On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
> Create a file containing the following (where yourdomain.com is the domain
> your authenticated users send from):
>
> yourdomain.com permit_sasl_authenticated, reject
>
> postmap the file.
>
> Then use:
> smtpd_recipient_restrictions =
>     ...
>     check_sender_access hash:/path/to/file
>     ...
>
> Note that permit_sasl_authenticated is removed from the recipient
> restrictions, because that is handled by check_sender_access.
>
> This will give two-fold security:
> Anyone that is authenticated, MUST use your domain to take advantage of
> authentication. E.g., if they send a mail from let's say
> some...@someotherdomain.com it will be "relay rejected" even if they
> authenticate.
>
> Also, the second "reject" in the map file will force-reject anyone that
> attempts to use "yourdomain.com" as sender without authentication, causes
> everyone who tries to send a mail with your domain as sender, into a local
> mailbox, example:
>
> MAIL FROM: ad...@yourdomain.com
> RCPT TO: vic...@yourdomain.com
>
> That sender will then be rejected with the reason that the sender address is
> invalid, UNLESS they authenticate before.

Any comments on the advisability and utility of this method? At first blush it seems a bit too good to be true. What’s the catch?

-- 
And I just don't care what happens next / looks like freedom but it feels like death / it's something in between, I guess
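
A simplified model of the restriction evaluation described in the quoted message, added here as an example (it is not code from either poster or from Postfix). It assumes the restriction list is only check_sender_access followed by reject_unauth_destination and that yourdomain.com is the only local domain; it looks only at the envelope sender (MAIL FROM), which is all check_sender_access sees, so the From: header is outside what this setup checks.

```python
# Added example: simplified model of Postfix restriction evaluation.
# Assumptions: LOCAL_DOMAINS stands in for mydestination; the map holds the
# single entry from the quoted message; the list order is as in decide().
LOCAL_DOMAINS = {"yourdomain.com"}
SENDER_ACCESS = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def lookup_sender(sender):
    """access(5)-style lookup: full address, then domain, then parent domains
    (subdomains match by default for smtpd access maps)."""
    sender = sender.lower()
    if sender in SENDER_ACCESS:
        return SENDER_ACCESS[sender]
    labels = domain_of(sender).split(".")
    for i in range(len(labels) - 1):
        hit = SENDER_ACCESS.get(".".join(labels[i:]))
        if hit:
            return hit
    return None  # no match, including the null sender "" used by bounces


def apply(restriction, sender, rcpt, authed):
    if restriction == "permit_sasl_authenticated":
        return PERMIT if authed else DUNNO
    if restriction == "reject":
        return REJECT
    if restriction == "reject_unauth_destination":
        return DUNNO if domain_of(rcpt) in LOCAL_DOMAINS else REJECT
    if restriction == "check_sender_access":
        # The map value is itself a restriction list, evaluated in order.
        for action in lookup_sender(sender) or []:
            result = apply(action, sender, rcpt, authed)
            if result != DUNNO:
                return result
        return DUNNO
    raise ValueError(restriction)


def decide(sender, rcpt, authed,
           restrictions=("check_sender_access", "reject_unauth_destination")):
    for name in restrictions:
        result = apply(name, sender, rcpt, authed)
        if result != DUNNO:
            return result
    return PERMIT  # end of list reached without a decision
```

Calling decide() with an authenticated client, a sender outside yourdomain.com and a local recipient returns PERMIT, because the map only has a say when the sender domain matches.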