Thank you Viktor. That does in fact stop the email if there is a mismatch. However, now I cannot send anything as it tells me that I don't own the email address I am trying to send to.
Can you tell me what it is checking to verify that the User Name belongs to the Email address the user is sending from? My sender restrictions look like this:

smtpd_sender_restrictions =
    # reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    # reject_unauthenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

I am currently getting this error in my SMTP logs:

Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: connect from andrew-grant.mydomain.com[10.1.2.166]
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: NOQUEUE: reject: RCPT from andrew-grant.mydomain.com[10.1.2.166]: 553 5.7.1 <andrewgr...@mail.mydomain.com>: Sender address rejected: not owned by user andrewgrant; from=<andrewgr...@mail.mydomain.com> to=<andrewgr...@mail.mydomain.com> proto=ESMTP helo=<andrew-grant.mydomain.com>
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: disconnect from andrew-grant.mydomain.com[10.1.2.166]

Any thoughts as to what I should look at to verify that my User Name really does belong to my Email address?

On Jun 15, 2010, at 10:47 AM, Victor Duchovni wrote:

On Tue, Jun 15, 2010 at 09:33:12AM -0700, Andrew G. Grant wrote:

> Hello,
>
> I have configured the default install of Postfix (version 2.5.5) on
> Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very
> well with the exception that once authenticated, a user can claim to be
> any valid email address on my network.

This is default behaviour.

> I now have a desire to restrict senders to their email addresses listed
> within Open Directory. I want to make sure that the email address listed
> in OD is the only sending address a user can use based upon their SASL
> credentials.
>
> I tried to reference LDAP using "smtpd_sender_login_maps =
> ldap:/etc/postfix/ldap-aliases.cf" but I found that Apple did not include
> LDAP as a dictionary type. Here are the types that are supported in
> my build.
>
> postconf -m
> btree
> cidr
> environ
> hash
> pcre
> proxy
> regexp
> static
> unix

That's unfortunate.

> So far, I have tried these items with no success:
> smtp_sender_dependent_authentication = yes

Irrelevant. This is used when sending mail, not when receiving mail. Turn this off.

>
> smtpd_sender_restrictions =
>     permit_sasl_authenticated,

Too late, at this point the SASL authenticated users are in. The restrictions on sender address go *above* this.

>     reject_non_fqdn_sender,
>     reject_sender_login_mismatch,
>     reject_authenticated_sender_login_mismatch,
>     reject_unauthenticated_sender_login_mismatch,
>     reject

# Not an MX host, authenticated senders only:
#
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

--
	Viktor.
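What the mismatch restrictions actually compare, as an added model for this thread (not code from the posts and not Postfix's own code): Postfix looks the MAIL FROM address up in smtpd_sender_login_maps, first as user@domain, then as a bare "user" when the domain is local, then as "@domain"; a hit is a comma- or space-separated list of SASL login names, and a logged-in client is rejected unless its login name is in that list. The "not owned by user andrewgrant" line in the log above is the outcome this model produces when the lookup returns nothing for the address, or returns a list that does not contain the login name. The map contents, domains and login names below are constructed sample data; LOCAL_DOMAINS stands in for the domains Postfix treats as its own ($mydestination and friends), and the hash: table type used in the comments is one of the types listed in the thread's postconf -m output.

```python
"""Model of the Postfix sender-login-mismatch decision (added illustration).

Mirrors the postconf(5) description of smtpd_sender_login_maps and the
reject_[authenticated_|unauthenticated_]sender_login_mismatch restrictions.
All data here is constructed sample data.
"""
from typing import Dict, Optional, Set

# Constructed contents of a hash: table such as /etc/postfix/sender_login
# (built with postmap). Values are the SASL login names that own the key.
SENDER_LOGIN_MAP: Dict[str, str] = {
    "andrew@mail.example.com": "andrew",          # one address, one owner
    "sales@mail.example.com": "andrew, beth",     # shared address, two owners
    "postmaster": "andrew",                       # bare user key, local domains only
    "@lists.example.com": "listadmin",            # whole-domain entry
}

# Stand-in for the domains Postfix considers local ($mydestination etc.).
LOCAL_DOMAINS: Set[str] = {"mail.example.com"}


def lookup_owners(sender: str, login_map: Dict[str, str],
                  local_domains: Set[str]) -> Optional[str]:
    """Return the owner list for a MAIL FROM address, or None if no entry matches."""
    sender = sender.lower()
    if "@" not in sender:
        return login_map.get(sender)
    user, domain = sender.rsplit("@", 1)
    candidates = [sender]                 # 1) user@domain
    if domain in local_domains:
        candidates.append(user)           # 2) user (only for local domains)
    candidates.append("@" + domain)       # 3) @domain
    for key in candidates:
        if key in login_map:
            return login_map[key]
    return None


def sender_login_mismatch(sender: str, sasl_username: Optional[str],
                          login_map: Dict[str, str],
                          local_domains: Set[str] = LOCAL_DOMAINS,
                          restriction: str = "reject_sender_login_mismatch") -> Optional[str]:
    """Return the 553 reply text Postfix would log, or None when the check passes.

    restriction selects the variant being evaluated:
      reject_sender_login_mismatch                  both branches below
      reject_authenticated_sender_login_mismatch    logged-in clients only
      reject_unauthenticated_sender_login_mismatch  anonymous clients only
    """
    owners = lookup_owners(sender, login_map, local_domains)

    if sasl_username is not None:
        if restriction == "reject_unauthenticated_sender_login_mismatch":
            return None
        # A logged-in client must be listed as an owner. A map that is empty
        # or lacks the address therefore rejects the client: this is the
        # "not owned by user <login>" outcome from the thread's log.
        names = owners.replace(",", " ").split() if owners else []
        if not any(name.lower() == sasl_username.lower() for name in names):
            return "553 5.7.1 <%s>: Sender address rejected: not owned by user %s" % (
                sender, sasl_username)
        return None

    if restriction == "reject_authenticated_sender_login_mismatch":
        return None
    # An anonymous client may not use an address that has an owner.
    if owners is not None:
        return "553 5.7.1 <%s>: Sender address rejected: not logged in" % sender
    return None


def postmap_source(login_map: Dict[str, str]) -> str:
    """Render the map as the text file postmap(1) reads: one "key<TAB>value" per line."""
    return "".join("%s\t%s\n" % (key, value) for key, value in login_map.items())


if __name__ == "__main__":
    for who in ("andrew", "beth", None):
        print(who, "->", sender_login_mismatch("andrew@mail.example.com", who, SENDER_LOGIN_MAP))
    print(postmap_source(SENDER_LOGIN_MAP), end="")
```

Running the block shows the three cases side by side: the owner passes, another logged-in user gets "not owned by user", and an anonymous client gets "not logged in". Passing an empty dict as the map reproduces the situation where every authenticated sender is rejected, because no address has a recorded owner.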