Hi Matus,

Thank you for your e-mail. I thought I had searched for similar discussions beforehand but obviously I had not done a very thorough job. Yes, exactly the same observations.

"check_sender_access texthash:/etc/postfix/restricted_senders" might be a suitable workaround for you too (or inline, or, if you are happy to compile the file using postmap for better performance in use, use hash instead of texthash) with:

example.com REJECT
myotherexample.com REJECT

..and apply that only to your Port 25 (in master.cf via the -o syntax e.g. "-o smtpd_sender_restrictions=$mta_sender_restrictions"). Effectively banning MAIL FROM from those domains via that port only.

I was just looking for something more standard without hardcoding domains, and thought the "SASL is enabled" criterion is missing that SASL could be enabled just on another port (I suspect the designed behaviour was for where someone accidentally turned off SASL but forgot to change the policies and thus would lock out any new mail).

As this was discussed before by you, it sounds like the limitations are already known and I have not discovered anything particularly new or clever.

Kind Regards,
Matthew

On 22/06/2025 12:57, Matus UHLAR - fantomas via Postfix-users wrote:
> On 22.06.25 12:44, Matthew via Postfix-users wrote:
>> I'm a new user and during my testing I noticed some potentially unintended behaviour with "reject_sender_login_mismatch" when SASL is disabled on a master.cf port that leads to the ability to MAIL FROM spoof senders on my domain to recipients within my domain.
>
> I've had the same problem 3 years ago, perhaps you can study the thread where we were discussing this:
>
> https://marc.info/?t=165168138100003&r=1&w=2
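An audit of the setup discussed in this thread, added here as an example (it is not code from the thread or from Postfix): it lists the smtpd services in master.cf that run without SASL and have no check_sender_access in their effective smtpd_sender_restrictions, which is the case where the thread reports that reject_sender_login_mismatch does not stop MAIL FROM spoofing. The sample master.cf, the main.cf dictionaries and the function names are constructed; only simple "-o name=value" overrides are handled, and the check does not verify which domains the access table actually lists.

```python
import re

# Constructed sample, not from the thread: port 25 without SASL, submission with SASL.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=$mta_sender_restrictions
submission inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
"""
# Constructed main.cf values: first without, then with the workaround from the thread.
MAIN_CF_WEAK = {"mta_sender_restrictions": "reject_sender_login_mismatch"}
MAIN_CF_FIXED = {"mta_sender_restrictions": "check_sender_access texthash:/etc/postfix/restricted_senders"}

def parse_master(text):
    """Return {service: {param: value}} for smtpd entries (simple -o name=value only)."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of the previous entry
        else:
            logical.append(line.strip())
    services = {}
    for fields in (entry.split() for entry in logical):
        if len(fields) >= 8 and fields[7] == "smtpd":
            args = fields[8:]
            services[fields[0]] = dict(args[i + 1].split("=", 1) for i, a in enumerate(args[:-1])
                                       if a == "-o" and "=" in args[i + 1])
    return services

def expand(value, main_cf):
    """Resolve $name / ${name} references against main.cf, a few levels deep."""
    for _ in range(5):
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: main_cf.get(m.group(1), ""), value)
    return value

def unguarded_services(master_text, main_cf):
    """smtpd services with SASL off and no check_sender_access in sender restrictions."""
    flagged = []
    for name, overrides in parse_master(master_text).items():
        eff = {**main_cf, **overrides}          # a master.cf -o override wins over main.cf
        sasl = expand(eff.get("smtpd_sasl_auth_enable", "no"), main_cf)
        restrictions = expand(eff.get("smtpd_sender_restrictions", ""), main_cf)
        if sasl != "yes" and "check_sender_access" not in restrictions:
            flagged.append(name)
    return flagged
```

Calling unguarded_services(SAMPLE_MASTER_CF, MAIN_CF_WEAK) flags the port 25 service, while the same master.cf with MAIN_CF_FIXED flags nothing.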