On Tue, Dec 23, 2008 at 05:51:17PM +0100, Durk Strooisma wrote:

> Hi all,
>
> Just wondering whether somebody's having a setup where authentication is
> required for relay access with an extra authorization check. Summarizing:
>
> 1. User wants to send a mail to postfix which needs to be relayed
> 2. So, user identifies him/herself to postfix and authenticates
> 3. After that, postfix looks up the ID (used in step 2) in a list
>    of authorized users and if found, finally gives access.
>
> For authentication I've successfully implemented GSSAPI (for SSO) and as
> fallback Kerberos via saslauthd. Even multi-realm authentication works.
>
> For authorization I'm looking for something that does an LDAP lookup. Till
> now, I couldn't find a way to implement this. Which doesn't mean it's
> impossible...
There are at this time no built-in access controls based directly on the
SASL user name. You have the following options:

- Restrict one or more sender addresses to specific authenticated users
  via smtpd_sender_login_maps + reject_sender_login_mismatch, and *then*
  apply access controls on the sender address (check_sender_access
  with keys that have associated logins).

- Deploy a policy service that makes authorization decisions based on
  the authenticated user.

-- 
	Viktor.
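
The second option in the reply above, sketched as an added example (not part of the original thread and not Postfix's own code): a small policy delegation server that decides on the sasl_username attribute of each request. The allow-list, the lookup() helper standing in for the LDAP query, and the assumption that the check_policy_service entry is listed before permit_sasl_authenticated are all hypothetical.

```python
import sys

# Constructed allow-list standing in for the LDAP lookup (hypothetical names).
AUTHORIZED = {"alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"}

def lookup(user):
    """Hypothetical authorization lookup; replace with an LDAP query."""
    return user in AUTHORIZED

def parse_request(lines):
    """Read the name=value lines of one request, stopping at the empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, is_authorized=lookup):
    """Return an access(5) action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    if not user:
        return "DUNNO"  # not authenticated: leave it to later restrictions
    try:
        allowed = is_authorized(user)
    except Exception:
        # Lookup backend down: temporary failure, never an implicit permit.
        return "DEFER authorization lookup unavailable"
    if allowed:
        return "DUNNO"  # a later permit_sasl_authenticated grants relay
    return "REJECT 5.7.1 relay access not authorized for this login"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    while True:
        attrs = parse_request(stdin)
        if not attrs:
            break
        stdout.write("action=%s\n\n" % decide(attrs))
        stdout.flush()

if __name__ == "__main__":
    serve()
```

Because the service only ever answers DUNNO, DEFER or REJECT, it can narrow relay access for authenticated logins but never widens it on its own.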