Janis:
> Hello,
>
> This is my first question to mailing list, so I hope I get this right.
>
> I think it is better to describe general architecture first and then
> what I am trying to achieve.
>
> This Postfix instance is configured to use Dovecot SASL for LOGIN
> function and permissions. That part works. SASL auth is configured so
> that username is an email address. Only virtual mailboxes are used, but
> in this instance it is not that important, since the question is only
> about outgoing mail restrictions.
>
> The problem is that authenticated senders can send "mail from" from
> whatever they please if I do not place any restrictions. Thus I decided
> to use:
> smtp_sender_restrictions = reject_sender_login_mismatch
>
> It limits "mail from" as expected, but the problem is that I must
> "duplicate" kind of what I already have in Dovecot user database in
> $smtpd_sender_login_maps file. I am using hash type for
> $smtpd_sender_login_maps. It works very well with allowing to use "alias
> e-mail" address as "mail from" as well.

You could use regular expressions:

/etc/postfix/main.cf:
    smtpd_sender_login_maps = pcre:/etc/postfix/sender_login

/etc/postfix/sender_login:
    # each sender is 'owned' by the login with the same name.
    /^(\S+@\S+)$/   $1

As long as the SASL login names are validated by trusted code,
this should be safe.

        Wietse

> What I would like to achieve is to permit sender to set "mail from" the
> same value as his SASL auth username or some specially allowed "alias
> e-mail" addresses that are defined somewhere. For example, if user1 is
> allowed to respond for his company, he would authenticate as
> us...@domain.tld and could set "mail from" 1) us...@domain.tld or 2)
> i...@domain.tld.
>
> I can achieve this at the moment by writing both lines in login_maps
> file, but it feels kind of wrong way to do things. Is there a way not to
> duplicate Dovecot usernames and permit 1st case restriction in "mail
> from" something like permit_sasl_username_as_mail_from?
>
> I was looking directly at
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but
> none of the options seemed right for this use case. Maybe if I scratched
> my head a bit, I could come up with some "tricky" SQL query as a
> workaround and use reject_sender_login_mismatch, but maybe I have just
> overlooked some simple setting, thus I ask for any input.
>
> Thank you!
>
> Best wishes,
> Janis
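
An added example, not part of the original thread and not Postfix code: a simplified Python model of how the documented first-match search of smtpd_sender_login_maps and the three sender-login-mismatch restrictions decide, assuming a hypothetical second table hash:/etc/postfix/sender_aliases listed before the pcre table and constructed example.com addresses. It also covers the case where the catch-all pattern gives every address an owner, so clients that are not logged in are rejected unless the authenticated-only restriction is used.

```python
import re

# Constructed sample data. "sender_aliases" is a hypothetical second table
# holding only the extra addresses; logins themselves need no entry.
ALIASES = {"info@example.com": ["user1@example.com"]}  # hash:/etc/postfix/sender_aliases
IDENTITY = re.compile(r"^(\S+@\S+)$")                  # pcre:/etc/postfix/sender_login

ANY = "reject_sender_login_mismatch"
AUTH_ONLY = "reject_authenticated_sender_login_mismatch"
UNAUTH_ONLY = "reject_unauthenticated_sender_login_mismatch"


def owners(mail_from, tables=("aliases", "identity")):
    """SASL logins that own mail_from; tables are searched in order, first match wins."""
    sender = mail_from.lower()
    for table in tables:
        if table == "aliases" and sender in ALIASES:
            return ALIASES[sender]
        if table == "identity" and IDENTITY.match(sender):
            return [sender]  # the pattern's "$1" result: the address itself
    return []


def decide(mail_from, sasl_login=None, restriction=ANY, tables=("aliases", "identity")):
    """Simplified model of the documented rule; returns "OK" or "REJECT"."""
    owned_by = owners(mail_from, tables)
    if sasl_login is not None:
        # Logged-in client: its login must be listed as an owner of MAIL FROM.
        if restriction != UNAUTH_ONLY and sasl_login.lower() not in owned_by:
            return "REJECT"
    elif restriction != AUTH_ONLY and owned_by:
        # Client is not logged in, but the address has an owner.
        return "REJECT"
    return "OK"


if __name__ == "__main__":
    u1 = "user1@example.com"
    print(decide(u1, u1))                                   # own address
    print(decide("info@example.com", u1))                   # permitted alias
    print(decide("info@example.com", "user2@example.com"))  # someone else's alias
    print(decide("info@example.com", u1, tables=("identity", "aliases")))  # wrong order
    print(decide("a@elsewhere.example"))                    # not logged in
    print(decide("a@elsewhere.example", restriction=AUTH_ONLY))
```

With the alias table listed after the pcre table, the pattern answers first and the alias entry is never consulted.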