question on permit_sasl_authenticated and check_sender_access

Tue, 05 May 2009 00:58:41 -0700 

Hi all,

One of the restrictions I perform is the following one: I requires
that mail from outside do not use our domain in their envelope sender.
I performs this check by  inserting in main.cf a "check_sender_access
hash:/etc/postfix/not_our_domains_as_sender" line with the map
containing our domains.

What seems to happen is that some providers transparently send emails
through their own smtp server instead of allowing our users to use the
configured smtp server. The check_sender_access check is after
permit_sasl_authenticated with the idea  that the request would be
permittted when the client is successfully authenticated, thinking
that it would do the trick (afterall, the user submits a username and
a password which are corrects) but still the email is blocked by the
check_sender_access control.

>From the postfix log:
May  5 00:42:09 whale postfix/smtpd[2600]: NOQUEUE: reject: RCPT from
ev-217-129-81-154.netvisao.pt[217.129.81.154]: 554 <j.p
ino...@itcilo.org>: Sender address rejected: Do not use our domain in
your envelope sender; from=<j.pino...@itcilo.org> to=<n
.cas...@itcilo.org> proto=ESMTP helo=<JosPinotesPC>

Here are the relevant lines from  the postfix configuration:

whale:/etc/postfix # postconf -n | grep smtpd
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,   reject_unknown_recipient_domain,        
check_client_access
hash:/etc/postfix/internal_server_ips   permit_mynetworks,      
permit_sasl_authenticated,
       reject_unauth_destination,       check_client_access
hash:/etc/postfix/helo_whitelist        check_sender_access
hash:/etc/postfix/not_our_domains_as_sender
reject_non_fqdn_hostname,
reject_invalid_hostname,        reject_unlisted_recipient,
check_helo_access hash:/etc/postfix/helo_access,        check_policy_service
inet:127.0.0.1:2501     permit
smtpd_restriction_classes = must_be_valid_sender
smtpd_sasl_auth_enable = yes

It's not clear what I should/could do to solve this problem. Any
advice would be appreciated.

Regards,

Gaël

Reply via email to