On 13.04.2012 22:35, Tom Hendrikx wrote:
> Note that Reindl's point is true: anyone with a valid SASL account would
> be able to activate an autoresponder for any other user. If a web GUI is
> the right solution depends on your use case, but issues will arise
> without more restrictions.

Not only authenticated ones: even random delivery can happen if you do not have spoof protection enabled.

> As autoresponder seems to require the envelope_sender to be the same as
> the one you're configuring autoresponder for, this might be a nice job
> for reject_sender_login_mismatch. See
> http://www.postfix.org/SASL_README.html#server_sasl_authz

But as stated above, this does not help if any forged envelope sender is passed from outside, which would bypass "reject_sender_login_mismatch" and SASL altogether.

Also, if you have hosts in "mynetworks", which is usually excluded from most restrictions, you may have an open door.

In my opinion this is simply dangerous and broken by design - an envelope sender is not any kind of authentication.
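As an added illustration (not a configuration posted in this thread, and not the autoresponder's own setup), the Postfix main.cf fragment below puts the ordering Reindl warns about next to a stricter one. It assumes a hypothetical sender-login map file /etc/postfix/sender_login_maps and the addresses alice@example.com / bob@example.com; both are made up for the example. Per the SASL_README section linked above, reject_sender_login_mismatch rejects an authenticated client whose login does not own the MAIL FROM address, and also an unauthenticated client whose MAIL FROM address has an owner in smtpd_sender_login_maps, but only if the restriction is actually reached before a permit_* rule such as permit_mynetworks.

```conf
# /etc/postfix/main.cf  (added example, not from the original thread)

# Map each envelope sender to the SASL login(s) allowed to use it.
# Hypothetical file /etc/postfix/sender_login_maps, built with postmap:
#   alice@example.com   alice
#   bob@example.com     bob
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# WEAK ORDERING: permit_mynetworks is evaluated first, so any host in
# $mynetworks (including a compromised one) can send
#   MAIL FROM:<alice@example.com>
# with no SASL login at all and the mismatch check is never reached.
# This is the "open door" described in the reply above.
#smtpd_sender_restrictions =
#    permit_mynetworks
#    reject_sender_login_mismatch

# STRICTER ORDERING: the sender/login relation is checked before any
# permit.  An authenticated client whose login does not own the sender
# address is rejected, and an unauthenticated client (from outside or
# from $mynetworks) presenting a sender that has an owner in
# smtpd_sender_login_maps is rejected too.
smtpd_sender_restrictions =
    reject_sender_login_mismatch
    permit_mynetworks
    permit_sasl_authenticated
```

Two caveats remain even with the stricter ordering: addresses that are not listed in smtpd_sender_login_maps are not protected by the check at all, and the check only covers mail that passes through this smtpd restriction list. It narrows the spoofing window, but it does not turn the envelope sender into an authentication credential, which is the underlying objection in the reply.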