ram:
> I need to implement smtpd login maps on our postfix servers so as
> minimize the chances of a compromised client machine screwing our smtp
> relay.
>
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries.
>
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
>
>
> So I want to say
> if(sasl authenticated) {
> if(suspect client login) {
> reject_authenticated_sender_login_mismatch
Currently it can be done with a policy daemon (the protocol provides
both the sasl login and the sender address).
To do this in smtpd, the obvious approach is to add an access map
feature that searches a table by the SASL login name.
/etc/postfix/main.cf:
smtpd_something_restrictions =
...
check_sasl_access hash:/etc/postfix/sasl_access
...
/etc/postfix/sasl_access:
us...@example.com reject_sender_login_mismatch
But the more *general* solution would be a way to say:
check_access attribute_name hash:/etc/postfix/access_table
Where "attribute_name" can be sasl_username, ccert_fingerprint, or
any other smtpd policy protocol attribute name.
If I have time then I would do that, and solve a whole bunch of
future feature requests.
Wietse
