Roman Medina-Heigl Hernandez escribió: > DJ Lucas escribió: >>> Return-Path: <[EMAIL PROTECTED]> >>> X-Original-To: [EMAIL PROTECTED] >>> Delivered-To: [EMAIL PROTECTED] >>> ... >>> Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1]) >>> by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376 >>> for <[EMAIL PROTECTED]>; Fri, 28 Jul 2006 04:10:09 +0100 (BST) >>> From: RoMaNSoFt <[EMAIL PROTECTED]> >>> >> Maybe I'm incorrect, but I believe there was a subtle misunderstanding >> in the above conversation. The From: header is not the same as MAIL >> FROM: command in smtp transaction. MAIL FROM for this message was >> [EMAIL PROTECTED] Feel fee to find that message in your logs and > > Thank you for the correction, you are right: my example is wrong but that > doesn't change the fact we were discussing since Noel and I were always > referring to the "mail from" (i.e. the sender). If some silly ticket system > spoofs the "From" header, there is a good chance that it spoofs the "mail > from" too... > >> verify. Anyway, the Postfix directive you are looking for is >> "reject_unauthenticated_sender_login_mismatch". >> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch > > Yes, I think that's the directive I was looking for. > >> That said, cheap web scripts often do use the recipient's address in the >> transaction. Latest complaint I had was from some star rewards thing >> for frequent visits to a restaurant (for which I promptly replied: >> "choose a different restaurant" ;-) ). >> >> Take the following two manual transactions as an example with the smtpd >> sender restriction above (only slightly altered to avoid giving away >> unnecessary info and posting a real address in plain text on the internet): >> >> [EMAIL PROTECTED] ~]# telnet mail.lucasit.com 25 >> Trying 192.168.xxx.xxx... >> Connected to mail.lucasit.com. >> Escape character is '^]'. >> 220 postal.lucasit.com ESMTP Postfix >> ehlo somehost.lucasit.com >> 250-postal.lucasit.com >> 250-PIPELINING > > Isn't a good idea to disable pipelining? (many people recommends it to > reduce spam). > >> 250-SIZE 10240000 >> 250-VRFY >> 250-ETRN >> 250-STARTTLS >> 250-ENHANCEDSTATUSCODES >> 250-8BITMIME >> 250 DSN >> MAIL FROM: [EMAIL PROTECTED] >> 250 2.1.0 Ok >> RCPT TO: [EMAIL PROTECTED] >> 553 5.7.1 <[EMAIL PROTECTED]>: Sender address rejected: not logged in > > Nice. That's what I'd like to set-up. Nevertheless, I tried to reproduce in > a test system, with no luck :-(. It should be trivial, but I cannot find > the error. Could you help me? > > My setup is quite simple (using virtual domains and Amavis to "mark" > virus/spam messages): > > hsnew:/etc/postfix# postconf -n > alias_maps = hash:/etc/aliases > append_dot_mydomain = no > biff = no > broken_sasl_auth_clients = yes > command_directory = /usr/sbin > config_directory = /etc/postfix > content_filter = amavisfeed:[127.0.0.1]:10024 > daemon_directory = /usr/lib/postfix > delay_warning_time = 4 > disable_vrfy_command = yes > mail_name = mxhs > mailbox_command = procmail -a "$EXTENSION" > message_size_limit = 28311552 > mydestination = $myhostname localhost localhost.$mydomain > myhostname = hsnew.rs-labs.es > mynetworks = 127.0.0.2, 127.0.0.3 > myorigin = $myhostname > recipient_delimiter = + > relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup > relocated_maps = hash:/etc/postfix/relocated > show_user_unknown_table_name = no > smtp_sasl_auth_enable = yes > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd > smtp_sasl_security_options = noplaintext > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache > smtpd_recipient_restrictions = reject_non_fqdn_recipient, > permit_mynetworks, permit_sasl_authenticated, > reject_unauthenticated_sender_login_mismatch, check_recipient_access > hash:/etc/postfix/recipient_access_non_trusted, reject_unauth_destination > smtpd_sasl_auth_enable = yes > smtpd_sasl_path = smtpd > smtpd_sasl_security_options = noanonymous > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache > smtpd_use_tls = yes > transport_maps = hash:/etc/postfix/listas > virtual_alias_maps = hash:/etc/postfix/valias > virtual_mailbox_domains = hash:/etc/postfix/vdomain > virtual_mailbox_maps = hash:/etc/postfix/vuser > virtual_transport = lmtp:unix:/private/cyrus > hsnew:/etc/postfix# cat vuser > [EMAIL PROTECTED] whatever > hsnew:/etc/postfix# cat vdomain > rs-labs.es whatever > hsnew:/etc/postfix# > > > From another host ("not trusted"), I'm sending a very simple mail: > [EMAIL PROTECTED]:/tmp# cat mail > helo k > mail from:[EMAIL PROTECTED] > rcpt to:[EMAIL PROTECTED] > data > subject: prueba > . > quit > [EMAIL PROTECTED]:/tmp# nc hsnew.rs-labs.es 25 <mail > 220 hsnew.rs-labs.es ESMTP Sendmail 8.14.2/8.14.1 > 250 hsnew.rs-labs.es > 250 2.1.0 Ok > 250 2.1.5 Ok > 354 End data with <CR><LF>.