On 2022-03-14 03:42, Jaroslaw Rafa wrote:
> Looks like a job for identd. You have to set up identd on your server and
> make the Postfix service on port 2525 to ask identd about the userid of
> connecting process. If it's not setroubleshoot, you should reject the
> connection.

That's an interesting idea. Not knowing about identd, I tried to accomplish the same thing with a netfilter rule which seems to work ok: $> nft add rule filter output ip daddr 127.0.0.1 tcp dport 2525 meta skuid != { root, setroubleshoot } reject

> Another option may be - if this is possible - to configure setroubleshootd
> to use a very specific HELO string when connecting and check for that
> particular HELO in smtpd_helo_restrictions for service on port 25. In that
> case HELO string acts as some kind of password.

> You may also (again if this is possible in setroubleshootd) insert a very
> specific header into the message and use a milter to reject message if the
> header is not present.

Those are both very clever ideas, I'll keep that in mind if faced with this problem in the future. For now I think I'm just going to wait for sendmail support to be added, and bypass smtp altogether.

Appreciate the response
Thanks

--
Matt
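To illustrate the HELO-as-password idea quoted above, here is an added Postfix configuration example (not from either poster, and not how setroubleshootd itself is configured): a dedicated loopback-only smtpd service that requires HELO and accepts only one specific HELO name from a lookup table. The port (2525), the HELO value and the map path are assumptions for the example.

```conf
# /etc/postfix/master.cf (added example): a separate smtpd instance that only
# accepts mail from a client presenting the expected HELO name. Bind it to
# loopback so it is never reachable from the network. 127.0.0.1:2525 is an
# assumed value here.
127.0.0.1:2525 inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/local-helo
  -o smtpd_helo_required=yes
  -o smtpd_helo_restrictions=check_helo_access,hash:/etc/postfix/helo_access,reject
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

# /etc/postfix/helo_access (added example): the one HELO name the local client
# is configured to send. Every other HELO falls through to the trailing
# "reject" in smtpd_helo_restrictions above. Build the map with:
#   postmap hash:/etc/postfix/helo_access && postfix reload
setroubleshoot-local-only.invalid   OK
```

Because a HELO name travels in cleartext on the socket, this only keeps out local processes that do not know the string; combine it with the uid-based netfilter rule or identd check from the thread if other local users must be excluded as well.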
