On Monday, June 16, 2014 00:53:14 Eliezer Croitoru wrote:
> On 06/15/2014 11:11 PM, li...@rhsoft.net wrote:
> > what you describe is *the minimum* requirement of a sane MTA
> > you must not allow senders you would not accept incoming messages
> > and no - there are no exceptions for whatever user
>
> I am not sure you understand it but there is little doubt we are talking
> about the same thing or not.
> The postfix server is allowing for now to relay any email by from any
> email if the user is locally authenticated.
> Others are just blocked.
> A local user can send as itself... and as otherusern...@google.com.
> Other servers might not like it and will enforce SPF the same way this
> server uses it.
> I want to force only on authenticated users (since there are other
> automated systems that rely on the service) a rule that will force them
> to only use the local domains in the "From:" header of the mail body.
> For now I enforce rate limiting and other means of enforcement on the
> service usage to prevent and detect abnormal usage and abuse of the
> local network SMTP relay service. (which works so good that people who
> abuse it are stuck in one sec to more than 24 hours no matter if they
> scream shout or anything else...)
>
> For now the users can authenticate and send a mail as "u...@google.com"
> or "u...@hotmail.com" since the SPF rules of these providers allow a
> SOFT SPF enforcement.
> I would like to harden the service one level up and not allow this
> unless strictly allowed by the admin of the service not related to SPF.

If I understand what you're after, reject_authenticated_sender_login_mismatch may
well do exactly what you want.

Scott K
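
A minimal Postfix configuration using the restriction named in the reply above, as an added example that is not part of the original thread. The domain example.org, the logins alice and bob, and the table path are assumptions; Postfix evaluates this restriction against the envelope sender (MAIL FROM), not the "From:" header.

```conf
# /etc/postfix/main.cf (fragment; added example, not from the thread)

# Lookup table mapping envelope sender addresses to the SASL login(s)
# that own them. Path and table type are assumptions.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Evaluated at MAIL FROM. For SASL-authenticated clients only, reject any
# envelope sender that the login does not own according to
# smtpd_sender_login_maps. Unauthenticated clients (for example automated
# systems relaying from the local network) are not touched by this rule.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch

# ---------------------------------------------------------------------
# /etc/postfix/sender_login_maps (constructed sample data)
# Rebuild the index after editing: postmap /etc/postfix/sender_login_maps
#
# sender address          owning SASL login(s)
alice@example.org         alice
bob@example.org           bob
# A shared address may list several owners, separated by commas.
support@example.org       alice, bob
#
# An address with no entry (such as one at an external provider) has no
# owner, so an authenticated client using it as MAIL FROM is rejected.
```

Because only the envelope sender is checked, a "From:" header that differs from MAIL FROM is not caught by this restriction alone.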