----- Message from Wietse Venema <[email protected]> ---------
Date: Sat, 31 Jul 2021 09:45:00 -0400 (EDT)
From: Wietse Venema <[email protected]>
Reply-To: Postfix users <[email protected]>
Subject: Re: reject_sender_login_mismatch
To: Postfix users <[email protected]>
Simon Wilson:
A quick query on?smtpd_sender_login_maps format.
I have this working well on port 587 to ensure that specified
SASL-authenticated users only can send emails from their owned email
addresses.
So I have in a file 'controlled_envelope_senders' this, as an example:
@simonandkate.net simon
...and I have reject_sender_login_mismatch set in master.cf for port
587. Then in main.cf:
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
Perfect...
I am disabling a couple of email addresses as a first step along the
way to deleting some accounts and domain names. I've disabled inbound
emails fine, and now need to prevent the users sending, while still
being able to access webmail for a few days.
The question:
Within the smtpd_sender_login_maps file, is an empty RH side valid so
*NO* SASL users can send from that (domain) address? Or does it need
to have *something* on the RHS?
Maps can't return an empty result but you have other options:
1) Return a bogus login name. This is perhaps the easiest.
2) Return 'not found'. When you use a pcre map instead of hash, you
have negative patterns, IF/ELSE/ENDIF.
See http://www.postfix.org/pcre_table.5.html. This will not
search by "@domain" use bare "user", only with the full sender
address.
Wietse
Just what I needed to know, thanks Wietse. I'm just using a hashed
file, so will go with the simple option 1.
I've put my login in there for now, but perhaps a "disabled" or
something along those lines will be more intuitive.
Thanks again.
--
Simon Wilson
M: 0400 12 11 16
