On Wed, Dec 03, 2014 at 01:40:12PM +0100, mancyb...@gmail.com wrote:

> Hi, my whole 'smtpd_recipient_restrictions' is:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     check_policy_service inet:127.0.0.1:10031,
>     check_sender_access hash:/etc/postfix/sender_access,

Note, "check_sender_access" BEFORE "reject_unauth_destination" is a
potential open-relay exposure.  Your "sender_access" rules MUST NOT
return any "OK", "permit" or similar results.

Perhaps that logic (together with the sender login mismatch rules)
should be moved to "smtpd_sender_restrictions".

    smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_sender_login_mismatch,

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        ... other restrictions here ...

Similarly, "check_policy_service" is potentially an open-relay problem
if it ever returns OK,

On Wed, Dec 03, 2014 at 01:06:23PM +0100, mancyb...@gmail.com wrote:

> Hi, I'm currently the following two parameters:
>
> reject_authenticated_sender_login_mismatch,
> reject_unauthenticated_sender_login_mismatch,
>
> under 'smtpd_recipient_restrictions'
> to enforce sasl username+password authentication.

The mapping from sender address is to a list of authorized logins,
you could attempt to include the Exchange login with every sender
address it is authorised to use:

    # MTAs send bounces, so this is required!
    <> exchange.lo...@example.com
    j...@example.com joeslo...@example.com, exchange.lo...@example.com
    u...@example.com userlo...@example.com, exchange.lo...@example.com
    ...

but this is fragile, with Postfix 2.11 (upgrade if at all possible):

    main.cf:
        smtpd_sender_restrictions =
            permit_mynetworks,
            check_sasl_access hash:/etc/postfix/sasl_access
            reject_sender_login_mismatch

    sasl_access:
        exchange.lo...@example.com OK for any sender address

--
        Viktor.
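
An added example, not part of the original message and not Postfix code: a small Python check for the ordering problem described above, listing every check_* lookup (access table or policy service) that a restriction list evaluates before reject_unauth_destination. The two main.cf fragments are constructed from the settings in the thread, and the function names are hypothetical.

```python
import re

# Restrictions after which only mail for this server's own destinations remains.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

# Constructed sample modelled on the quoted setup; the final line is assumed.
ORIGINAL = """
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:10031,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination
"""

# Constructed sample following the layout suggested in the reply.
SUGGESTED = """
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_sender_login_mismatch,
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params

def lookups_before_relay_guard(text, param="smtpd_recipient_restrictions"):
    """List (check_* restriction, argument) pairs evaluated before the relay guard."""
    tokens = re.findall(r"[^,\s]+", parse_main_cf(text).get(param, ""))
    found = []
    for i, name in enumerate(tokens):
        if name in RELAY_GUARDS:
            break
        if name.startswith("check_"):  # every check_* restriction takes one argument
            found.append((name, tokens[i + 1] if i + 1 < len(tokens) else ""))
    return found
```

Each pair the function returns for smtpd_recipient_restrictions names a table or policy service whose results need review, since an "OK" or "permit" from it is decided before the relay check runs.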