I did review the http://www.postfix.org/postconf.5.html#authorized_submit_users page and it mentions that patterns can be negated; here are the relevant strings of the docs I thought applicable to this case.

    Specify a list of user names, "/file/name" or "type:table" patterns ...
    Specify "!pattern" to exclude a user name from the list.
    The form "!/file/name" is supported only in Postfix version 2.4 and later.

If patterns aren't supported, thank you for setting me straight; I was just hoping to avoid building a script to regularly re/create the nosend file. Should I submit a bug report for a documentation change to make this point more clearly?

As for the "authorized_submit_users=!unix:group.byname=badUnixGroup" syntax, I found an OLD example in a mailing list, not the manpage docs; I was trying to show what I was attempting.

There are no 'untrusted' users, but in this case we need this functionality for software-testing accounts which have in the past repeatedly spammed a large group of people when third-party utilities called mutt/sendmail/etc. after certain error conditions occurred. We thought about disabling Postfix entirely for all users, but in this case we would miss out on other more necessary alerts from other users/utilities on that box.

On 5/30/2012 7:24 PM, /dev/rob0 wrote:
> On Wed, May 30, 2012 at 05:05:16PM -0400, JLP wrote:
>> Originally, I was trying to make "smtpd_sender_restrictions"
>> work, but Noel Jones (thanks again!) clued me in to the
>> config-option "authorized_submit_users" when using the sendmail
>> (or derivative) binaries.  I tried unsuccessfully making some
>> form of unix:group.byname work like these options:
>>      authorized_submit_users=!unix:group.byname, static:all
>>      authorized_submit_users=!unix:group.byname=badUnixGroup, static:all
>>
>> Short of creating a cronjob-script to regularly re/create a HASH
>> file of disallowed users in the Unix group, is there something
>> obvious I am missing?
>
> You missed the postconf(5) manual, specifically the description of
> authorized_submit_users. Negation can apply to a /file/name but not
> to a type:table lookup.
>
> http://www.postfix.org/postconf.5.html#authorized_submit_users
>
> You'll want to make your list, e.g., /etc/postfix/nosend, and then
> negate the list:
>
>      authorized_submit_users=!/etc/postfix/nosend, static:all
>
> Two bits of general advice:
>
> You might want to save a link in your browser to your
> $html_directory. Everything is in there; no need to guess. I don't
> see any reference to your "unix:group.byname=badUnixGroup" syntax,
> therefore I'd assume that it is not implemented.
>
> Having untrusted shell users on a machine is a bad idea. If you
> cannot trust them to honor your mail policies, can you trust them to
> refrain from other nefarious activities?

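Since negation only works on a "/file/name" and not on a unix:group.byname lookup, the practical route is the cron job JLP mentioned: regenerate /etc/postfix/nosend from the group's membership. The script below is an added example, not code from the thread or from Postfix; the function names, the group name "testers" and the sample group file are assumptions, and it expects group(5)-format input (/etc/group or the output of `getent group`).

```sh
#!/bin/sh
# Build the Postfix "nosend" list from the members of one Unix group.
# Intended to run from cron so the negated file list stays in sync
# with the group, as in: authorized_submit_users = !/etc/postfix/nosend, static:all

# members_of GROUP GROUPFILE
# Prints the user names in GROUP's member field (4th field of group(5)),
# one per line, sorted and de-duplicated. Prints nothing for an unknown
# group or a group with no listed members.
members_of() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2" | sort -u
}

# write_nosend GROUP GROUPFILE OUTFILE
# Writes the member list to OUTFILE atomically (temp file + rename) so
# sendmail(1) never reads a half-written list, then prints the line count.
write_nosend() {
    tmp="$3.tmp.$$"
    members_of "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$3"
    wc -l < "$3" | tr -d ' '
}

# Constructed sample standing in for /etc/group; real runs would pass
# /etc/group (or a saved `getent group` dump) instead.
SAMPLE_GROUP_FILE=$(mktemp)
printf 'root:x:0:\ntesters:x:1001:qa1,qa2,bot\nusers:x:100:alice\n' \
    > "$SAMPLE_GROUP_FILE"

# Real cron use (not executed here; assumes the "testers" group):
#   write_nosend testers /etc/group /etc/postfix/nosend
#   postconf -e 'authorized_submit_users = !/etc/postfix/nosend, static:all'
```

The file is rewritten in full on every run, so users removed from the group regain submission rights on the next cron pass without any manual editing.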