* Stephan A. Rickauer <stephan.ricka...@startek.ch>:
> Hi,
>
> I'd like to protect some internal accounts as described at
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> Currently, I have the following setup:
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining
>     permit_inet_interfaces
>     permit_sasl_authenticated
>     reject_non_fqdn_hostname
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unauth_destination
>     reject_invalid_hostname
>     check_recipient_access
>         hash:/usr/local/etc/postfix/protected_destinations
>
> smtpd_restriction_classes = auth_only
> auth_only =
>     permit_sasl_authenticated
>     reject
>
> where protected domain says:
> m...@mail.com auth_only
>
> Now the question: In the current setup, all SASL auth'ed users can send
> mail to my protected destinations. Now I want to add a layer, so that
> SASL auth'ed users must also send from a certain domain only.
>
> Or even better: SASL usernames must contain a certain domain.
Take a look at these options documented in postconf(5):

smtpd_sender_login_maps (default: empty)
       Optional lookup table with the SASL login names that own sender
       (MAIL FROM) addresses.

       Specify zero or more "type:table" lookup tables. With lookups from
       indexed files such as DB or DBM, or from networked tables such as
       NIS, LDAP or SQL, the following search operations are done with a
       sender address of u...@domain:

       1) u...@domain
              This table lookup is always done and has the highest
              precedence.

       2) user
              This table lookup is done only when the domain part of the
              sender address matches $myorigin, $mydestination,
              $inet_interfaces or $proxy_interfaces.

       3) @domain
              This table lookup is done last and has the lowest
              precedence.

       In all cases the result of table lookup must be either "not found"
       or a list of SASL login names separated by comma and/or whitespace.

...

reject_authenticated_sender_login_mismatch
       Enforces the reject_sender_login_mismatch restriction for
       authenticated clients only. This feature is available in Postfix
       version 2.1 and later.

...

reject_sender_login_mismatch
       Reject the request when $smtpd_sender_login_maps specifies an
       owner for the MAIL FROM address, but the client is not (SASL)
       logged in as that MAIL FROM address owner; or when the client is
       (SASL) logged in, but the client login name doesn't own the MAIL
       FROM address according to $smtpd_sender_login_maps.

reject_unauthenticated_sender_login_mismatch
       Enforces the reject_sender_login_mismatch restriction for
       unauthenticated clients only. This feature is available in
       Postfix version 2.1 and later.

> I've now played for hours without any luck. Any pointers in the right
> direction are really welcomed. Whenever I add another restriction class,
> it seems the first rule wins...
>
> Thanks,
> Stephan
> --
> All technical questions asked privately will be automatically answered
> on the list and archived for public access unless privacy is explicitly
> required and justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
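The following Python model is an added illustration, not Postfix code and not part of the thread above. It implements the three-step lookup order that the postconf(5) text quoted above specifies for smtpd_sender_login_maps (user@domain, then bare user for local domains only, then @domain, first hit wins) and the reject_authenticated_sender_login_mismatch decision for a SASL-authenticated client: the request is rejected unless the login name is among the owners the table returns, so an address with no owner entry is rejected as well. That is what lets the map pin authenticated users to a sender domain, which is what the original question asked for. The table contents, the local-domain set, the example.com addresses and the lower-casing of addresses and login names before comparison are all constructed assumptions of this model. To wire the real thing into the setup quoted above, set smtpd_sender_login_maps to a table (for example hash:/etc/postfix/sender_login, an assumed path) and place reject_authenticated_sender_login_mismatch in smtpd_recipient_restrictions ahead of permit_sasl_authenticated, because a permit ends evaluation and would otherwise accept the message before the mismatch check runs.

```python
"""Model of the smtpd_sender_login_maps lookup order and of the
reject_sender_login_mismatch decision as postconf(5) describes them.
Added illustration only: this is not Postfix source code."""

# Constructed stand-in for a hash: sender-login table. Keys follow the
# three lookup forms from postconf(5); values list the owning SASL login
# names, separated by comma and/or whitespace as in a real table.
SENDER_LOGIN_MAP = {
    "stephan@example.com": "stephan",   # 1) user@domain, highest precedence
    "postmaster": "stephan, admin",     # 2) bare user, local domains only
    "@example.com": "stephan admin",    # 3) @domain, lowest precedence
}

# Constructed stand-in for $myorigin/$mydestination/$inet_interfaces/
# $proxy_interfaces, which decide whether the bare-user lookup happens.
LOCAL_DOMAINS = {"example.com", "localhost"}


def lookup_owners(table, sender, local_domains):
    """Return the owner login names for a MAIL FROM address, or None.

    Search order follows postconf(5): user@domain first, then the bare
    user part (only when the domain is local), then @domain. The first
    hit wins. Addresses are lower-cased before lookup (an assumption of
    this model).
    """
    sender = sender.lower()
    if "@" not in sender:
        return None                      # no domain part: no owner entry
    user, domain = sender.rsplit("@", 1)
    keys = [sender]                      # 1) user@domain
    if domain in local_domains:
        keys.append(user)                # 2) user
    keys.append("@" + domain)            # 3) @domain
    for key in keys:
        if key in table:
            return table[key].replace(",", " ").split()
    return None


def check_authenticated_sender(table, sender, sasl_username, local_domains):
    """Decide reject_authenticated_sender_login_mismatch for a client that
    is SASL logged in as sasl_username. Returns a reject reason or None.

    Per postconf(5) the restriction rejects when the login name does not
    own the sender address; an address with no owner in the table is
    therefore rejected too, which is what makes this usable to pin
    authenticated users to one sender domain.
    """
    owners = lookup_owners(table, sender, local_domains)
    if owners is None or sasl_username.lower() not in [o.lower() for o in owners]:
        return f"Sender address rejected: not owned by user {sasl_username}"
    return None


def demo():
    """Run a few constructed MAIL FROM / login combinations."""
    cases = [
        ("stephan@example.com", "stephan"),   # rule 1: owner matches
        ("stephan@example.com", "admin"),     # rule 1 wins over @example.com
        ("postmaster@example.com", "admin"),  # rule 2: bare user, local domain
        ("postmaster@other.org", "admin"),    # rule 2 skipped, rule 3 misses
        ("anyone@example.com", "admin"),      # rule 3: @domain entry
        ("anyone@example.com", "bob"),        # login not among owners
    ]
    return {
        f"{sender} as {login}": check_authenticated_sender(
            SENDER_LOGIN_MAP, sender, login, LOCAL_DOMAINS)
        for sender, login in cases
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict or "permit")
```

The second demo case is the one worth noticing: a user@domain entry takes precedence over the @domain entry, so listing admin under @example.com does not let admin send as stephan@example.com once that address has its own owner line.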