reject_authenticated_sender_login_mismatch

2010-01-10 Thread Michael
As follows

smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
check_recipient_access hash:/etc/postfix/access,
permit_mynetworks,
reject_authenticated_sender_login_mismatch 
mysql:/etc/postfix/mysql-sender-access.cf
reject_unauth_destination

mysql-sender-access.cf

hosts = localhost
user = USER
password = PASS
dbname = system

query = SELECT username FROM mailboxes WHERE email='%s' AND active='1'

The error returned is:

RECEIVER ADDRESS (The server responded: "5.7.1 : Sender 
address rejected: not owned by user SASL USER")

What's going on? Running the query directly against the SQL database returns 
the desired result.


About reject_authenticated_sender_login_mismatch

2009-12-30 Thread Jeff Huang
Hi All.

I want to restrict the smtpd with reject_authenticated_sender_login_mismatch 
when the SASL login name and the sender mismatch.

So I need to set up a lookup table for the smtpd_sender_login_maps.

But I only want to check whether the login name and the first part of 
the sender (u...@domain) are the same.

For example, I allow the user whose id is uid to send mail from u...@domain.

Can I set up a simple lookup table or is there another way to implement it?


Thanks and happy new year.




Jeff

Re: reject_authenticated_sender_login_mismatch

2010-01-11 Thread Barney Desmond
2010/1/11 Michael :
> As follows
>
> smtpd_recipient_restrictions =
> ...
>        check_recipient_access hash:/etc/postfix/access,
>        permit_mynetworks,
>    reject_authenticated_sender_login_mismatch
> mysql:/etc/postfix/mysql-sender-access.cf
>        reject_unauth_destination
> ...
> RECEIVER ADDRESS (The server responded: "5.7.1 : Sender
> address rejected: not owned by user SASL USER")
>
> What's going on? Running the query directly against the SQL database returns
> the desired result.

I've not used this function before myself, but my reading of the docs
indicates you might've misinterpreted the correct usage.

I hopped through these three in order:
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

You haven't posted the output of `postconf -n`, so I don't know if
your settings are correct, but I suspect you're needing something
like:

smtpd_recipient_restrictions =
   reject_invalid_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   check_recipient_access hash:/etc/postfix/access,
   permit_mynetworks,
   reject_authenticated_sender_login_mismatch,
   reject_unauth_destination

smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-access.cf

reject_authenticated_sender_login_mismatch doesn't take a type:table
mapping, it just makes use of one defined elsewhere.


Re: reject_authenticated_sender_login_mismatch

2010-01-11 Thread mouss
Michael a écrit :
> As follows
> 
> smtpd_recipient_restrictions =
> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,

useless. RCPT TO is an "asynchronous" command, so there is no
"unauth_pipelining" at this stage. read the pipelining RFC for more.

> check_recipient_access hash:/etc/postfix/access,

Avoid check_foo_access before reject_unauth_destination. an error will
make you an open relay. what are you trying to do with that?

> permit_mynetworks,
> reject_authenticated_sender_login_mismatch 
> mysql:/etc/postfix/mysql-sender-access.cf

As Barney pointed out, errax syntor (syntax error).

you want something like:

smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-access.cf
smtpd_sender_restrictions =
reject_authenticated_sender_login_mismatch

(there's no point polluting smtpd_recipient_restrictions with this).


PS. next time, show output of 'postconf -n' instead of personally
selected main.cf snippets.

> [snip]



reject_authenticated_sender_login_mismatch issue

2012-01-19 Thread Anton Raytsin

Hello.

I'd like to force users to send only e-mails with valid MAIL FROM and 
also From: header. I have found out a way to check MAIL FROM and SASL 
login and configured my main.cf like this:


smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.mydomain.com
myorigin = mydomain.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
message_size_limit = 104857600
recipient_delimiter = +
inet_interfaces = all
anvil_rate_time_unit=60s
smtpd_client_message_rate_limit=20
header_checks=regexp:/etc/postfix/header_checks
smtpd_helo_restrictions=permit_sasl_authenticated,check_helo_access 
hash:/etc/postfix/hello_access

smtp_sender_login_maps = mysql:$config_directory/mysql_login_maps.cf
virtual_mailbox_domains = 
proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf

virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = 
proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = 
proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf

virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:8
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,check_sender_access 
regexp:/etc/postfix/sender_access,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
smtpd_recipient_restrictions=reject_unauth_pipelining,permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unlisted_recipient,reject_unauth_destination,reject_rbl_client 
bl.spamcop.net,permit


mysql_login_maps.cf:
user = user
password = password
hosts = localhost
dbname = mail
table = mailbox
select_field = username
where_field = username
additional_conditions = AND active='1'

But when I send any email from authenticated user, I receive error:

5.7.1 : Sender address rejected: not owned by user 
u...@mydomain.com.


How to fix it?


Re: About reject_authenticated_sender_login_mismatch

2009-12-31 Thread Victor Duchovni
On Thu, Dec 31, 2009 at 03:41:56PM +0800, Jeff Huang wrote:

> I want to restrict the smtpd with
> reject_authenticated_sender_login_mismatch when the SASL login name and
> the sender mismatch.
> 
> So I need to set up a lookup table for the smtpd_sender_login_maps.
> 
> But I only want to check whether the login name and the first part of
> the sender (u...@domain) are the same.

main.cf:
smtpd_sender_login_maps = pcre:${config_directory}/sender_login.pcre

sender_login.pcre:
/^(.*)@example\.com$/   $1

-- 
Viktor.



reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-10-31 Thread Simon Brereton
Hi

I was evaluating my smtpd_recipient_restrictions last week and decided that it 
made no sense to have reject_sender_login_mismatch after 
permit_sasl_authenticated.  So I changed it.  At the time I was reviewing the 
documentation I wasn't able to figure out the difference between 
reject_authenticated_sender_login_mismatch and reject_sender_login_mismatch.

Since then I have a few items in the logs like:

Oct 30 17:59:40 mail postfix/smtpd[21281]: connect from 
cpc17cable-connection.cableprovider.com[12.34.56.78]
Oct 30 17:59:40 mail postfix/smtpd[21281]: setting up TLS connection from 
cpc17cable-connection.cableprovider.com[12.34.56.78]
Oct 30 17:59:40 mail postfix/smtpd[21281]: Anonymous TLS connection established 
from cpc17cable-connection.cableprovider.com[12.34.56.78]: TLSv1 with cipher 
AES128-SHA (128/128 bits)
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
: Sender address rejected: not owned by user 
myu...@example.com; from= to= 
proto=ESMTP helo=
Oct 30 18:09:43 mail postfix/smtpd[21281]: timeout after RCPT from 
cpc17cable-connection.cableprovider.com[12.34.56.78]
Oct 30 18:09:43 mail postfix/smtpd[21281]: disconnect from 
cpc17cable-connection.cableprovider.com[12.34.56.78]

Googling led me to this thread:
http://comments.gmane.org/gmane.mail.postfix.user/210413

But I don't understand how myu...@example.com is not owned by myu...@example.com

What is the purpose of reject_authenticated_sender_login_mismatch  and 
reject_sender_login_mismatch and should it come before or after 
permit_sasl_auth?



mail:~# postconf -n | grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_sender,  
reject_non_fqdn_recipient,  reject_sender_login_mismatch,   
permit_sasl_authenticated,  check_helo_access 
hash:/etc/postfix/helo_checks,check_sender_access 
hash:/etc/postfix/ip_whitelist,   check_recipient_access 
hash:/etc/postfix/laxdomains,reject_unknown_sender_domain,   
reject_unknown_recipient_domain,reject_invalid_helo_hostname,   
reject_non_fqdn_helo_hostname,  reject_unknown_helo_hostname, 
check_sender_access hash:/etc/postfix/backscatter   
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
permit_mynetworks,   reject_unauth_destination,  
reject_unlisted_recipient,  check_policy_service unix:private/policy-spf, 
check_policy_service inet:127.0.0.1:10031,  reject_rbl_client 
bl.spamcop.net,   reject_rbl_client zen.spamhaus.org, reject_rbl_client 
cbl.abuseat.org,  reject_rbl_client blackholes.mail-abuse.org,  
reject_rbl_client tw.countries.nerd.dk, reject_rbl_client kr.countries.nerd.dk, 
reject_rbl_client cn.countries.nerd.dk, reject_rbl_client 
relays.mail-abuse.org,warn_if_reject, reject_unknown_client,  
warn_if_reject,   reject_rhsbl_client dsn.rfc-ignorant.org,   
warn_if_reject, reject_rbl_client dnsbl.sorbs.net,  warn_if_reject, 
reject_rbl_client dnsbl.njabl.org,  warn_if_reject, 
reject_rbl_client dul.dnsbl.sorbs.net,permit

Postfix is 2.7.1 installed via apt-get on Debian.

Thanks.

Simon





Re: reject_authenticated_sender_login_mismatch issue

2012-01-20 Thread Benny Pedersen

On Fri, 20 Jan 2012 11:28:08 +0400, Anton Raytsin wrote:

> How to fix it?

> smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,.

swap reject_authenticated_sender_login_mismatch and 
permit_sasl_authenticated




Re: reject_authenticated_sender_login_mismatch issue

2012-01-20 Thread /dev/rob0
On Fri, Jan 20, 2012 at 02:23:00PM +0100, Benny Pedersen wrote:
> On Fri, 20 Jan 2012 11:28:08 +0400, Anton Raytsin wrote:
> >How to fix it?
> 
> > smtpd_sender_restrictions=
> > reject_authenticated_sender_login_mismatch,
> > permit_sasl_authenticated,.
> 
> swap reject_authenticated_sender_login_mismatch and
> permit_sasl_authenticated

Benny, the only thing that does is to ensure that the sender login 
mismatch check is never done, because all authenticated senders are
permitted, regardless of what the smtpd_sender_login_maps might 
contain.

The likely best answer for the OP is to review
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps and 
ensure that the maps are correct.

Another comment I can recall from the OP is that he seems to expect 
this to apply to addresses in the From: headers. Not so, this only
affects the envelope sender address.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: reject_authenticated_sender_login_mismatch issue

2012-01-20 Thread Benny Pedersen

On Fri, 20 Jan 2012 09:42:43 -0600, /dev/rob0 wrote:

>> swap reject_authenticated_sender_login_mismatch and
>> permit_sasl_authenticated
>
> Benny, the only thing that does is to ensure that the sender login
> mismatch check is never done, because all authenticated senders are
> permitted, regardless of what the smtpd_sender_login_maps might
> contain.

it will check if not sasl authed, should at least change logs

first match wins is still good to remember

> The likely best answer for the OP is to review
> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps and
> ensure that the maps are correct.

yeps

> Another comment I can recall from the OP is that he seems to expect
> this to apply to addresses in the From: headers. Not so, this only
> affects the envelope sender address.

if the user wants to restrict this then it's a sender identity and can only 
be restricted in roundcube imho


# cat msg
From: "banjo boy" 
To: "sopa" 
Subject: wikipedia

test msg

sendmail -f root root 

Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-10-31 Thread Noel Jones
On 10/31/2011 12:31 PM, Simon Brereton wrote:
> Hi
> 
> I was evaluating my smtpd_recipient_restrictions last week and decided that 
> it made no sense to have reject_sender_login_mismatch after 
> permit_sasl_authenticated.  So I changed it.  At the time I was reviewing the 
> documentation I wasn't able to figure out the difference between 
> reject_authenticated_sender_login_mismatch and reject_sender_login_mismatch.

Did you see this?
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

With the "authenticated" version, the sender address is only checked
if the user has authenticated.  This allows unauthenticated mail to
use a protected sender address, which may be needed for
notification/invitation services etc. that "spoof" the sender
address for incoming mail.

> 
> Since then I have a few items in the logs like:
> 
> Oct 30 17:59:40 mail postfix/smtpd[21281]: connect from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 17:59:40 mail postfix/smtpd[21281]: setting up TLS connection from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 17:59:40 mail postfix/smtpd[21281]: Anonymous TLS connection 
> established from cpc17cable-connection.cableprovider.com[12.34.56.78]: TLSv1 
> with cipher AES128-SHA (128/128 bits)
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
> : Sender address rejected: not owned by user 
> myu...@example.com; from= to= 
> proto=ESMTP helo=
> Oct 30 18:09:43 mail postfix/smtpd[21281]: timeout after RCPT from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]
> Oct 30 18:09:43 mail postfix/smtpd[21281]: disconnect from 
> cpc17cable-connection.cableprovider.com[12.34.56.78]
> 
> Googling led me to this thread:
> http://comments.gmane.org/gmane.mail.postfix.user/210413
> 
> But I don't understand how myu...@example.com is not owned by 
> myu...@example.com

Apparently this user didn't authenticate.
You define who owns what address in smtpd_sender_login_maps.  There
are no "automatic" mappings.

> mail:~# postconf -n | grep smtpd_recipient_restrictions
> smtpd_recipient_restrictions =
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_sender_login_mismatch,
> permit_sasl_authenticated,

This should be followed by "permit_mynetworks,
reject_unauth_destination," followed by your other UCE checks.

> check_helo_access hash:/etc/postfix/helo_checks,
> check_sender_access hash:/etc/postfix/ip_whitelist,

check_sender_access is to check the sender email address, and will
never match an IP.  You must use check_client_access to whitelist by IP.

> check_recipient_access hash:/etc/postfix/laxdomains,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> check_sender_access hash:/etc/postfix/backscatter
> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
> permit_mynetworks,
> reject_unauth_destination,

This is dangerously late for reject_unauth_destination.  You should
move it above any check_*_access maps.

> reject_unlisted_recipient,
> check_policy_service unix:private/po
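
The behaviour rob0 and Noel describe (the check consults only smtpd_sender_login_maps, there is no automatic mapping, and "first match wins" decides whether the check runs at all) as an added Python model; this is not Postfix code and not from anyone in the thread. The map contents, logins and addresses are constructed, the pcre rule is the one from Victor's reply, only full-address lookups are modelled, and the rejection texts follow the shape of the 553 5.7.1 log lines quoted above.

```python
import re
from typing import Callable, Dict, Optional, Sequence, Set

# Constructed map in the form of Victor's sender_login.pcre rule
# (/^(.*)@example\.com$/ $1): the local part is the owning SASL login.
PCRE_RULES = [(re.compile(r"^(.*)@example\.com$"), r"\1")]

# Constructed table map (what a mysql: or hash: table would return): full
# sender address -> comma/space separated list of owning logins.
TABLE_RULES: Dict[str, str] = {
    "sales@example.org": "alice, bob",
}

def sender_login_lookup(sender: str) -> Optional[str]:
    """Model of an smtpd_sender_login_maps lookup; None when there is no entry."""
    key = sender.lower()
    if key in TABLE_RULES:
        return TABLE_RULES[key]
    for pattern, replacement in PCRE_RULES:
        if pattern.match(key):
            return pattern.sub(replacement, key)
    return None

def owners_of(sender: str) -> Set[str]:
    """Split the lookup result on commas/whitespace. Lower-casing assumes
    Postfix compares login names case-insensitively (assumption)."""
    result = sender_login_lookup(sender)
    if result is None:
        return set()
    return {name.lower() for name in re.split(r"[\s,]+", result) if name}

def _reject(sender: str, reason: str) -> str:
    # Same shape as the 553 5.7.1 lines in the thread's logs.
    return f"REJECT 553 5.7.1 <{sender}>: Sender address rejected: {reason}"

def reject_authenticated_sender_login_mismatch(login: Optional[str], sender: str) -> str:
    """Acts only on authenticated clients: the login must be an owner of the
    MAIL FROM address. An address with no entry is rejected too (nobody owns it)."""
    if login is None:
        return "DUNNO"
    if login.lower() not in owners_of(sender):
        return _reject(sender, f"not owned by user {login}")
    return "DUNNO"

def reject_unauthenticated_sender_login_mismatch(login: Optional[str], sender: str) -> str:
    """Acts only on unauthenticated clients: an address that has an owner may
    not be used without logging in. Addresses absent from the map pass."""
    if login is None and owners_of(sender):
        return _reject(sender, "not logged in")
    return "DUNNO"

def reject_sender_login_mismatch(login: Optional[str], sender: str) -> str:
    """The combined restriction: whichever of the two rules above applies."""
    if login is None:
        return reject_unauthenticated_sender_login_mismatch(login, sender)
    return reject_authenticated_sender_login_mismatch(login, sender)

CHECKS: Dict[str, Callable[[Optional[str], str], str]] = {
    "reject_sender_login_mismatch": reject_sender_login_mismatch,
    "reject_authenticated_sender_login_mismatch": reject_authenticated_sender_login_mismatch,
    "reject_unauthenticated_sender_login_mismatch": reject_unauthenticated_sender_login_mismatch,
}

def evaluate(restrictions: Sequence[str], login: Optional[str], sender: str) -> str:
    """First match wins: return the first verdict that is not DUNNO.
    Reaching the end of the list is DUNNO (neither permit nor reject)."""
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            verdict = "OK" if login is not None else "DUNNO"
        elif name == "permit":
            verdict = "OK"
        elif name in CHECKS:
            verdict = CHECKS[name](login, sender)
        else:
            raise ValueError(f"restriction not modelled: {name}")
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

def thread_scenarios() -> Dict[str, str]:
    """The situations discussed in the thread, run through the model."""
    anton = ["reject_authenticated_sender_login_mismatch", "permit_sasl_authenticated"]
    swapped = ["permit_sasl_authenticated", "reject_authenticated_sender_login_mismatch"]
    simon = ["reject_sender_login_mismatch", "permit_sasl_authenticated"]
    return {
        # Benny's swap: permit_sasl_authenticated matches first, so the
        # ownership check never runs for the clients it is meant for.
        "swapped_never_checks": evaluate(swapped, "carol", "sales@example.org"),
        "original_rejects": evaluate(anton, "carol", "sales@example.org"),
        # Victor's pcre map: login "jeff" owns jeff@example.com and nothing else.
        "pcre_owner_ok": evaluate(anton, "jeff", "jeff@example.com"),
        "pcre_other_user": evaluate(anton, "jeff", "bob@example.com"),
        # Simon's list: unauthenticated client using an address that has owners.
        "simon_unauth": evaluate(simon, None, "sales@example.org"),
        # Noel's point: the "authenticated" variant leaves unauthenticated mail alone.
        "auth_variant_unauth": evaluate(anton, None, "sales@example.org"),
    }
```

On a real server the equivalent check of the map itself is `postmap -q user@example.com pcre:/etc/postfix/sender_login.pcre`; an empty result means no login owns that address.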

Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-10-31 Thread Simon Brereton
On 31 October 2011 15:16, Noel Jones  wrote:
> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>> Hi
>>
>> I was evaluating my smtpd_recipient_restrictions last week and decided that 
>> it made no sense to have reject_sender_login_mismatch after 
>> permit_sasl_authenticated.  So I changed it.  At the time I was reviewing 
>> the documentation I wasn't able to figure out the difference between 
>> reject_authenticated_sender_login_mismatch and reject_sender_login_mismatch.
>
> Did you see this?
> http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
>
> With the "authenticated" version, the sender address is only checked
> if the user has authenticated.  This allows unauthenticated mail to
> use a protected sender address, which may be needed for
> notification/invitation services etc. that "spoof" the sender
> address for incoming mail.
>
>>
>> Since then I have a few items in the logs like:
>>
>> Oct 30 17:59:40 mail postfix/smtpd[21281]: connect from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]
>> Oct 30 17:59:40 mail postfix/smtpd[21281]: setting up TLS connection from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]
>> Oct 30 17:59:40 mail postfix/smtpd[21281]: Anonymous TLS connection 
>> established from cpc17cable-connection.cableprovider.com[12.34.56.78]: TLSv1 
>> with cipher AES128-SHA (128/128 bits)
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= to= 
>> proto=ESMTP helo=
>> Oct 30 17:59:43 mail postfix/smtpd[21281]: NOQUEUE: reject: RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]: 553 5.7.1 
>> : Sender address rejected: not owned by user 
>> myu...@example.com; from= 
>> to= proto=ESMTP helo=
>> Oct 30 18:09:43 mail postfix/smtpd[21281]: timeout after RCPT from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]
>> Oct 30 18:09:43 mail postfix/smtpd[21281]: disconnect from 
>> cpc17cable-connection.cableprovider.com[12.34.56.78]
>>
>> Googling led me to this thread:
>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>
>> But I don't understand how myu...@example.com is not owned by 
>> myu...@example.com
>
> Apparently this user didn't authenticate.
> You define who owns what address in smtpd_sender_login_maps.  There
> are no "automatic" mappings.

Thanks again Noel.  That helps my understanding.

Cheers

Simon


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-01 Thread Simon Brereton
On 31 October 2011 15:16, Noel Jones  wrote:
> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>> Googling led me to this thread:
>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>
>> But I don't understand how myu...@example.com is not owned by 
>> myu...@example.com
>
> Apparently this user didn't authenticate.
> You define who owns what address in smtpd_sender_login_maps.  There
> are no "automatic" mappings.

Okay, so without smtpd_sender_login_maps those restrictions are worthless, yes?

>> mail:~# postconf -n | grep smtpd_recipient_restrictions
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_sender_login_mismatch,
>> permit_sasl_authenticated,
>
> This should be followed by "permit_mynetworks,
> reject_unauth_destination," followed by your other UCE checks.
> check_sender_access is to check the sender email address, and will
> never match an IP.  You must use check_client_access to whitelist by IP.

Nice catch - thanks.

>> reject_unlisted_recipient,
>> check_policy_service unix:private/policy-spf,
>> check_policy_service inet:127.0.0.1:10031,
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client cbl.abuseat.org,
>
> cbl is included in zen, so this is a duplicate.

This is what I was told - but it's always cbl that does the blocking
in the logs.  I seldom get a result for zen.

>> reject_rbl_client blackholes.mail-abuse.org,
>
> Do you pay for a subscription to mail-abuse.org?  Otherwise this
> won't work.

I haven't looked at these in a while - removed.

>> warn_if_reject, reject_unknown_client,
>> warn_if_reject, reject_rhsbl_client dsn.rfc-ignorant.org,
>> warn_if_reject, reject_rbl_client dnsbl.sorbs.net,
>> warn_if_reject, reject_rbl_client dnsbl.njabl.org,
>> warn_if_reject, reject_rbl_client dul.dnsbl.sorbs.net,
>> permit

It's still not clear to me if I need each warn_if_reject, or if I can
just use one.  I.e.

warn_if_reject,
reject_unknown_client,
reject_rbl_client tw.countries.nerd.dk,
reject_rbl_client kr.countries.nerd.dk,
reject_rbl_client cn.countries.nerd.dk,
reject_rhsbl_client dsn.rfc-ignorant.org,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit


>> check_recipient_access hash:/etc/postfix/laxdomains,
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain,
>> reject_invalid_helo_hostname,
>> reject_non_fqdn_helo_hostname,
>> reject_unknown_helo_hostname,
>> check_sender_access hash:/etc/postfix/backscatter
>> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
>> permit_mynetworks,
>> reject_unauth_destination,
>
> This is dangerously late for reject_unauth_destination.  You should
> move it above any check_*_access maps.

This is the problem with adding things over time.  And sometimes I get
really confused - to wit.


## SPAM STUFF and REJECT CODES ##
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_checks,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
check_recipient_access hash:/etc/postfix/laxdomains,  (this is
one domain I host that doesn't want the checking done below)
check_client_access hash:/etc/postfix/ip_whitelist,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,

Jim Seymour has these two ABOVE permit_mynetworks - which I can see
for the sender_domain, but if the recipient_domain was above
permit_mynetworks, then wouldn't postfix reject everything that wasn't
in $mydestination?  So, should it be above or below?  And surely if it
should be above, then so should the helo_hostname checks, no?

check_sender_access hash:/etc/postfix/backscatter
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
check_policy_service unix:private/policy-spf,
check_policy_service inet:127.0.0.1:10031,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
warn_if_reject,
reject_unknown_client,
warn_if_reject,
reject_rbl_client tw.countries.nerd.dk,
warn_if_reject,
reject_rbl_client kr.countries.nerd.dk,
warn_if_reject,
reject_rbl_client cn.countries.nerd.dk,
warn_if_reject,
reject_rhsbl_client dsn.rfc-ignorant.org,
warn_if_reject,
reject_rbl_client dnsbl.sorbs.net,
warn_if_reject,
reject_rbl_client dnsbl.njabl.org,
warn_if_rejec

Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-01 Thread Noel Jones
On 11/1/2011 1:31 PM, Simon Brereton wrote:
> On 31 October 2011 15:16, Noel Jones  wrote:
>> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>>> Googling led me to this thread:
>>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>>
>>> But I don't understand how myu...@example.com is not owned by 
>>> myu...@example.com
>>
>> Apparently this user didn't authenticate.
>> You define who owns what address in smtpd_sender_login_maps.  There
>> are no "automatic" mappings.
> 
> Okay, so without smtpd_sender_login_maps those restrictions are worthless, 
> yes?

Right.  You must define the user <-> sender address mapping.


>>> reject_unlisted_recipient,
>>> check_policy_service unix:private/policy-spf,
>>> check_policy_service inet:127.0.0.1:10031,
>>> reject_rbl_client bl.spamcop.net,
>>> reject_rbl_client zen.spamhaus.org,
>>> reject_rbl_client cbl.abuseat.org,
>>
>> cbl is included in zen, so this is a duplicate.
> 
> This is what I was told - but it's always cbl that does the blocking
> in the logs.  I seldom get a result for zen.

Maybe spamhaus cut you (or your ISP if you use their DNS) off for
exceeding their query limits.


> It's still not clear to me if I need each warn_if_reject, or if I can
> just use one.  I.e.
> 
> warn_if_reject,
> reject_unknown_client,
> reject_rbl_client tw.countries.nerd.dk,


you need to use warn_if_reject in front of each restriction you want
turned into a warning.


> reject_rbl_client dul.dnsbl.sorbs.net,
> permit

and for completeness, I'll note the final permit is unnecessary, but
doesn't really hurt anything.


> ## SPAM STUFF and REJECT CODES ##
> smtpd_recipient_restrictions =
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> permit_sasl_authenticated,
> check_helo_access hash:/etc/postfix/helo_checks,
> permit_mynetworks,
> reject_unauth_destination,
> reject_unlisted_recipient,
> check_recipient_access hash:/etc/postfix/laxdomains,  (this is
> one domain I host that doesn't want the checking done below)
> check_client_access hash:/etc/postfix/ip_whitelist,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> 
> Jim Seymour has these two ABOVE permit_mynetworks - which I can see
> for the sender_domain, but if the recipient_domain was above
> permit_mynetworks, then wouldn't postfix reject everything that wasn't
> in $mydestination?  So, should it be above or below?  And surely if it
> should be above, then so should the helo_hostname checks, no?

The checks "above" permit_mynetworks and permit_sasl_authenticated
are checks you want applied to your networks and authenticated
users.  Generally it's better to put those checks in
smtpd_sender_restrictions.



  -- Noel Jones


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread Simon Brereton
On 1 November 2011 18:53, Noel Jones  wrote:
> On 11/1/2011 1:31 PM, Simon Brereton wrote:
>> On 31 October 2011 15:16, Noel Jones  wrote:
>>> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>>>> Googling led me to this thread:
>>>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>>>
>>>> But I don't understand how myu...@example.com is not owned by 
>>>> myu...@example.com
>>>
>>> Apparently this user didn't authenticate.
>>> You define who owns what address in smtpd_sender_login_maps.  There
>>> are no "automatic" mappings.
>>
>> Okay, so without smtpd_sender_login_maps those restrictions are worthless, 
>> yes?
>
> Right.  You must define the user <-> sender address mapping.

>> ## SPAM STUFF and REJECT CODES ##
>> smtpd_recipient_restrictions =
>>         reject_non_fqdn_sender,
>>         reject_non_fqdn_recipient,
>>         permit_sasl_authenticated,
>>         check_helo_access hash:/etc/postfix/helo_checks,
>>     permit_mynetworks,
>>         reject_unauth_destination,
>>         reject_unlisted_recipient,
>>         check_recipient_access hash:/etc/postfix/laxdomains,  (this is
>> one domain I host that doesn't want the checking done below)
>>         check_client_access hash:/etc/postfix/ip_whitelist,
>>         reject_invalid_helo_hostname,
>>         reject_non_fqdn_helo_hostname,
>>         reject_unknown_helo_hostname,
>>         reject_unknown_sender_domain,
>>         reject_unknown_recipient_domain,
>>
>> Jim Seymour has these two ABOVE permit_mynetworks - which I can see
>> for the sender_domain, but if the recipient_domain was above
>> permit_mynetworks, then wouldn't postfix reject everything that wasn't
>> in $mydestination?  So, should it be above or below?  And surely if it
>> should be above, then so should the helo_hostname checks, no?
>
> The checks "above" permit_mynetworks and permit_sasl_authenticated
> are checks you want applied to your networks and authenticated
> users.  Generally it's better to put those checks in
> smtpd_sender_restrictions.

Gah.  There's like 5 people on this list I force myself to obey and
you're one of them...  But I thought the recommended best practice was
to have it all in smtpd_recipient_restrictions..  :(

So if I take them out of there, and add in:

smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit

it won't break anything?  Won't make me an open relay and won't make a
backscatterer?

Simon


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread James Seymour
On Tue, 1 Nov 2011 14:31:14 -0400
Simon Brereton  wrote:

[snip]
> 
> ## SPAM STUFF and REJECT CODES ##
> smtpd_recipient_restrictions =
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> permit_sasl_authenticated,
> check_helo_access hash:/etc/postfix/helo_checks,
> permit_mynetworks,
[snip]
> 
> Jim Seymour has these two ABOVE permit_mynetworks - 
[snip]

I don't know to which two you refer, but I have what I have above
permit_mynetworks because I want them to apply to even my own local
users.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread Simon Brereton
On 2 November 2011 15:53, James Seymour  wrote:
> On Tue, 1 Nov 2011 14:31:14 -0400
> Simon Brereton  wrote:
>
> [snip]
>>
>> ## SPAM STUFF and REJECT CODES ##
>> smtpd_recipient_restrictions =
>>         reject_non_fqdn_sender,
>>         reject_non_fqdn_recipient,
>>         permit_sasl_authenticated,
>>         check_helo_access hash:/etc/postfix/helo_checks,
>>     permit_mynetworks,
> [snip]
>>
>> Jim Seymour has these two ABOVE permit_mynetworks -
> [snip]
>
> I don't know to which two you refer, but I have what I have above
> permit_mynetworks because I want them to apply to even my own local
> users.

Yes, that was my understanding when I followed your original
instructions.  But Rob and Noel were telling me that I had too much
stuff before reject_unauth_destination..

I was referring to these two:

reject_unknown_sender_domain,
reject_unknown_recipient_domain,

I guess this is a little off-topic now, but I can see why
reject_unknown_sender_domain before permit_mynetworks would be
sensible - it stops my users trying to mail with a
randomgibberish.tld but if I put reject_unknown_recipient_domain there
postconf.5 says it will

Reject the request when Postfix is not final destination for the
recipient domain, and the RCPT TO domain has no DNS A or MX record, or
when it has a malformed MX record such as a record with a zero-length
MX hostname (Postfix version 2.3 and later).

Unless that's meant to say it will Reject the request when Postfix is
not final destination for the recipient domain,  OR the RCPT TO domain
has no DNS A or MX record, or when it has a malformed MX

Simon


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread James Seymour
On Wed, 2 Nov 2011 16:12:07 -0400
Simon Brereton  wrote:

[snip]
> ... but if I put reject_unknown_recipient_domain there
> postconf.5 says it will
> 
> Reject the request when Postfix is not final destination for the
> recipient domain, and the RCPT TO domain has no DNS A or MX record, or
> when it has a malformed MX record such as a record with a zero-length
> MX hostname (Postfix version 2.3 and later).
> 
> Unless that's meant to say it will Reject the request when Postfix is
> not final destination for the recipient domain,  OR the RCPT TO domain
> has no DNS A or MX record, or when it has a malformed MX

No, it means just what it says it means.  If the local Postfix instance
is the final destination it will accept it.  Or if a destination for
the RCPT domain can be determined it will accept it.  If the local
Postfix instance is not the final destination or it cannot determine
what is, it will be rejected.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread Simon Brereton
On 2 November 2011 16:26, James Seymour  wrote:
> On Wed, 2 Nov 2011 16:12:07 -0400
> Simon Brereton  wrote:
>
> [snip]
>> ... but if I put reject_unknown_recipient_domain there
>> postconf.5 says it will
>>
>> Reject the request when Postfix is not final destination for the
>> recipient domain, and the RCPT TO domain has no DNS A or MX record, or
>> when it has a malformed MX record such as a record with a zero-length
>> MX hostname (Postfix version 2.3 and later).
>>
>> Unless that's meant to say it will Reject the request when Postfix is
>> not final destination for the recipient domain,  OR the RCPT TO domain
>> has no DNS A or MX record, or when it has a malformed MX
>
> No, it means just what it says it means.  If the local Postfix instance
> is the final destination it will accept it.  Or if a destination for
> the RCPT domain can be determined it will accept it.  If the local
> Postfix instance is not the final destination or it cannot determine
> what is, it will be rejected.

Well, I think my postulation was closer to your explanation, but
either way it's clear now.  I'll restore them above mynetworks.

Thank-you.

Simon


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread Wietse Venema
Simon Brereton:
> On 2 November 2011 16:26, James Seymour  wrote:
> > On Wed, 2 Nov 2011 16:12:07 -0400
> > Simon Brereton  wrote:
> >
> > [snip]
> >> ... but if I put reject_unknown_recipient_domain there
> >> postconf.5 says it will
> >>
> >> Reject the request when Postfix is not final destination for the
> >> recipient domain, and the RCPT TO domain has no DNS A or MX record, or
> >> when it has a malformed MX record such as a record with a zero-length
> >> MX hostname (Postfix version 2.3 and later).
> >>
> >> Unless that's meant to say it will Reject the request when Postfix is
> >> not final destination for the recipient domain,  OR the RCPT TO domain
> >> has no DNS A or MX record, or when it has a malformed MX
> >
> > No, it means just what it says it means.  If the local Postfix instance
> > is the final destination it will accept it.  Or if a destination for
> > the RCPT domain can be determined it will accept it.  If the local
> > Postfix instance is not the final destination or it cannot determine
> > what is, it will be rejected.
> 
> Well, I think my postulation was closer to your explanation, but
> either way it's clear now.  I'll restore them above mynetworks.

The manpage text says, and really means to say, (A AND (B OR C)).
This is equivalent to ((A AND B) OR (A AND C)). 

Your postulation is (A OR B OR C) which equals (A OR (B OR C)).
Note the difference with what the manpage says.

Wietse


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-02 Thread Noel Jones
On 11/2/2011 2:33 PM, Simon Brereton wrote:

>> The checks "above" permit_mynetworks and permit_sasl_authenticated
>> are checks you want applied to your networks and authenticated
>> users.  Generally it's better to put those checks in
>> smtpd_sender_restrictions.
> 
> But I thought the recommended best practice was
> to have it all in smtpd_recipient_restrictions..  :(

That's a guideline, not a best practice -- big difference.
If you want to apply some restriction to ALL connections -- both
your own senders and outside mail -- it makes sense to put it in a
different section.

And mostly applies to access tables (check_*_access) since those
must be handled carefully.

> 
> So if I take them out of there, and add in:
> 
> smtpd_sender_restrictions = reject_unknown_sender_domain,
> reject_unknown_recipient_domain, permit
> 
> it won't break anything?  Won't make me an open relay and won't make a
> backscatterer?

again, the final "permit" is unnecessary.

Should be fine, and it certainly won't make you an open relay.



  -- Noel Jones


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-03 Thread Simon Brereton
On 2 November 2011 18:23, Noel Jones  wrote:
> On 11/2/2011 2:33 PM, Simon Brereton wrote:
>
>>> The checks "above" permit_mynetworks and permit_sasl_authenticated
>>> are checks you want applied to your networks and authenticated
>>> users.  Generally it's better to put those checks in
>>> smtpd_sender_restrictions.
>>
>> But I thought the recommended best practice was
>> to have it all in smtpd_recipient_restrictions..  :(
>
> That's a guideline, not a best practices -- big difference.
> If you want to apply some restriction to ALL connections -- both
> your own senders and outside mail -- it makes sense to put it in a
> different section.
>
> And mostly applies to access tables (check_*_access) since those
> must be handled carefully.

Finally, I get it (thanks Wietse and Jim)..  I was confusing the
binary (in most cases) action of check_*_access with the REJECT access
of reject_*

So, these should be fine anywhere before
reject_unauth_destination...

reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,

If I put them above mynetworks it applies to my networks too, but
doesn't make me an open relay.  And if I put them above permit_sasl_auth
then it applies to all connections (but the HELO ones would likely
knock out any road-warriors (but they should be using the submission
port anyway, right)?

Thanks again for your patience and guidance.

Simon


Re: reject_authenticated_sender_login_mismatch vs reject_sender_login_mismatch

2011-11-03 Thread Noel Jones
On 11/3/2011 9:28 AM, Simon Brereton wrote:

> So, these should be fine anywhere before
> reject_unauth_destination...
> 
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> 
> If I put them above mynetworks it applies to my networks too, but
> doesn't make me an open relay.  And if I put them above permit_sasl_auth
> then it applies to all connections

Yes to all the above, but note it's generally considered bad form to
reject your own users (either mynetworks or authenticated) for any
but the most egregious errors.  Of course, you get to define what's
egregious for you.  Many mail clients present the user a "confusing"
error when mail is rejected, triggering a support call, and it's
unfriendly to make your own users jump through the same
RFC-compliance hoops as a random possibly-hostile MTA.


> (but the HELO ones would likely
> knock out any road-warriors (but they should be using the submission
> port anyway, right)?

It doesn't make much sense for your system to present your users
different behavior based on the port they connect to.

I think putting additional restrictions on port 25 user submission
just makes it harder for the end user without any benefit.


  -- Noel Jones


null envelope and reject_authenticated_sender_login_mismatch

2015-04-28 Thread Marco

Hello,

I have the following problem.
I configured Postfix 3.0.1 to force SASL auth and permit only a set of
envelope sender addresses for each login
(reject_authenticated_sender_login_mismatch).


I would like to understand why the null envelope sender address ("<>")
is always permitted for all logins, even if it doesn't match the
smtpd_sender_login_maps table.
reject_authenticated_sender_login_mismatch works as expected for all
other envelopes.



Could you help me to know why?

Thank you very much
Marco


2bounce_notice_recipient = a...@example.com
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 5m
append_at_myorigin = no
append_dot_mydomain = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_recipient_limit = 1
delay_warning_time = 3h
disable_vrfy_command = yes
enable_long_queue_ids = yes
error_notice_recipient = a...@example.com
hopcount_limit = 50
html_directory = no
inet_interfaces = $myhostname
inet_protocols = all
mail_name = 
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 10485760
meta_directory = /usr/share/postfix
mydestination =
mynetworks =
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = DD.DD.DD.DD
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.0.1/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-3.0.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_helo_name = .example.com
smtp_helo_timeout = 30
smtp_mail_timeout = 30
smtp_quit_timeout = 30
smtpd_banner = $myhostname ESMTPSA $mail_name Welcome to Mail Submit
Agent!
smtpd_client_connection_rate_limit = 40
smtpd_client_message_rate_limit = 600
smtpd_client_recipient_rate_limit = 3000
smtpd_client_restrictions = permit_mynetworks,  
permit_sasl_authenticated, reject

smtpd_error_sleep_time = 20
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket
unix:/run/rate-limit/rate-limit.sock
smtpd_recipient_limit = 1
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-loginmap.cf
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_authenticated_sender_login_mismatch,
smtpd_tls_CAfile = /etc/postfix/certs/CA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/.pem
smtpd_tls_key_file = /etc/postfix/certs/.privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
unknown_local_recipient_reject_code = 550


master.cf
# service    type  private unpriv  chroot  wakeup  maxproc command
submission   inet  n       -       n       -       -       smtpd
pickup       unix  n       -       n       60      1       pickup
cleanup      unix  n       -       n       -       0       cleanup
qmgr         unix  n       -       n       300     1       qmgr
tlsmgr       unix  -       -       n       1000?   1       tlsmgr
rewrite      unix  -       -       n       -       -       trivial-rewrite
bounce       unix  -       -       n       -       0       bounce
defer        unix  -       -       n       -       0       bounce
trace        unix  -       -       n       -       0       bounce
verify       unix  -       -       n       -       1       verify
flush        unix  n       -       n       1000?   0       flush
proxymap     unix  -       -       n       -       -       proxymap
proxywrite   unix  -       -       n       -       1       proxymap
smtp         unix  -       -       n       -       -       smtp
relay        unix  -       -       n       -       -       smtp
showq        unix  n       -       n       -       -       showq
error        unix  -       -       n       -       -       error
retry        unix  -       -       n       -       -       error
discard      unix  -       -       n       -       -       discard
local        unix  -       n       n       -       -       local
virtual      unix  -       n       n       -       -       virtual
lmtp         unix  -       -       n       -       -       lmtp
anvil        unix  -       -       n       -       1       anvil
scache       unix  -       -       n       -       1       scache



Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-18 Thread Vytenis Sabaliauskas
Hello everybody,

I'm struggling to stop the abuse of SASL usernames. My idea is to allow any
particular SASL username to send only from his domain, that is "
u...@example.com" can send from "anyth...@example.com", but not from "
u...@otherexample.com".

I know it should be done with "reject_authenticated_sender_login_mismatch"
and "smtpd_sender_login_maps", but what kind of PCRE rules should I write?
Or PCRE is not a good option to achieve this?

Tried these:

/.*(@.*)/ ${1}

they return only the domain part, but sending fails with error:

"Sender address rejected: not owned by user"

Thanks in advance!


reject_authenticated_sender_login_mismatch only for some logins

2010-03-17 Thread ram
I need to implement smtpd login maps on our postfix servers so as to
minimize the chances of a compromised client machine screwing our smtp
relay.

But this cannot be done overnight. There are various clients who use
different envelope sender domains (for perfectly legitimate reasons) and
I cannot get a mapping for all such entries. 

How can I use reject_authenticated_sender_login_mismatch only for some
auth logins? Especially those who insist on using some junk mailserver
in their offices and cannot sufficiently secure their network.


So I want to say 
if(sasl authenticated) {
    if(suspect client login) {
        reject_authenticated_sender_login_mismatch
    } else {
        allow sender_login_mismatch
    }
}


Thanks
Ram








Re: null envelope and reject_authenticated_sender_login_mismatch

2015-04-28 Thread Viktor Dukhovni
On Tue, Apr 28, 2015 at 09:03:51AM +0200, Marco wrote:

> I would like to understand why the null envelope sender address ("<>") is
> always permitted for all logins, even if it doesn't match the
> smtpd_sender_login_maps table.
> reject_authenticated_sender_login_mismatch works as expected for all other
> envelopes.

This address can't be reasonably owned by any particular login.
If any of your submission clients are MTAs, they need to be able
to send bounces.

If you don't want to allow authentication submission from the null
sender address, you can restrict that sender address via access(5):

null-sender:
<>  permit_mynetworks, reject_unauth_destination

main.cf:
unindexed = texthash:${config_directory}/

smtpd_sender_restrictions =
check_sender_access ${unindexed}null-sender,
reject_sender_login_mismatch

smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

...

-- 
Viktor.


Re: Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-19 Thread Wietse Venema
Vytenis Sabaliauskas:
> Hello everybody,
> 
> I'm struggling to stop the abuse of SASL usernames. My idea is to allow any
> particular SASL username to send only from his domain, that is "
> u...@example.com" can send from "anyth...@example.com", but not from "
> u...@otherexample.com".
> 
> I know it should be done with "reject_authenticated_sender_login_mismatch"
> and "smtpd_sender_login_maps", but what kind of PCRE rules should I write?
> Or PCRE is not a good option to achieve this?

The documentation describes exactly what queries Postfix will make
(see 1..3 below) and what the result of the queries must be (see
last paragraph).

The documentation describes DB, DBM, NIS, LDAP or SQL queries. By
using PCRE you just add unnecessary complexity.

Wietse

smtpd_sender_login_maps (default: empty)
   Optional lookup table with the SASL login names that own sender (MAIL
   FROM) addresses.

   Specify zero or more "type:name" lookup tables, separated by whitespace
   or comma. Tables will be searched in the specified order until a match
   is found.  With lookups from indexed files such as DB or DBM, or from
   networked tables such as NIS, LDAP or SQL, the following search
   operations are done with a sender address of user@domain:

   1) user@domain
      This table lookup is always done and has the highest precedence.

   2) user
      This table lookup is done only when the domain part of the
      sender address matches $myorigin, $mydestination, $inet_interfaces
      or $proxy_interfaces.

   3) @domain
      This table lookup is done last and has the lowest precedence.

   In all cases the result of table lookup must be either "not found" or a
   list of SASL login names separated by comma and/or whitespace.



Re: Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-19 Thread D'Arcy J.M. Cain
On Thu, 19 Jun 2014 08:17:49 +0300
Vytenis Sabaliauskas  wrote:
> I'm struggling to stop the abuse of SASL usernames. My idea is to allow any
> particular SASL username to send only from his domain, that is "
> u...@example.com" can send from "anyth...@example.com", but not from "
> u...@otherexample.com".

I don't know how to do that but I wonder why you want to.  The whole
point of authentication is to allow your users to get email without
having to trust the system they are coming in from.  If you trust the
domain then just add it to mynetworks and don't bother with
authentication.  I suggest authentication though so that your users can
get their email no matter where they are.  People are mobile.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


Re: Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-19 Thread Larry Stone

On Thu, 19 Jun 2014, D'Arcy J.M. Cain wrote:

> On Thu, 19 Jun 2014 08:17:49 +0300
> Vytenis Sabaliauskas  wrote:
>> I'm struggling to stop the abuse of SASL usernames. My idea is to allow any
>> particular SASL username to send only from his domain, that is "
>> u...@example.com" can send from "anyth...@example.com", but not from "
>> u...@otherexample.com".
>
> I don't know how to do that but I wonder why you want to.  The whole
> point of authentication is to allow your users to get email without
> having to trust the system they are coming in from.  If you trust the
> domain then just add it to mynetworks and don't bother with
> authentication.  I suggest authentication though so that your users can
> get their email no matter where they are.  People are mobile.


Whoa, whoa, whoa. The original poster was asking about sending email. 
You're talking about getting email which is the role of an IMAP or POP 
server such as Dovecot, not Postfix. Besides that, mynetworks defines 
trusted IP addresses, not domains.


-- Larry Stone
   lston...@stonejongleux.com


Re: Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-19 Thread D'Arcy J.M. Cain
On Thu, 19 Jun 2014 09:23:45 -0500 (CDT)
Larry Stone  wrote:
> On Thu, 19 Jun 2014, D'Arcy J.M. Cain wrote:
> > I don't know how to do that but I wonder why you want to.  The whole
> > point of authentication is to allow your users to get email without
> > having to trust the system they are coming in from.  If you trust
> > the domain then just add it to mynetworks and don't bother with
> > authentication.  I suggest authentication though so that your users
> > can get their email no matter where they are.  People are mobile.
> 
> Whoa, whoa, whoa. The original poster was asking about sending email. 
> You're talking about getting email which is the role of an IMAP or

My mistake but "get" to "send" and that's what I meant to say.
Authenticating before sending is the best protection.  Of course, you
trust that the user's account hasn't been compromised but that's always
an issue anyway.

> POP server such as Dovecot, not Postfix. Besides that, mynetworks
> defines trusted IP addresses, not domains.

Sure.  I was using shorthand here but yes I should have said "...add
the sender's IP address to mynetworks..."  I would think that he wanted
to guarantee that an email claiming to be from a particular domain is
really coming from there anyway.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


Re: Regarding "reject_authenticated_sender_login_mismatch" domain matching

2014-06-19 Thread Vytenis Sabaliauskas
Perhaps I have expressed it wrong.

Many of our users use aliases as FROM, office scanners, scripts, etc. I
have implemented this solution in our legacy systems. Limiting to a domain
had a lower impact. Most leaked SMTP credentials use spoofed senders (
telekom.de, gmail.com, etc.). This blocked ~95% of our outbound spam. Still
fine tuning it.

Now I'm not 100% Postfix'ish, but searching the web gave me no cheap
solution for how to implement it in Postfix.



> > > I don't know how to do that but I wonder why you want to.  The whole
> > > point of authentication is to allow your users to get email without
> > > having to trust the system they are coming in from.  If you trust
> > > the domain then just add it to mynetworks and don't bother with
> > > authentication.  I suggest authentication though so that your users
> > > can get their email no matter where they are.  People are mobile.
> >
> > Whoa, whoa, whoa. The original poster was asking about sending email.
> > You're talking about getting email which is the role of an IMAP or
>
> My mistake but "get" to "send" and that's what I meant to say.
> Authenticating before sending is the best protection.  Of course, you
> trust that the user's account hasn't been compromised but that's always
> an issue anyway.
>
> > POP server such as Dovecot, not Postfix. Besides that, mynetworks
> > defines trusted IP addresses, not domains.
>
> Sure.  I was using shorthand here but yes I should have said "...add
> the sender's IP address to mynetworks..."  I would think that he wanted
> to guarantee that an email claiming to be from a particular domain is
> really coming from there anyway.
>
> --
> D'Arcy J.M. Cain
> System Administrator, Vex.Net
> http://www.Vex.Net/ IM:da...@vex.net
> VoIP: sip:da...@vex.net
>



-- 
V.


Re: reject_authenticated_sender_login_mismatch only for some logins

2010-03-17 Thread Wietse Venema
ram:
> I need to implement smtpd login maps on our postfix servers so as to
> minimize the chances of a compromised client machine screwing our smtp
> relay.
> 
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries. 
> 
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
> 
> 
> So I want to say 
> if(sasl authenticated) {
>   if(suspect client login) {
>   reject_authenticated_sender_login_mismatch

Currently it can be done with a policy daemon (the protocol provides
both the sasl login and the sender address).

To do this in smtpd, the obvious approach is to add an access map
feature that searches a table by the SASL login name.

/etc/postfix/main.cf:
smtpd_something_restrictions =
...
check_sasl_access hash:/etc/postfix/sasl_access
...

/etc/postfix/sasl_access:
us...@example.com   reject_sender_login_mismatch

But the more *general* solution would be a way to say:

check_access attribute_name hash:/etc/postfix/access_table

Where "attribute_name" can be sasl_username, ccert_fingerprint, or
any other smtpd policy protocol attribute name.

If I have time then I would do that, and solve a whole bunch of
future feature requests.

Wietse


Re: reject_authenticated_sender_login_mismatch only for some logins

2010-03-17 Thread mouss
ram wrote:
> I need to implement smtpd login maps on our postfix servers so as to
> minimize the chances of a compromised client machine screwing our smtp
> relay.

auth is good, but it's not enough. A compromised client can
authenticate.  you still need rate limits and log parsing. and if so,
authentication becomes secondary...

> 
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries. 
> 
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
> 

you can make it a result of a check_access_*.

but you'd better provide two different access types: a "strict" one and
an "old" one. then encourage users to move to the strict one (with
incentives...).

> 
> So I want to say 
> if(sasl authenticated) {
>   if(suspect client login) {
>   reject_authenticated_sender_login_mismatch
>  } else {
>   allow  sender_login_mismatch
>  }
> }
> 
> 
> Thanks
> Ram



Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-07 Thread P.V.Anthony

Hi,

How to create an exception to reject_authenticated_sender_login_mismatch 
in main.cf.


Currently have the following setting in main.cf but I do not know how to 
create an exception. Because there are some authenticated users that 
should not be rejected by reject_authenticated_sender_login_mismatch.


Tried check_sender_access but that seems to check the MAIL_FROM. Is 
there a way to check authenticated user and allow emails coming from 
that authenticated user?


--- start --
smtpd_sender_restrictions = reject_unknown_sender_domain,
  check_sender_access hash:/etc/postfix/allowed_user,
  reject_authenticated_sender_login_mismatch,
  check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
-- end -

In the file /etc/postfix/allowed_user it is as follows.

n...@example.com OK

Is there some other check_*_access that checks the authenticated user?

--
P.V.Anthony






Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Mick

Hi,



P.V.Anthony wrote:
> Hi,
>
> Currently have the following setting in main.cf but I do not know how
> to create an exception. Because there are some authenticated users
> that should not be rejected by
> reject_authenticated_sender_login_mismatch.

I'm a noobie to postfix myself but I'll have an educated guess and say 
'reject_authenticated_sender_login_mismatch' will REJECT if sender does 
not match the sasl_username without any exception. If you want to allow 
a sasl_username to send messages for a non-matching sender, then I'm 
pretty sure you will have to remove it from the smtpd_sender_restrictions. 

If you only want to grant certain users permission to do this, you could 
write a script and run it as an external policy in place of that 
restriction. Postfix will pass the sasl_username and sender details over 
to your script, which could then veto each request based on the 
sasl_username. Do you know how to do this? If you don't, I could post a 
simple PERL example tomorrow.


Mick.
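As an added illustration (not code from this thread, from Postfix, or the Perl script Mick offers): a small Python policy server that follows the three smtpd_sender_login_maps lookups Wietse quotes from postconf(5), enforces the sender/login mismatch check only for logins marked strict (the policy-daemon route Wietse and Mick describe for per-login exceptions), and leaves the null sender alone as Viktor explains. The login table, local domains, strict list, addresses and the port 10040 are all constructed assumptions for the demo.

```python
"""Added example, not code from the postfix-users thread or from Postfix
itself: a minimal SMTPD access-policy handler that reproduces the
smtpd_sender_login_maps lookup order quoted from postconf(5) and applies
the sender-login mismatch check only to SASL logins marked strict.
All tables and addresses below are constructed for the demo."""
import socketserver

# Constructed stand-in for smtpd_sender_login_maps: sender key -> owners.
LOGIN_MAPS = {
    "alice@example.com":   {"alice@example.com"},
    "scanner@example.com": {"alice@example.com", "bob@example.com"},
    "@example.com":        {"bob@example.com"},    # domain-wide ownership
    "postmaster":          {"alice@example.com"},  # bare-user key (step 2)
}

# Domains for which a bare "user" lookup (step 2) applies; in Postfix these
# are $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Logins subject to the check; every other login keeps the legacy behaviour
# of no check (the "only for some logins" request in the thread).
STRICT_LOGINS = {"alice@example.com", "bob@example.com"}


def sender_login_lookup(sender, login_maps=LOGIN_MAPS,
                        local_domains=LOCAL_DOMAINS):
    """Return the set of SASL logins owning `sender`, or None for
    "not found", trying the three postconf(5) lookups in precedence order.
    Addresses are case-folded here for simplicity (a demo assumption)."""
    sender = sender.lower()
    if "@" not in sender:
        return None
    user, domain = sender.rsplit("@", 1)
    # 1) user@domain: always done, highest precedence.
    if sender in login_maps:
        return set(login_maps[sender])
    # 2) user: only when the domain part is one of the local domains.
    if domain in local_domains and user in login_maps:
        return set(login_maps[user])
    # 3) @domain: done last, lowest precedence.
    if "@" + domain in login_maps:
        return set(login_maps["@" + domain])
    return None


def policy_action(attrs):
    """Decide one policy request; `attrs` holds the name=value attributes
    Postfix sends (sasl_username, sender, ...). Returns the action text."""
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "")
    if not login:
        return "DUNNO"   # unauthenticated client: the check does not apply
    if sender == "":
        return "DUNNO"   # null sender <>: cannot be owned by any login
    if login not in STRICT_LOGINS:
        return "DUNNO"   # legacy login: mismatch check not enforced
    owners = sender_login_lookup(sender)
    if owners is not None and login in owners:
        return "DUNNO"
    return "REJECT 5.7.1 Sender address rejected: not owned by user " + login


def parse_policy_request(text):
    """Parse one name=value block (terminated by an empty line) into a dict."""
    attrs = {}
    for line in text.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_request(text):
    """Whole request in, whole response out, as exchanged on the socket."""
    return "action=%s\n\n" % policy_action(parse_policy_request(text))


class PolicyHandler(socketserver.StreamRequestHandler):
    """One policy connection; Postfix may send several requests on it."""
    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            self.wfile.write(handle_request("\n".join(lines) + "\n\n").encode())
            self.wfile.flush()
            lines = []


if __name__ == "__main__":
    # Reference it from smtpd_sender_restrictions with, for example,
    # "check_policy_service inet:127.0.0.1:10040" (port is an assumption).
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler)
    srv.serve_forever()
```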





Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread P.V.Anthony

On 03/08/2015 08:04 PM, Mick wrote:

> I'm a noobie to postfix myself but I'll have an educated guess and say
> 'reject_authenticated_sender_login_mismatch'  will REJECT if sender does
> not match the sasl_username without any exception. If you want to allow
> an sasl_username to send messages for an non matching sender, then I'm
> pretty sure you will have to remove it from the smtpd_sender_restrictions.
>
> If you only want to grant certain users permission to do this, you could
> write a script and run it as an external policy in place of that
> restriction. Postfix will pass the sasl_username and sender details over
> to your script, which could then veto each request based on the
> sasl_username. Do you know how to do this? If you don't, I could post a
> simple PERL example tomorrow.

Thank you very much for replying.

The PERL script would be very very very helpful. Thank you again for 
offering to help.


--
P.V.Anthony






Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Viktor Dukhovni
On Sat, Mar 07, 2015 at 05:59:23PM +0800, P.V.Anthony wrote:

> How to create an exception to reject_authenticated_sender_login_mismatch in
> main.cf.

Postfix 2.11 or later:

http://www.postfix.org/postconf.5.html#check_sasl_access

Presumably some SASL users need to be able to send from *any* email
address, or at least too many to enumerate.

> smtpd_sender_restrictions = reject_unknown_sender_domain,
>   check_sender_access hash:/etc/postfix/allowed_user,
>   reject_authenticated_sender_login_mismatch,
>   check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
> -- end -
> 
> In the file /etc/postfix/allowed_user it is as follows.
> 
> n...@example.com OK
> 
> Is there some other check__access that checks the authenticated user?

With earlier releases, if this user can send from any email address,
EXCEPT email addresses reserved for other SASL users, then just:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

indexed = ${default_database_type}:${config_directory}/
smtpd_sender_login_maps =
${indexed}sender_login, static:n...@example.com

Otherwise, Postfix >= 2.10, go with "socketmap" (superior to "tcp"
table alternative below):

http://www.postfix.org/socketmap_table.5.html

and for every sender address return:

,

For Postfix <= 2.9, use "tcp" tables.

http://www.postfix.org/tcp_table.5.html

-- 
Viktor.


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Mick

P.V.Anthony wrote:

> On 03/08/2015 08:04 PM, Mick wrote:
>
>> I'm a noobie to postfix myself but I'll have an educated guess and say
>> 'reject_authenticated_sender_login_mismatch'  will REJECT if sender does
>> not match the sasl_username without any exception. If you want to allow
>> an sasl_username to send messages for an non matching sender, then I'm
>> pretty sure you will have to remove it from the
>> smtpd_sender_restrictions.
>>
>> If you only want to grant certain users permission to do this, you could
>> write a script and run it as an external policy in place of that
>> restriction. Postfix will pass the sasl_username and sender details over
>> to your script, which could then veto each request based on the
>> sasl_username. Do you know how to do this? If you don't, I could post a
>> simple PERL example tomorrow.
>
> Thank you very much for replying.
>
> The PERL script would be very very very helpful. Thank you again for
> offering to help.

Okay, here it goes. You know I'm a novice right? If anyone on this 
group thinks this is a no no, please comment.


Do read the comments denoted by a # at the start of each line or after ; 
at the end of the line. They explain what is going on.
You don't need the bottom bit of the script, except for interest / debug 
/ future policy ideas; it is not intended to be permanent.

Copy, paste and save the script below as /etc/postfix/sasluser.p
You can save it anywhere and by any name, but for this example it is 
where I have put it and named it.

Once saved, from the command line set permissions,

chown nobody:nogroup /etc/postfix/sasluser.p
chmod 774 /etc/postfix/sasluser.p

Edit the $allowed array entries to show addresses you want to bypass the 
sasl_username not equalling the sender restriction. Make sure you add a 
backslash before the '@' symbol.

From the command prompt (PuTTY) switch user to nobody
su nobody
...
type ;
perl /etc/postfix/sasluser.p
If no errors, you should get a blank line without command prompt, if so type
sasl_username=
sender=anaddr...@anydomain.sg



You should see action=DUNNO printed on the screen. This is because the 
sasl_username field is empty, so we assume this is an external incoming 
mail which won't match the sender address. DUNNO tells postfix to pass 
on to the next test, by the way.


If the sasl_username is different from the sender but is in $allowed, 
OR the sasl_username is not in your $allowed array but matches the sender 
address, you should also get a DUNNO. If you test with a sasl_username 
not in $allowed, with a sender address that doesn't match, you will see 
action=REJECT + reason


ONLY if you can get the above to work as shown under user nobody, 
consider adding it to postfix. Before doing so, do a postfix reload 
just to ensure your current config is working, sending an email to 
confirm. Also *DO* backup both of these files before altering. I've been 
caught out like this before where a previous change I made messed up the 
setup, but as I hadn't reloaded I didn't notice. It took me hours to 
work out that the fault wasn't with what I had just done. Hours!!!


Anyway, if it passes the tests shown above, add this line to master.cf

policy-sg  unix  -  n  n  -  -  spawn user=nobody argv=/etc/postfix/sasluser.p -v


Save, postfix reload, send message. If okay, add the following line to 
main.cf in place of reject_authenticated_sender_login_mismatch


check_policy_service unix:private/policy-sg,

If it was the last line, remove the comma.
Save, postfix reload, send message. If it fails, comment out the line, 
save, postfix reload, retry sending. Check permissions are correct.


The script is very basic, and though functional is only meant as a 
starting point. It would be better to read the super users in from a 
file or database rather than having to alter / add to an array in the 
script, as a typo / missing semicolon in the script = your mailserver 
SMTP dies by server configuration error. Do test thoroughly first.


Just so you know, I only wrote my first PERL script two weeks ago so 
there is probably a much neater way to write it. The purists certainly 
won't approve of it looking more like php than PERL, but I'm still 
learning. Should all variables be defined by 'my'? Also, this comes with 
no warranty or liability. There may be typos. If you use it, it's at 
your own risk




Good luck,

Mick.


#!/usr/bin/perl
# sasluser.p
# PERL Script hashed up by Snakebyte
# version 0.01

$action="action=DUNNO\n\n";
$sender="";
$sasl_username="\n";

#
# SASL users that are allowed to play at God ;
# Note : you must add a backslash \(escape character) before '@' else PERL will treat it as an array
# While it won't kill the script, it won't work either.

$allowed[0]="address1\@mydomain.sg";
$allowed[1]="address2\@mydomain.sg";
# add more by $allo

Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Mick

P.V.Anthony wrote:

> On 03/08/2015 08:04 PM, Mick wrote:
>
>> I'm a noobie to postfix myself but I'll have an educated guess and say
>> 'reject_authenticated_sender_login_mismatch'  will REJECT if sender does
>> not match the sasl_username without any exception. If you want to allow
>> an sasl_username to send messages for an non matching sender, then I'm
>> pretty sure you will have to remove it from the
>> smtpd_sender_restrictions.
>>
>> If you only want to grant certain users permission to do this, you could
>> write a script and run it as an external policy in place of that
>> restriction. Postfix will pass the sasl_username and sender details over
>> to your script, which could then veto each request based on the
>> sasl_username. Do you know how to do this? If you don't, I could post a
>> simple PERL example tomorrow.
>
> Thank you very much for replying.
>
> The PERL script would be very very very helpful. Thank you again for
> offering to help.




Sorry, I forgot about the line wrap on emails. Make sure the # comments 
on the script stay on the same line. If you want me to PM you the file, 
let me know. Also make sure that the master.cf line stays on one line too.


Mick.



Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Mick
Darn formatting! I can't read it myself. Gr! Attached as a text 
file. Hope attachments are allowed.




Mick.
#!/usr/bin/perl
# sasluser.p
# PERL Script abused by Snakebyte
# version 0.01

$action="action=DUNNO";
$sender="";
$sasl_username="\n";

#
# SASL users that are allowed to play at God ;
# Note : you must add a backslash (escape character) before '@' else PERL will treat it as an array

$allowed[0]="address1\@mydomain.sg";
$allowed[1]="address2\@mydomain.sg";


# Read data passed in by Postfix and grab sender and sasl_username
# (Postfix sends one attribute=value per line; an empty line ends the request)
$a="";
while ($b ne "\n")
{
    $b=<STDIN>;
    last unless defined $b;   # Postfix closed the connection: nothing more to read
    $a.=$b;
    if ($b =~ /=/)
    {
        my ($key, $value) = split (/=/, $b, 2);
        if ($key eq "sender") { $sender=$value; }
        if ($key eq "sasl_username") { $sasl_username=$value; }
    }
}
# --


# Disregard non SASL authenticated and exit the script.
# If you don't do this, incoming mail will be rejected as sasl_username won't equal sender
if ($sasl_username eq "\n")
{
    print "action=DUNNO\n\n";
    exit(0);
}
# ---


# The following line will reject in a similar way that 'reject_authenticated_sender_login_mismatch' would do.
# You can change the text following REJECT to your own custom message
if ($sasl_username ne $sender) { $action="action=REJECT Not authorised to send from this address"; }


# remove linefeed from sasl_username
chomp($sasl_username);

# The following lines loop through each entry of the $allowed array.
# If one of the entries equals the sasl_username, it will overwrite $action to "action=DUNNO"
foreach $loop (@allowed)
{
    if ($loop eq $sasl_username) { $action="action=DUNNO"; }
}
# -

# That's it, now print $action followed by a double line feed '\n\n'
print "$action\n\n";
#print "action=DUNNO\n\n";
# If you un-comment the above line, and comment '#' the one above, this script will not reject anything.


# Ignore the rest but keep exit(0), also...
# If you want to see what other variables the script is receiving from Postfix, you can log them
# Create a directory of your choice. eg /var/worldwrite. From PuTTY root privilege command line type
# mkdir /var/worldwrite
# chown nobody:nogroup /var/worldwrite
# chmod 774 /var/worldwrite/


$file="/var/worldwrite/postreport.txt";
open(my $fh, '>>', $file) or die "cannot open $file: $!";
print $fh "Start:\n$a\n$action\nEnd\n";
close $fh;
# If all is working okay, I would delete from print "$action\n\n"; to here, then delete the worldwrite directory.
# You will only end up with a bloated file, and a directory writable by nobody. Not good.


exit(0);





Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Viktor Dukhovni
On Mon, Mar 09, 2015 at 03:36:53AM +, Mick wrote:

> Darn formatting! I can't read it myself. Gr! Attached as a text file.
> Hope attachments are allowed.

I would not deploy this policy script.  It requires a new Perl
process for each request.  That's a rather bad idea.  It does not
treat the sender address in a case-insensitive manner.

With 2.11 or later, use check_sasl_access.

With 2.10 use socketmap, and with 2.9 or less the tcp table to
implement smtpd_sender_login_maps.  Whichever you use, make it
a persistent service not one process per lookup.

-- 
Viktor.
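
A persistent policy service of the kind Viktor asks for, written as an added example for this thread (it is not Mick's script and not anything shipped with Postfix): it keeps answering requests on one connection until smtpd(8) disconnects, lower-cases both addresses before comparing them, and exempts an allow list of logins. The addresses, the port 10040 and the `--stdio` flag are assumptions made for the example; like the Perl script it assumes the SASL login name is the full sender address.

```python
#!/usr/bin/env python3
"""Persistent Postfix policy service (added example, not the thread's script).

Same decision as Mick's sasluser.p: reject an authenticated sender whose
SASL login differs from the MAIL FROM address, unless the login is on an
allow list.  Unlike the Perl script it serves every request on a connection
and compares addresses case-insensitively.
"""
import io
import socketserver
import sys

# Constructed sample allow list: SASL logins permitted to use any sender address.
ANY_SENDER_LOGINS = {"postmaster@example.com", "helpdesk@example.com"}


def parse_request(lines):
    """Turn the attribute=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def decide(attrs, any_sender_logins=ANY_SENDER_LOGINS):
    """Return the policy action for one request (the text after 'action=')."""
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "").lower()
    if not login:
        # Not SASL-authenticated (e.g. inbound mail): this check does not apply.
        return "DUNNO"
    if login in any_sender_logins or sender == login:
        return "DUNNO"
    # Same outcome as reject_authenticated_sender_login_mismatch would give.
    return "REJECT Sender address rejected: not owned by user " + login


def serve_stream(rfile, wfile, any_sender_logins=ANY_SENDER_LOGINS):
    """Answer policy requests from rfile until EOF; returns how many were answered.

    smtpd(8) sends many requests per connection, each a block of attribute=value
    lines ended by an empty line, so exiting after the first one (as the Perl
    script does) forces a new process per request.
    """
    answered = 0
    lines = []
    for raw in rfile:
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line:
            lines.append(line)
            continue
        if not lines:
            continue  # tolerate stray blank lines
        action = decide(parse_request(lines), any_sender_logins)
        wfile.write(f"action={action}\n\n".encode())
        wfile.flush()
        answered += 1
        lines = []
    return answered


class PolicyHandler(socketserver.StreamRequestHandler):
    """One handler per smtpd(8) connection; stays alive until the client closes it."""

    def handle(self):
        serve_stream(self.rfile, self.wfile)


def sample_exchange():
    """Feed two constructed requests through serve_stream; return (count, reply bytes)."""
    requests = (
        b"request=smtpd_access_policy\nsender=CEO@example.com\nsasl_username=bob@example.com\n\n"
        b"request=smtpd_access_policy\nsender=Bob@Example.com\nsasl_username=bob@example.com\n\n"
    )
    out = io.BytesIO()
    count = serve_stream(io.BytesIO(requests), out)
    return count, out.getvalue()


if __name__ == "__main__":
    if "--stdio" in sys.argv:
        # master.cf spawn mode: requests arrive on stdin, replies go to stdout.
        serve_stream(sys.stdin.buffer, sys.stdout.buffer)
    else:
        # Standalone daemon; main.cf:  check_policy_service inet:127.0.0.1:10040
        socketserver.ThreadingTCPServer.allow_reuse_address = True
        with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
            srv.serve_forever()
```

Run it as a daemon and point main.cf at `check_policy_service inet:127.0.0.1:10040` in place of reject_authenticated_sender_login_mismatch, or keep a master.cf spawn entry and pass `--stdio`; either way one process now serves a whole smtpd(8) session rather than one request, which is the difference Viktor is pointing at.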


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Mick



Viktor Dukhovni wrote:

> On Mon, Mar 09, 2015 at 03:36:53AM +, Mick wrote:
>
>> Darn formatting! I can't read it myself. Gr! Attached as a text file.
>> Hope attachments are allowed.
>
> I would not deploy this policy script.  It requires a new Perl
> process for each request.  That's a rather bad idea.  It does not
> treat the sender address in a case-insensitive manner.

I hadn't thought of that. If the mail server is busy, a lot of processes 
could end up running. You could limit the number of processes in 
master.cf though, couldn't you?

policy-sg  unix  -  n  n  -  5  spawn user=nobody argv=/etc/postfix/sasluser.p -v

I agree running a service would be better. That's way beyond my limited 
knowledge though.

Policy-spf uses the spawn method. Is that bad too?

Good point about case insensitivity and one I missed. That could easily be 
rectified with $sender=lc($value); Same for sasl_username.







> With 2.11 or later, use check_sasl_access.
>
> With 2.10 use socketmap, and with 2.9 or less the tcp table to
> implement smtpd_sender_login_maps.  Whichever you use, make it
> a persistent service not one process per lookup.

Out of interest, have you any links showing working examples? I doubt it 
would be as simple as creating a file, postmapping it to a db file and adding

check_sasl_access hash:/etc/postfix/sasl_checks


Mick.




Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-08 Thread Viktor Dukhovni
On Mon, Mar 09, 2015 at 04:40:41AM +, Mick wrote:

> >I would not deploy this policy script.  It requires a new Perl
> >process for each request.  That's a rather bad idea.  It does not
> >treat the sender address in a case-insensitive manner.
>
> I hadn't thought of that. If the mail server busy, a lot of processes could
> end up running. You could limit the number of processes in master.cf though
> couldn't you?

I am not talking about concurrency, rather this still costs a Perl
invocation per lookup and Perl start-up time is considerable.  The
server might easily have problems under load, especially if you
limit concurrency too much.

> I agree running a service would be better. That's way beyond my limited
> knowledge though.

That's why I am suggesting a TCP table driver, (or even better SQL).

> >With 2.10 use socketmap, and with 2.9 or less the tcp table to
> >implement smtpd_sender_login_maps.  Whichever you use, make it
> >a persistent service not one process per lookup.
>
> Out of interest, have you any links showing working examples? I doubt it be
> as simple as creating a file, postmapping it to a db file and adding
> check_sasl_access hash:/etc/postfix/sasl_checks

It's a damn simple protocol, you just need a persistent TCP listener.

However upgrading to Postfix 2.11 which supports check_sasl_access
is surely easier.

-- 
Viktor.


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-09 Thread Mick

Viktor Dukhovni wrote:

> On Mon, Mar 09, 2015 at 04:40:41AM +, Mick wrote:
>
>>> I would not deploy this policy script.  It requires a new Perl
>>> process for each request.  That's a rather bad idea.  It does not
>>> treat the sender address in a case-insensitive manner.
>>
>> I hadn't thought of that. If the mail server busy, a lot of processes could
>> end up running. You could limit the number of processes in master.cf though
>> couldn't you?
>
> I am not talking about concurrency, rather this still costs a Perl
> invocation per lookup and Perl start-up time is considerable.

Ah, I see. Thanks for clarifying the difference. I run a PERL script 
using spawn to block and group SMTP authenticated senders. Perhaps I 
should look into making that script run as a daemon to save PERL start-up 
time. Haven't a clue how. I guess that's my free time for the next 3 
months booked!




> The
> server might easily have problems under load, especially if you
> limit concurrency too much.

True.



  

>> I agree running a service would be better. That's way beyond my limited
>> knowledge though.
>
> That's why I am suggesting a TCP table driver, (or even better SQL).

I find the postfix instruction manual a nightmare, and the write-up on 
smtpd_sender_login_maps is no exception. It contains no examples. The 
manual is very good at telling you what can be achieved, but is written 
for those already in the know I fear.  I mean no offence to whoever 
wrote the manual. Out of interest to me, and perhaps P.V. who asked the 
question in the first place, how would you even start?  
smtpd_sender_login_maps = exactly what?


Can you create a text file containing  ;

a...@domain.tld, f...@domain.tld, g...@domain.tld
b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld

Where the left column is the sender address and addresses the right are 
sasl users allowed to send on behalf of that sender.

I note a comma can also be white space.
Save text file as "/etc/postfix/failure.1"

convert to DB file
postmap /etc/postfix/failure.1

add to main.cf
check_client_access hash:/etc/postfix/failure.1,

/etc/init.d/postfix reload

Will that work? I may have got that completely wrong. The write-down 
mentions two further lookups. user@ and @domain.  It was at that point 
my eyes shattered from being glazed over ;-) .



  

>>> With 2.10 use socketmap, and with 2.9 or less the tcp table to
>>> implement smtpd_sender_login_maps.  Whichever you use, make it
>>> a persistent service not one process per lookup.
>>
>> Out of interest, have you any links showing working examples? I doubt it be
>> as simple as creating a file, postmapping it to a db file and adding
>> check_sasl_access hash:/etc/postfix/sasl_checks
>
> It's a damn simple protocol, you just need a persistent TCP listener.

I'll have to take your word there, but I like the sound of it being 
simple. I will have to have a go at creating one if I find out enough 
info to start.




> However upgrading to Postfix 2.11 which supports check_sasl_access
> is surely easier.

There's even less of a write-up on that so I can't comment. I would 
sooner add a list of valid senders to the sasl_username list. Seems more 
logical than the other way around. As far as Postfix 2.11 goes, I'm far 
too green to wander outside the realms of the regular Debian Wheezy 
distro, where postfix is currently 2.9.6 even though 2.11 is available via 
backport. I think? I will wait.



Thanks for your reply Viktor.


Mick.


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-09 Thread P.V.Anthony

Dear Mick and Viktor,

Thank you both very much for replying and helping out with the possible 
solutions.


I will try them out. Upgrading to 2.11 looks like the best 
choice. I am a little afraid to upgrade to 2.11 but after searching on 
the internet, it seems that it is alright. I am on CentOS 6 currently.


Once again thank you both for helping out.

--
P.V.Anthony






Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-09 Thread Viktor Dukhovni
On Mon, Mar 09, 2015 at 01:49:18PM +, Mick wrote:

> >I am not talking about concurrency, rather this still costs a Perl
> >invocation per lookup and Perl start-up time is considerable.
>
> Ah, I see. Thanks for clarifying the difference. I run a PERL script using
> spawn to block and group SMTP authenticated senders. Perhaps I should look
> into making that script run as a daemon to save PERL start up time. Haven't
> a clue how. I guess that's my free time for the next 3 months booked!

For policy services spawn is fine, because each smtpd(8) connects
once and makes many requests.  However, you need to NOT exit until
the connection is closed by the client (i.e. smtpd(8)).  Rather
you need to loop reading requests and writing responses until there
are no more requests.

There are examples of such policy services.

For "socketmap" each connection is typically also used for multiple
requests.  Again, don't just exit, loop handling requests until
the client disconnects.

> >That's why I am suggesting a TCP table driver, (or even better SQL).
>
> I find the postfix instruction manual a nightmare,

The only per-parameter documentation is a reference manual, not a
tutorial.  Reference manuals document available features and syntax.

> Out of interest to me, and perhaps P.V. who asked the question in the first
> place, how would you even start?  smtpd_sender_login_maps = exactly what?

A list of tables that map envelope sender addresses to lists of
SASL login names.  There are many supported table types.  These
are referenced from DATABASE_README which has links to per-type
documents.

With SQL tables you can make union queries that neatly solve the
problem at hand.  Something along the lines of:

SELECT sasl_login
FROM sender_to_login
WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no partial keys
UNION
SELECT sasl_login
FROM anysender_login


> Can you create a text file containing  ;
> 
> a...@domain.tld, f...@domain.tld, g...@domain.tld
> b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld

Well, for simple indexed files via postmap, no comma in the key
column. Just optional commas between the RHS elements.

> Will that work? I may have got that completely wrong. The write-down
> mentions two further lookups. user@ and @domain.  It was at that point my
> eyes shattered from being glazed over ;-) .

Well, the lookup key can be the full address or part of the address
as documented.

> >However upgrading to Postfix 2.11 which supports check_sasl_access
> >is surely easier.
>
> There's even less of a write-up on that so I can't comment. I would sooner
> add a list of valid senders to the sasl_username list. Seems more logical
> than the other way around. As far as Postfix 2.11 goes, I'm far too green to
> wander outside the realms of the regular Debian Wheezy distro where postfix
> is currently 2.9.6 despite 2.11 is available via backport. I think? I will
> wait.

My employer is running the 2.11 backport on wheezy just fine.  This
takes very little effort (I am not the one managing the MTA).

As for lookups by SASL user

smtpd_sender_restrictions =
check_sasl_access ,
reject_sender_login_mismatch,
...

Just use "OK" for the RHS of  for logins not constrained
to any particular sender address, then they are not contrained by
the mismatch check that follows.

If you've not yet read the Postfix book by Ralf and Patrick, do.

-- 
Viktor.
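
What a tcp_table(5) service for smtpd_sender_login_maps looks like, as an added example for this thread (not code from the thread and not part of Postfix), in Python: one persistent listener answers `get key` requests with the union Viktor's SQL describes, the logins that own the address plus the logins allowed to send from any address. The addresses, the table contents and the port 10041 are constructed for the example.

```python
#!/usr/bin/env python3
"""tcp_table(5) lookup service for smtpd_sender_login_maps (added example).

A persistent TCP listener, so no process is started per lookup.  The reply
for a sender address is the union of the logins owning that address and the
logins permitted to send from any address.
"""
import re
import socketserver

# Constructed sample data (hypothetical addresses, not from the thread).
SENDER_TO_LOGINS = {
    "ceo@example.com": {"ceo@example.com", "assistant@example.com"},
    "sales@example.com": {"alice@example.com", "bob@example.com"},
    "@example.org": {"alice@example.com"},   # Postfix also queries @domain keys
}
ANY_SENDER_LOGINS = {"postmaster@example.com"}


def tcp_decode(text):
    """Undo the %XX encoding tcp_table(5) applies to the request key."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 text.encode("ascii", "replace"))
    return raw.decode("utf-8", "replace")


def tcp_encode(text):
    """Apply %XX encoding to whitespace, '%' and non-printing bytes in a reply."""
    out = []
    for b in text.encode("utf-8"):
        out.append(chr(b) if 33 <= b <= 126 and b != 0x25 else "%%%02X" % b)
    return "".join(out)


def lookup(key, sender_map=SENDER_TO_LOGINS, any_sender=ANY_SENDER_LOGINS):
    """Return the sorted list of logins owning `key`, or None when nothing matches.

    Postfix sends the full address, user@ and @domain forms as separate
    requests, so each key is matched exactly here (the '%u@%d' idea in SQL).
    """
    logins = set(sender_map.get(key.lower(), ())) | set(any_sender)
    return sorted(logins) if logins else None


def handle_line(line, sender_map=SENDER_TO_LOGINS, any_sender=ANY_SENDER_LOGINS):
    """Answer one request line; returns the reply line without its newline."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb != "get" or not arg:
        return "400 unsupported request"          # temporary error; smtpd defers
    logins = lookup(tcp_decode(arg), sender_map, any_sender)
    if logins is None:
        return "500 no such key"                  # not found
    return "200 " + tcp_encode(",".join(logins))  # found: comma-separated logins


class TableHandler(socketserver.StreamRequestHandler):
    """Serve requests on one connection until Postfix closes it."""

    def handle(self):
        for raw in self.rfile:
            reply = handle_line(raw.decode("utf-8", "replace"))
            self.wfile.write((reply + "\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf:  smtpd_sender_login_maps = tcp:127.0.0.1:10041
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10041), TableHandler) as srv:
        srv.serve_forever()
```

With `smtpd_sender_login_maps = tcp:127.0.0.1:10041` in main.cf, Postfix itself does the membership test inside reject_authenticated_sender_login_mismatch: a login listed under ANY_SENDER_LOGINS is returned for every sender address and therefore never mismatches, which is the exception P.V. asked for. The same data model maps directly onto the sender_to_login and anysender_login tables of Viktor's UNION query once SQL is available.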


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-09 Thread Mick

Viktor Dukhovni wrote:

> For policy services spawn is fine, because each smtpd(8) connects
> once and makes many requests.  However, you need to NOT exit until
> the connection is closed by the client (i.e. smtpd(8)).  Rather
> you need to loop reading requests and writing responses until there
> are no more requests.

I suspected as much, but when I tried this previously ;

do{
  ... rest of  script 
} until (time==0)

I ended up overloading my VPS. On examination, I found Postfix opened a 
new policy instance each time, and each instance kept on running after 
Postfix had disconnected. I killed the processes manually and did away 
with the loop, adding the exit(0) clause. All seemed well after that. I'm 
not asking for advice here, but think the socket idea is the best route 
to explore next.





> The only per-parameter documentation is a reference manual, not a
> tutorial.  Reference manuals document available features and syntax.

Yeah well, that may be. I have picked up ideas from it, but then had to 
look elsewhere. If I want to do something, I tend to ignore any searches 
that point to postfix.org as mostly the data there is just not helpful 
to me.




  

>> Out of interest to me, and perhaps P.V. who asked the question in the first
>> place, how would you even start?  smtpd_sender_login_maps = exactly what?
>
> A list of tables that map envelope sender addresses to lists of
> SASL login names.  There are many supported table types.  These
> are referenced from DATABASE_README which has links to per-type
> documents.
>
> With SQL tables you can make union queries that neatly solve the
> problem at hand.  Something along the lines of:
>
> SELECT sasl_login
> FROM sender_to_login
> WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no partial keys
> UNION
> SELECT sasl_login
> FROM anysender_login

I get the basics of how MySQL works, though UNION and unlike are new to 
me. Perhaps -- denotes a comment? I understand how to read and write to 
them at least. What are %u, %d and %s? Global postfix variables for 
$sasl_user, $domain, $sender? You surely could not add ...

smtpd_sender_login_maps = 
   SELECT sasl_login
   FROM sender_to_login

... could you? Clear as mud, but thanks for trying to explain it.






>> Can you create a text file containing  ;
>>
>> a...@domain.tld, f...@domain.tld, g...@domain.tld
>> b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld
>
> Well, for simple indexed files via postmap, no comma in the key
> column. Just optional commas between the RHS elements.

RHS? Royal Horticultural Society ;-)



> My employer is running the 2.11 backport on wheezy just fine.  This
> takes very little effort (I am not the one managing the MTA).

I will wait for the distro. I'm not prepared to take the chance of it 
going pear shaped. It took me near on 3 months to get it running as I 
wanted it. Don't want to ever spend that much time banging my head 
against a brick wall again.

> As for lookups by SASL user
>
> smtpd_sender_restrictions =
> check_sasl_access ,
> reject_sender_login_mismatch,
> ...
>
> Just use "OK" for the RHS of  for logins not constrained
> to any particular sender address, then they are not contrained by
> the mismatch check that follows.
>
> If you've not yet read the Postfix book by Ralf and Patrick, do.

Thanks for your input. All questions asked in this message are 
rhetorical, so no reply expected. Without working commented examples I 
simply won't get it. I have downloaded "The Postfix Book". Thanks for 
that. A real bonus for sure. While a lot has probably changed or been 
added since 2005 I'm sure I will get a better idea of what is going 
on from there.


Thanks Viktor, and good luck P.V.

Mick.




Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-09 Thread Viktor Dukhovni
On Tue, Mar 10, 2015 at 02:33:08AM +, Mick wrote:

> >With SQL tables you can make union queries that neatly solve the
> >problem at hand.  Something along the lines of:
> >
> > SELECT sasl_login
> > FROM sender_to_login
> > WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no partial keys
> > UNION
> > SELECT sasl_login
> > FROM anysender_login
>
>
> I get the basics of how MySQL works, though UNION and unlike are new to me.
> Perhaps -- denotes a comment?

Yes -- denotes a comment.

> I understand how to read and write to them at
> least. What are %u, %d and %s?

You'd have to look at postfix.org documentation I'm afraid.
One of:

http://www.postfix.org/pgsql_table.5.html
http://www.postfix.org/mysql_table.5.html
http://www.postfix.org/ldap_table.5.html


> smtpd_sender_login_maps =SELECT sasl_login
>   FROM sender_to_login
>
> 
> ... could you? Clear as mud, but thanks for trying to explain it.

Again, postfix.org documentation:

main.cf:
smtpd_sender_login_maps = pgsql:/etc/postfix/sasl_sender.cf

sasl_sender.cf:
... database connection settings ...
query = SELECT ...

> >Well, for simple indexed files via postmap, no comma in the key
> >column. Just optional commas between the RHS elements.
>
> RHS? Royal Horticultural Society ;-)

How about right-hand-side.

> Don't want to ever spend that much time banging my head against a brick wall
> again.

It'll get easier, but not if you're unwilling to read the documentation.
First read the book, for the concepts, then the docs for the latest
up-to-date details.

> >If you've not yet read the Postfix book by Ralf and Patrick, do.
>
> Thanks for your input. All questions asked n this message are rhetorical, so
> no reply expected.  Without working commented examples I simply won't get it.

The book has those.  The official documentation contains short
examples, not complete system walk-throughs.  Enjoy the book.

-- 
Viktor.


Re: Exception for authenticated user when using reject_authenticated_sender_login_mismatch.

2015-03-10 Thread Mick

Hi Viktor,


Viktor Dukhovni wrote:

> On Tue, Mar 10, 2015 at 02:33:08AM +, Mick wrote:
>
> You'd have to look at postfix.org documentation I'm afraid.
> One of:
>
> http://www.postfix.org/mysql_table.5.html

That was generally enlightening.







>> RHS? Royal Horticultural Society ;-)
>
> How about right-hand-side.

Doh!


  

>> Don't want to ever spend that much time banging my head against a brick wall
>> again.
>
> It'll get easier, but not if you're unwilling to read the documentation.
> First read the book, for the concepts, then the docs for the latest
> up-to-date details.

I hope so. It is nice to have the book of postfix.



> The official documentation contains short
> examples, not complete system walk-throughs.  Enjoy the book.

I'm only on chapter 2, page 10 and so far, stopped to look at 
http://www.ntp.org seeing as my clock is 39 seconds slow! In for a 
penny, in for a pound. If I carry on enjoying the book (which I'm sure I 
will), I may purchase a hard copy, though not at the current 
Amazon.co.uk price.



Many thanks,

Mick.