On 21.07.2016 23:40, A. Schulze wrote:
On 20.07.2016 at 18:03, Wietse Venema wrote:
In Postfix: require that MAIL FROM matches SASL login
In Milter: require that MAIL FROM matches From: header.
I took that suggestion and had a deeper look in OpenDKIM today.
Parsing RFC5322.From /is/ complicated. But for my feeling OpenDKIM
does that job very well.
OpenDKIM has the ability to do such checks in a very convenient way.
We may do lookup in static files, databases and even LDAP.
I would like to see it very similar to
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
Besides "xxx_end_of_data_restrictions", "rfc5322_from_login_maps" was
one of the key aspects of my original question ;)
Lookup one RFC5322.From (Key) and check if one or more SASL Users
(Values) are authorized.
But, what are the use-cases?
- RFC5322.From matches exact sasl_user
Implies that your users authenticate with their email address only ->
bijective mapping, IMO this would be perfect for human senders with only
one email address. In this use case, a person would not be able to use
additional/alias addresses as sender.
- RFC5322.From domain matches sasl users domain-part
Sounds useful if you want to "soften" a strict submission-policy.
Downside: within same domain, sender A will still be able to send as
sender B. But, the core statement of my original question was to prevent
this ;)
- RFC5322.From is authorized by one or more sasl users
Could be used for automated application/script based senders like
[email protected] -> surjective mapping of sasl-user and sender-address.
Further this could be a solution for the flexibility problem of use-case
"RFC5322.From matches exact sasl_user".
...
Andreas
Thanx,
Dominik
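
The three use cases from the message above, written out as a policy check over the From: header and the SASL login. This is an added example, not part of the original message and not Postfix or OpenDKIM code; the function names, the map contents and the example.com addresses are constructed for illustration.

```python
from email.utils import getaddresses

# Constructed sample table in the spirit of smtpd_sender_login_maps:
# key = RFC5322.From address, value = SASL logins allowed to use it.
FROM_LOGIN_MAP = {
    "alice@example.com": {"alice@example.com"},
    "sales@example.com": {"alice@example.com", "bob@example.com"},
    "noreply@example.com": {"app1", "app2"},
}

def from_addresses(header_value):
    """Return the lowercased addr-specs found in a From: header value."""
    pairs = getaddresses([header_value])
    return [addr.lower() for _name, addr in pairs if "@" in addr]

def check_exact(addr, sasl_user):
    # Use case 1: From: must equal the SASL login (no aliases possible).
    return addr == sasl_user.lower()

def check_domain(addr, sasl_user):
    # Use case 2: only the domain part must match. Sender A can still
    # send as sender B inside the same domain.
    if "@" not in sasl_user:
        return False
    return addr.rsplit("@", 1)[1] == sasl_user.lower().rsplit("@", 1)[1]

def check_map(addr, sasl_user, table=FROM_LOGIN_MAP):
    # Use case 3: look up From: (key), accept if the login is among the values.
    return sasl_user in table.get(addr, set())

def authorize(header_value, sasl_user, policy):
    """Apply one policy to every address in From:; fail closed."""
    addrs = from_addresses(header_value)
    if not addrs:
        return False  # missing or unparseable From:
    # From: may list several mailboxes; each one must be authorized.
    return all(policy(a, sasl_user) for a in addrs)

if __name__ == "__main__":
    for policy in (check_exact, check_domain, check_map):
        ok = authorize("Bob <bob@example.com>", "alice@example.com", policy)
        print(policy.__name__, "accept" if ok else "reject")
```

The check uses only the addr-spec, so a display name that looks like an address does not influence the decision.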