Andrea Gozzi wrote:
On Thu, 2008-09-11 at 09:00 +0200, Andrea Gozzi wrote:
The REDIRECT check can easily be bypassed by changing the MAIL FROM: ,
so I configured the webmail to allow mail originating from the real
address only.
Unfortunately, someone might still try to connect directly to postfix
and fake the envelope..
After some research, I thought I would be happier with
reject_authenticated_sender_login_mismatch
Unfortunately some users relay through my postfix server and I can't add
every one of their other addresses to smtpd_sender_login_maps .
you need to reread the documentation about
reject_*_sender_login_mismatch carefully. if you still don't see the
light, read again. Hint: if it's not in, it's not restricted.
Is there any way to whitelist a user in the table or (even better)
perform the check for a certain domain only?
see above.
If more flexibility is needed, you can use check_sender_access to call
the reject_mumble_mismatch checks.
Example:
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_login_acl
== sender_login_acl
# must auth and match
[EMAIL PROTECTED] reject_sender_login_mismatch
# must auth
[EMAIL PROTECTED] reject_unauthenticated_sender_login_mismatch
# if auth, must match
[EMAIL PROTECTED] reject_authenticated_sender_login_mismatch
# skip this one
[EMAIL PROTECTED] DUNNO
# all other addresses in this domain ...
example.org reject_authenticated_sender_login_mismatch
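
Added example (not part of the original thread, and not Postfix code): a small Python model of how a table like sender_login_acl above picks a mismatch check per sender, following the postconf(5) descriptions of the three restrictions. The addresses, logins and map contents are constructed, and the lookup order is simplified to "full address, then domain".

```python
# Constructed sample data; none of these addresses or logins come from the thread.
LOGIN_MAPS = {                      # models smtpd_sender_login_maps: sender -> owners
    "alice@example.org": {"alice"},
    "bob@example.org": {"bob"},
}
ACL = {                             # models sender_login_acl: lookup key -> action
    "alice@example.org": "reject_sender_login_mismatch",
    "bob@example.org": "reject_unauthenticated_sender_login_mismatch",
    "relay@example.org": "DUNNO",
    "example.org": "reject_authenticated_sender_login_mismatch",
}

def unauth_mismatch(sender, login):
    """Client is not logged in, but the sender address has an owner."""
    return login is None and sender in LOGIN_MAPS

def auth_mismatch(sender, login):
    """Client is logged in, but the login does not own the sender address."""
    return login is not None and login not in LOGIN_MAPS.get(sender, set())

CHECKS = {
    "reject_unauthenticated_sender_login_mismatch": unauth_mismatch,
    "reject_authenticated_sender_login_mismatch": auth_mismatch,
    "reject_sender_login_mismatch":
        lambda s, l: unauth_mismatch(s, l) or auth_mismatch(s, l),
}

def decide(sender, login=None):
    """Return 'REJECT' or 'DUNNO' for a MAIL FROM address and a SASL login
    (login=None means the client did not authenticate)."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    # Simplified access(5) lookup: the full address wins over the domain entry.
    action = ACL.get(sender) or ACL.get(domain)
    if action is None or action == "DUNNO":
        return "DUNNO"              # no opinion; later restrictions decide
    return "REJECT" if CHECKS[action](sender, login) else "DUNNO"
```

In this model an authenticated client using an address in example.org that has no entry in the login map (for instance decide("carol@example.org", "alice")) is rejected by the domain-wide rule, while the same address from an unauthenticated client gets DUNNO.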