> Patrick wrote:
>> I have Postfix set up using virtual domains with sasl enabled such that to
>> send an e-mail they need to login with "usern...@domain.com".
>>
>> As it is, however, when a user logs in to the smtpd, they can thereafter
>> treat my mail server as an open relay & forge their "Mail From" address to
>> come from anything, even another user on the mail server.
>>
>> Is it possible to have postfix reject any "Mail From" address which is
>> different than the one they used to log in with?
>
> If you can create a map of which sender address(es) a given SASL login
> may use, you can enforce the above with the following sender restrictions:
>
> - reject_sender_login_mismatch
> - reject_authenticated_sender_login_mismatch
> - reject_unauthenticated_sender_login_mismatch
>
Thanks for your guidance! Got it working:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_authenticated_sender_login_mismatch
        permit_sasl_authenticated
        reject_unauth_destination
        (etc)
    smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf

/etc/postfix/mysql_sender_login_maps.cf:
    user = <mysqluser>
    password = <mysqlpass>
    hosts = 127.0.0.1
    dbname = postfix
    table = mailbox
    select_field = username
    where_field = username

which just pulls the username from the database & checks it against the username. Kinda redundant right? But it does the job ok!

For anyone looking through the mailing list archives, this is a solution that will work with postfixadmin...

Again, thanks for your help
Darren
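
Added example (not part of the original thread, and not Postfix code): a simplified Python model of why the username-to-username map above is enough to stop an authenticated user from forging the sender. Assumptions: an in-memory SQLite table with constructed addresses stands in for the MySQL mailbox table, only the full address is looked up, and the function names are hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for the PostfixAdmin "mailbox" table (sample rows only).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY)")
db.executemany("INSERT INTO mailbox VALUES (?)",
               [("alice@example.com",), ("bob@example.com",)])


def sender_login_owners(mail_from):
    """Model of the map lookup: the key is the MAIL FROM address, the result
    is the SASL login(s) owning it (select_field = where_field = username)."""
    row = db.execute("SELECT username FROM mailbox WHERE username = ?",
                     (mail_from,)).fetchone()
    if row is None:
        return []  # "not found": no login owns this address
    # A map result may name several logins, separated by commas or whitespace.
    return [name for name in re.split(r"[,\s]+", row[0]) if name]


def check_authenticated_sender(sasl_login, mail_from):
    """Simplified reject_authenticated_sender_login_mismatch decision for a
    client that has already authenticated as sasl_login."""
    if sasl_login in sender_login_owners(mail_from):
        return "DUNNO"   # no mismatch; the remaining restrictions decide
    return "REJECT"      # the login does not own the MAIL FROM address


def demo():
    login = "alice@example.com"
    return {
        sender: check_authenticated_sender(login, sender)
        for sender in ("alice@example.com",   # the login's own address
                       "bob@example.com",     # another user on the server
                       "ceo@example.org")     # address not in the table
    }


if __name__ == "__main__":
    for sender, verdict in demo().items():
        print(f"{sender:20} -> {verdict}")
```

Because each address maps only to itself, every mailbox can send only as its own login name; a user who should also send from a second address would need a map that returns that login for the extra address.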