Hi,

On Mon, Feb 19, 2018 at 1:31 PM, Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>> On Feb 19, 2018, at 11:35 AM, Alex <mysqlstud...@gmail.com> wrote:
>> In other words, if the sasl_username is alice, I'd like to restrict
>> the envelope sender and From address to only legitimate accounts
>> belonging to that sasl user.
>
> If the account is compromised, you really should deny access until
> the password is changed.  That said, you can use:

Yes, we've locked the accounts and are investigating the infected PC
that caused this.

However, I'm still having a problem with the changes you've suggested:

>  main.cf:
>    indexed = ${default_database_type}:${config_directory}/
>    smtpd_restriction_classes = enforce_login
>    enforce_login =
>         reject_authenticated_sender_login_mismatch,
>         permit_sasl_authenticated,
>         reject
>    smtpd_sender_restrictions =
>         check_sasl_access ${indexed}sasl-access
>
>  sasl-access:
>    # The lookup key is the SASL login name, which may be "user@realm",
>    # rather than just "user", specify accordingly.
>    #
>    alice   enforce_login

indexed = ${default_database_type}:${config_directory}/
smtpd_restriction_classes = enforce_login
enforce_login =
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated,
   reject
smtpd_sender_restrictions =
   check_sasl_access ${indexed}sasl-access

sasl-access:
user44406  enforce_login

Feb 23 11:57:51 email01 postfix/submission/smtpd[1563]: NOQUEUE:
reject: RCPT from
104-0-120-163.lightspeed.hstntx.sbcglobal.net[104.0.120.163]: 553
5.7.1 <user44...@sub.example.com>: Sender address rejected: not owned
by user user44406; from=<user44...@sub.example.com>
to=<dex...@sbcglobal.net> proto=ESMTP helo=<BWPC1>

I've also tried user44...@sub.example.com, and while it doesn't reject
the sender, it also doesn't block users from being able to send mail
from accounts other than their own. These are non-existent accounts:

From: "mistybarry" <mistyba...@sub.example.com>
To: "abrennan" <abren...@curamsoftware.com>

I'm not sure what other details I can provide to help here.

Thanks,
Alex
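
Added example, not part of the original message or of the configuration quoted in it: reject_authenticated_sender_login_mismatch decides ownership from smtpd_sender_login_maps, which the quoted configuration does not set. The logins and addresses are constructed, and the sender-login table name is an assumption.

```cfg
# main.cf (added example; logins and addresses are constructed)
indexed = ${default_database_type}:${config_directory}/

# Ownership table consulted by reject_authenticated_sender_login_mismatch.
# A MAIL FROM address with no entry naming the current SASL login is
# treated as not owned by that login and is rejected with
# "Sender address rejected: not owned by user ...".
# The table name "sender-login" is an assumption.
smtpd_sender_login_maps = ${indexed}sender-login

smtpd_restriction_classes = enforce_login
enforce_login =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject
smtpd_sender_restrictions =
    check_sasl_access ${indexed}sasl-access

# sasl-access: key = SASL login name exactly as the client presents it
#   alice                 enforce_login
#
# sender-login: key = envelope sender address, value = owning SASL login
#   alice@example.com     alice
#   sales@example.com     alice
#
# Rebuild both tables with postmap after editing them.
#
# These restrictions act on the envelope sender (MAIL FROM) only. The
# From: header is message content and is not compared against the
# SASL login by anything in this file.
```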