<CR><LF> > 250 2.0.0 Ok: queued as 3A4F6982AA > 221 2.0.0 Bye > [EMAIL PROTECTED]:/tmp# > > > My receiving MTA logs the following: > > Dec 2 16:34:12 hsnew postfix/smtpd[3697]: connect from > 207-150-162-19.static.sagonet.net[207.150.162.19] > Dec 2 16:34:12 hsnew postfix/smtpd[3697]: 3A4F6982AA: > client=207-150-162-19.static.sagonet.net[207.150.162.19] > Dec 2 16:34:12 hsnew postfix/cleanup[3702]: 3A4F6982AA: > message-id=<[EMAIL PROTECTED]> > Dec 2 16:34:12 hsnew postfix/qmgr[3666]: 3A4F6982AA: > from=<[EMAIL PROTECTED]>, size=362, nrcpt=1 (queue active) > Dec 2 16:34:12 hsnew postfix/smtpd[3697]: disconnect from > 207-150-162-19.static.sagonet.net[207.150.162.19] > Dec 2 16:34:15 hsnew postfix/smtpd[3706]: connect from localhost[127.0.0.1] > Dec 2 16:34:16 hsnew postfix/smtpd[3706]: EAF0A982BB: > client=localhost[127.0.0.1] > Dec 2 16:34:16 hsnew postfix/cleanup[3702]: EAF0A982BB: > message-id=<[EMAIL PROTECTED]> > Dec 2 16:34:16 hsnew postfix/smtpd[3706]: disconnect from > localhost[127.0.0.1] > Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: > from=<[EMAIL PROTECTED]>, size=805, nrcpt=1 (queue active) > Dec 2 16:34:16 hsnew cyrus/master[3708]: about to exec > /usr/lib/cyrus/bin/lmtpd > Dec 2 16:34:16 hsnew amavis[3311]: (03311-01) Passed BAD-HEADER, > [207.150.162.19] [207.150.162.19] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, > Message-ID: <[EMAIL PROTECTED]>, mail_id: > NHfrTekZSsR4, Hits: 4.594, queued_as: EAF0A982BB, 3522 ms > Dec 2 16:34:16 hsnew postfix/lmtp[3703]: 3A4F6982AA: > to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, > delays=0.08/0.03/0.76/3.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, > id=03311-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EAF0A982BB) > Dec 2 16:34:16 hsnew postfix/qmgr[3666]: 3A4F6982AA: removed > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: executed > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: accepted connection > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: lmtp connection preauth'd as > postman > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: > <[EMAIL PROTECTED]> rs-labs.es!user.roman 0 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: > <[EMAIL PROTECTED]> rs-labs.es!user.roman 0 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484444 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484444 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: > <[EMAIL PROTECTED]> rs-labs.es!user.roman > 1228232056 134537227 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: Delivered: > <[EMAIL PROTECTED]> to mailbox: rs-labs.es!user.roman > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484445 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484445 > Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: > <[EMAIL PROTECTED]> [EMAIL PROTECTED] > 1228232056 0 > Dec 2 16:34:16 hsnew postfix/lmtp[3707]: EAF0A982BB: > to=<[EMAIL PROTECTED]>, relay=hsnew.rs-labs.es[/private/cyrus], delay=0.41, > delays=0.12/0.01/0.14/0.13, dsn=2.1.5, status=sent (250 2.1.5 Ok) > Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: removed > > Why is the mail not being rejected due to > reject_unauthenticated_sender_login_mismatch? I must have a silly bug but I > couldn't find it... :-(
I got to solve it by: smtpd_sender_login_maps = $virtual_mailbox_maps But it seems tricky, since you have to explicitly define a login map... I think (please, correct me if I'm wrong) the point is: "if you don't define $smtpd_sender_login_maps, Postfix doesn't know where a "login mismatch" could exist. Yes, it's true but: - wouldn't it be clever to assume SASL login should be equal to the sender, if not explicitly defined otherwise? (so no login map is necessary, except when login users are different from sender). - SASL works ok without defining $smtpd_sender_login_maps so you can perfectly differentiate "authenticated_sender" vs "unauthenticated_sender", without having any map? Why is it necessary to define $smtpd_sender_login_maps? It's confussing... Finally, if you have to define $smtpd_sender_login_maps, it would be equivalent to use my former propposed method, with check_sender_access (see my first post on this thread and the second one by Noel), in the sense that you have to create an extra db file, and even worse than my first solution, since first one seems more restrictive (it could reject [EMAIL PROTECTED] -> [EMAIL PROTECTED], while second one only can reject [EMAIL PROTECTED] -> [EMAIL PROTECTED], because only valid users are included in $virtual_mailbox_maps). I'd like hearing from you... Cheers, -Román
