DJ Lucas wrote:
>> Return-Path: <[EMAIL PROTECTED]>
>> X-Original-To: [EMAIL PROTECTED]
>> Delivered-To: [EMAIL PROTECTED]
>> ...
>> Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1])
>>     by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376
>>     for <[EMAIL PROTECTED]>; Fri, 28 Jul 2006 04:10:09 +0100 (BST)
>> From: RoMaNSoFt <[EMAIL PROTECTED]>
>>
>
> Maybe I'm incorrect, but I believe there was a subtle misunderstanding
> in the above conversation. The From: header is not the same as MAIL
> FROM: command in smtp transaction. MAIL FROM for this message was
> [EMAIL PROTECTED] Feel free to find that message in your logs and

Thank you for the correction, you are right: my example is wrong, but that doesn't change the fact we were discussing, since Noel and I were always referring to the "mail from" (i.e. the sender). If some silly ticket system spoofs the "From" header, there is a good chance that it spoofs the "mail from" too...

> verify. Anyway, the Postfix directive you are looking for is
> "reject_unauthenticated_sender_login_mismatch".
> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch

Yes, I think that's the directive I was looking for.

> That said, cheap web scripts often do use the recipient's address in the
> transaction. Latest complaint I had was from some star rewards thing
> for frequent visits to a restaurant (for which I promptly replied:
> "choose a different restaurant" ;-) ).
>
> Take the following two manual transactions as an example with the smtpd
> sender restriction above (only slightly altered to avoid giving away
> unnecessary info and posting a real address in plain text on the internet):
>
> [EMAIL PROTECTED] ~]# telnet mail.lucasit.com 25
> Trying 192.168.xxx.xxx...
> Connected to mail.lucasit.com.
> Escape character is '^]'.
> 220 postal.lucasit.com ESMTP Postfix
> ehlo somehost.lucasit.com
> 250-postal.lucasit.com
> 250-PIPELINING

Isn't it a good idea to disable pipelining? (Many people recommend it to reduce spam.)

> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: [EMAIL PROTECTED]
> 250 2.1.0 Ok
> RCPT TO: [EMAIL PROTECTED]
> 553 5.7.1 <[EMAIL PROTECTED]>: Sender address rejected: not logged in

Nice. That's what I'd like to set up. Nevertheless, I tried to reproduce it in a test system, with no luck :-(. It should be trivial, but I cannot find the error. Could you help me?

My setup is quite simple (using virtual domains and Amavis to "mark" virus/spam messages):

hsnew:/etc/postfix# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
delay_warning_time = 4
disable_vrfy_command = yes
mail_name = mxhs
mailbox_command = procmail -a "$EXTENSION"
message_size_limit = 28311552
mydestination = $myhostname localhost localhost.$mydomain
myhostname = hsnew.rs-labs.es
mynetworks = 127.0.0.2, 127.0.0.3
myorigin = $myhostname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauthenticated_sender_login_mismatch, check_recipient_access hash:/etc/postfix/recipient_access_non_trusted, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/listas
virtual_alias_maps = hash:/etc/postfix/valias
virtual_mailbox_domains = hash:/etc/postfix/vdomain
virtual_mailbox_maps = hash:/etc/postfix/vuser
virtual_transport = lmtp:unix:/private/cyrus
hsnew:/etc/postfix# cat vuser
[EMAIL PROTECTED] whatever
hsnew:/etc/postfix# cat vdomain
rs-labs.es whatever
hsnew:/etc/postfix#

From another host ("not trusted"), I'm sending a very simple mail:

[EMAIL PROTECTED]:/tmp# cat mail
helo k
mail from:[EMAIL PROTECTED]
rcpt to:[EMAIL PROTECTED]
data
subject: prueba
.
quit
[EMAIL PROTECTED]:/tmp# nc hsnew.rs-labs.es 25 <mail
220 hsnew.rs-labs.es ESMTP Sendmail 8.14.2/8.14.1
250 hsnew.rs-labs.es
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 3A4F6982AA
221 2.0.0 Bye
[EMAIL PROTECTED]:/tmp#

My receiving MTA logs the following:

Dec 2 16:34:12 hsnew postfix/smtpd[3697]: connect from 207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:12 hsnew postfix/smtpd[3697]: 3A4F6982AA: client=207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:12 hsnew postfix/cleanup[3702]: 3A4F6982AA: message-id=<[EMAIL PROTECTED]>
Dec 2 16:34:12 hsnew postfix/qmgr[3666]: 3A4F6982AA: from=<[EMAIL PROTECTED]>, size=362, nrcpt=1 (queue active)
Dec 2 16:34:12 hsnew postfix/smtpd[3697]: disconnect from 207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:15 hsnew postfix/smtpd[3706]: connect from localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/smtpd[3706]: EAF0A982BB: client=localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/cleanup[3702]: EAF0A982BB: message-id=<[EMAIL PROTECTED]>
Dec 2 16:34:16 hsnew postfix/smtpd[3706]: disconnect from localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: from=<[EMAIL PROTECTED]>, size=805, nrcpt=1 (queue active)
Dec 2 16:34:16 hsnew cyrus/master[3708]: about to exec /usr/lib/cyrus/bin/lmtpd
Dec 2 16:34:16 hsnew amavis[3311]: (03311-01) Passed BAD-HEADER, [207.150.162.19] [207.150.162.19] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: NHfrTekZSsR4, Hits: 4.594, queued_as: EAF0A982BB, 3522 ms
Dec 2 16:34:16 hsnew postfix/lmtp[3703]: 3A4F6982AA: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, delays=0.08/0.03/0.76/3.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=03311-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EAF0A982BB)
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: 3A4F6982AA: removed
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: executed
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: accepted connection
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: lmtp connection preauth'd as postman
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <[EMAIL PROTECTED]> rs-labs.es!user.roman 0
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <[EMAIL PROTECTED]> rs-labs.es!user.roman 0
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484444
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484444
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <[EMAIL PROTECTED]> rs-labs.es!user.roman 1228232056 134537227
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: Delivered: <[EMAIL PROTECTED]> to mailbox: rs-labs.es!user.roman
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484445
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484445
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <[EMAIL PROTECTED]> [EMAIL PROTECTED] 1228232056 0
Dec 2 16:34:16 hsnew postfix/lmtp[3707]: EAF0A982BB: to=<[EMAIL PROTECTED]>, relay=hsnew.rs-labs.es[/private/cyrus], delay=0.41, delays=0.12/0.01/0.14/0.13, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: removed

Why is the mail not being rejected due to reject_unauthenticated_sender_login_mismatch? I must have a silly bug but I couldn't find it... :-(

TIA.

-Román
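
Added example, not part of the original message and not Postfix code: a simplified Python model of the smtpd_recipient_restrictions list posted above, showing that reject_unauthenticated_sender_login_mismatch only acts on MAIL FROM addresses that have an owner in smtpd_sender_login_maps, a parameter absent from the postconf -n output. The address user@example.com, the map contents and the omission of check_recipient_access (its table is not shown in the post) are assumptions.

```python
# Simplified model (added example) of Postfix smtpd_recipient_restrictions:
# checks run in order, the first OK or REJECT wins, DUNNO falls through.
# Addresses and map contents below are constructed placeholders.

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def login_mismatch(s, cfg):
    if s["sasl_user"] is not None:
        return "DUNNO"  # the "unauthenticated" variant skips logged-in clients
    if s["sender"].lower() not in cfg["smtpd_sender_login_maps"]:
        return "DUNNO"  # no owner listed for MAIL FROM: nothing to enforce
    return "REJECT not logged in"

CHECKS = {
    "reject_non_fqdn_recipient": lambda s, c:
        "DUNNO" if "." in domain(s["rcpt"]) else "REJECT non-FQDN recipient",
    "permit_mynetworks": lambda s, c:
        "OK" if s["client_ip"] in c["mynetworks"] else "DUNNO",
    "permit_sasl_authenticated": lambda s, c:
        "OK" if s["sasl_user"] else "DUNNO",
    "reject_unauthenticated_sender_login_mismatch": login_mismatch,
    "reject_unauth_destination": lambda s, c:
        "DUNNO" if domain(s["rcpt"]) in c["local_domains"] else "REJECT relay denied",
}

def evaluate(restrictions, session, cfg):
    """Return (deciding_check, verdict) for one RCPT TO command."""
    for name in restrictions:
        verdict = CHECKS[name](session, cfg)
        if verdict != "DUNNO":
            return name, verdict
    return "end of list", "OK"  # nothing objected: recipient is accepted

# Order taken from the posted postconf -n output (check_recipient_access omitted).
RESTRICTIONS = ["reject_non_fqdn_recipient", "permit_mynetworks",
                "permit_sasl_authenticated",
                "reject_unauthenticated_sender_login_mismatch",
                "reject_unauth_destination"]
# Unauthenticated client from the log, sending as a local address (constructed).
SESSION = {"client_ip": "207.150.162.19", "sasl_user": None,
           "sender": "user@example.com", "rcpt": "user@example.com"}
AS_POSTED = {"mynetworks": {"127.0.0.2", "127.0.0.3"},
             "local_domains": {"example.com"},
             "smtpd_sender_login_maps": {}}  # parameter not set in the post
WITH_MAP = dict(AS_POSTED,
                smtpd_sender_login_maps={"user@example.com": "user"})

if __name__ == "__main__":
    print("as posted:", evaluate(RESTRICTIONS, SESSION, AS_POSTED))
    print("with map: ", evaluate(RESTRICTIONS, SESSION, WITH_MAP))
```

With the map populated, the same unauthenticated session is rejected at the mismatch check, while a client that logs in is accepted earlier by permit_sasl_authenticated.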