [Dovecot] deny=yes in userdb

2010-02-02 Thread Frank Cusack
On February 2, 2010 10:05:47 PM +0100 Edgar Fuß wrote:

I would like deliver to reject certain users.
Since supposedly deliver only uses userdb, not passwd, I can't use
deny=yes for that. Or does userdb support deny=yes?


According to the docs, it doesn't.  So you'd have to remove them from
the userdb.  You didn't say what type of userdb you are using so
hard to say how hard that would be.


Yes, I should rather reject them right in the MTA, but that currently
takes too long to implement. Or how to reject gast* in postfix using nss
authentication?


That depends on the system you are using (different nss support in
different systems) and what the nss backend is.  But, if you are using
nss_ldap, it might allow you to construct a search filter to exclude
those users.  Or you might put an ACL on your LDAP server to not
return the entries for those users to your MTA (or perhaps to anyone).

-frank


[Dovecot] deny=yes in userdb

2010-02-02 Thread Edgar Fuß
I would like deliver to reject certain users.
Since supposedly deliver only uses userdb, not passwd, I can't use deny=yes for 
that. Or does userdb support deny=yes?

Yes, I should rather reject them right in the MTA, but that currently takes too 
long to implement. Or how to reject gast* in postfix using nss authentication?