On 2013-03-17 11:05, Ansgar Wiechers wrote:
> On 2013-03-17 Per olof Ljungmark wrote:
>> We've had a working configuration since a few years where we allow
>> authenticated users to relay mail even if the sender address does not
>> match a local user and the recipient is non-local.
>>
>> Now this is about to change.
>>
>> So, if the sender is *authenticated*:
>>
>> - from local-user@local-domain to nonlocal@: allowed
>> - from nonlocal@ to local-user@local-domain: allowed obviously
>> - from nonlocal@ to nonlocal@: disallowed
>>
>> Currently we have
>>
>> smtpd_sender_restrictions =
>>      hash:/usr/local/etc/postfix/access,
>>      permit_sasl_authenticated,
>>      permit_mynetworks,
>>      reject_unknown_sender_domain,
>>      reject_unauth_destination
>>
>> All local users are in a ldap table.
>>
>> Can we use for example "check_sender_access"
>> and if the user is authenticated *and* the users email or alias matches
>> MAIL FROM in the ldap lookup give it an OK?
>>
>> reject_sender_login_mismatch I guess is a possible candidate but then
>> the problem is MUAs where the user has several incoming accounts but
>> just one outgoing server configured and there are quite a few such.
>>
>> I'm still wading through the Postfix docs trying to get a grip on it but
>> if someone already did it I would be very grateful for a piece of
>> information... have to admit it feels a bit tricky.
> 
> I'd recommend separating authenticated from unauthenticated submission.
> Enable submission (port 587) with authentication required, and remove
> permit_sasl_authenticated from the smtpd instance on port 25. For the
> submission port you could enable reject_sender_login_mismatch to
> restrict senders to their own sender address. If you want them to be
> able to use arbitrary addresses for mail sent to local recipients,
> but disallow non-local sender addresses for outbound mail, you'll
> probably have to use a policy service.

Thank you for the tip. Then I have to figure out how to separate the two
rulesets, which I have not yet found in the docs.

Unfortunately we do have clients still using port 465 for sending, so I'm
not sure if it is even possible.

No other way to achieve this?

Thanks!
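The quoted reply suggests a policy service for the case where authenticated users may use any sender address towards local recipients but only a local sender address for outbound mail. The script below is an added example of such an SMTPD policy delegation service (not code from this thread or from the Postfix project); the domain list is a constructed stand-in for the LDAP table, and the policy itself is the one described in the original question.

```python
#!/usr/bin/env python3
"""Minimal Postfix SMTPD policy service for the relay rule discussed above.

Added example, not code from the thread. Assumed rule for an authenticated
client (sasl_username set): allow if the sender domain is local or the
recipient domain is local; otherwise reject (non-local to non-local).
Unauthenticated requests get DUNNO so the normal restrictions decide.
"""
import sys

# Constructed sample domain list; in production this would come from LDAP.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def decide(attrs):
    """Return the Postfix policy action for one parsed request."""
    if not attrs.get("sasl_username"):
        return "DUNNO"  # not authenticated: other restrictions decide
    if domain_of(attrs.get("sender", "")) in LOCAL_DOMAINS:
        return "DUNNO"  # local sender address may go anywhere
    if domain_of(attrs.get("recipient", "")) in LOCAL_DOMAINS:
        return "DUNNO"  # any sender address may reach local recipients
    return "REJECT Non-local sender address not permitted for relaying"

def parse_request(lines):
    """Parse the name=value lines of one request; a blank line ends it."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests until EOF (spawn(8) starts one process per connection)."""
    while True:
        attrs = parse_request(inp)
        if not attrs:
            return
        out.write("action=%s\n\n" % decide(attrs))
        out.flush()

if __name__ == "__main__":
    serve()
```

Hooked in with `check_policy_service unix:private/relaypolicy` (service name assumed) in the restriction list, it must be listed before `permit_sasl_authenticated`, otherwise the permit fires first and the policy is never consulted.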
