On Fri, Aug 11, 2017 at 11:20:35PM +0200, mj wrote:

> I would like to only allow sasl authenticated relay for specific users, so I
> have in main.cf:
>
> smtpd_relay_restrictions = permit_mynetworks, check_sasl_access
> hash:/etc/postfix/sasl_list,....
>
> and in /etc/postfix/sasl_list:
> username1 OK
> username2 REJECT
> username3 OK
> * REJECT

"*" does not (and is not documented to) work as a wildcard in indexed
file tables.

> However, I want to blacklist ALL my users, except username1 / username3, so
> the line with "*" is ignored.

Far simpler:

    indexed = ${default_database_type}:${config_directory}/
    smtpd_relay_restrictions =
        permit_mynetworks,
        check_sasl_access ${indexed}sasl_list,
        reject_unauth_destination

/etc/postfix/sasl_list:
    username1 OK
    username3 OK

With this, you only need to list the permitted users, there's no need
to list the rejects, these are handled by the required "default deny"
restriction at the end.

A user who wants to bypass explicit rejection can just remain anonymous,
by omitting authentication, and be rejected only when attempting to
relay, like everyone else.

--
    Viktor.
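
Added example, not part of the original message and not Postfix code: a simplified Python model of how the three relay restrictions above are evaluated in order, showing that the "*" key never matches a login name and that the final default deny covers every unlisted user. The client address, domains and the names MYNETWORKS, LOCAL_DOMAINS and make_session are assumptions, and the quoted table is evaluated under the same rule list as the suggested one.

```python
# Simplified model of Postfix restriction evaluation (assumption: not Postfix source).
# Constructed sample tables; an indexed table is an exact-key lookup.
ORIGINAL_TABLE = {"username1": "OK", "username2": "REJECT",
                  "username3": "OK", "*": "REJECT"}
ALLOWLIST_TABLE = {"username1": "OK", "username3": "OK"}

MYNETWORKS = {"127.0.0.1"}        # assumed trusted client addresses
LOCAL_DOMAINS = {"example.org"}   # assumed domains this server is final destination for


def permit_mynetworks(session, table):
    return "OK" if session["client"] in MYNETWORKS else "DUNNO"


def check_sasl_access(session, table):
    user = session["sasl_user"]
    if user is None:                  # anonymous client: nothing to look up
        return "DUNNO"
    return table.get(user, "DUNNO")   # exact match only, "*" is just another key


def reject_unauth_destination(session, table):
    domain = session["rcpt"].rsplit("@", 1)[1]
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


RELAY_RESTRICTIONS = [permit_mynetworks, check_sasl_access,
                      reject_unauth_destination]


def evaluate(session, table):
    """Return the first decisive result; DUNNO falls through to the next rule."""
    for rule in RELAY_RESTRICTIONS:
        result = rule(session, table)
        if result in ("OK", "REJECT"):
            return f"{result} by {rule.__name__}"
    # In Postfix the recipient restrictions would be evaluated next.
    return "DUNNO (end of list)"


def make_session(user, rcpt, client="203.0.113.7"):
    return {"client": client, "sasl_user": user, "rcpt": rcpt}


if __name__ == "__main__":
    for user in ("username1", "username2", "username4", None):
        for rcpt in ("a@remote.example", "b@example.org"):
            print(user, rcpt, "->", evaluate(make_session(user, rcpt), ALLOWLIST_TABLE))
```
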