On Wed, May 04, 2022 at 04:49:10PM +0200, Víctor Rubiella Monfort 
<vrubie...@cdmon.com> wrote:

> On 4/5/22 at 12:27, Matus UHLAR - fantomas wrote:
> > On 04.05.22 10:50, Víctor Rubiella Monfort wrote:
> > > I'm working on a map to restrict the MAIL FROM declared on mail, based
> > > on the authenticated SASL user.
> > > 
> > > For example, if we want all accounts for domain @domain1.com to be able
> > > to define MAIL FROM as @domain1.com and @domain2.com accounts:
> > > 
> > > @domain1.com accou...@domain1.com accou...@domain2.com
> > > accou...@domain2.com accou...@domain2.com
> > > @domain2.com accou...@domain1.com accou...@domain2.com
> > > accou...@domain2.com accou...@domain2.com
> > 
> > > I store this on map file and add this configuration on postfix:
> > > 
> > > smtpd_sender_login_maps: hash:/etc/postfix/sender_restrictions_map
> > > 
> > > smtpd_sender_restrictions
> > > .....
> > > reject_sender_login_mismatch
> > > 
> > > This seems to work fine, but the complexity of this map grows when we
> > > add several domains and each domain has several accounts, for example
> > > if we add 4 domains with 20, 30 or 50 accounts each.
> > > 
> > > Is there any way to do something like this:
> > > 
> > > @domain1.com @domain1.com,@domain2.com,@domain3.com
> > > @domain2.com @domain1.com,@domain2.com,@domain3.com
> > > @domain3.com @domain1.com,@domain2.com,@domain3.com
> > > 
> > > The final purpose is to restrict which domains can be used in MAIL FROM,
> > > based on the domain of the SASL account, without considering each account.
> > 
> > If you want to allow all accounts to specify all addresses in
> > @domain1.com and @domain2.com, why specify them at all?
> > 
> > Not specifying @domain1.com and @domain2.com should not restrict sending
> > mail from those domains at all.
> > 
> > For unauthenticated clients, you can deny MAIL FROM: using
> > check_sender_access.
> > 
> > 
> So, because not all domains can use all domains :D, this should be a
> clearer sample:
> 
> @domain1.com @domain1.com,@domain2.com,@domain3.com
> @domain2.com @domain1.com,@domain2.com,@domain3.com
> @domain3.com @domain1.com,@domain2.com,@domain3.com
> @domain4.com @domain4.com,@domain5.com
> @domain5.com @domain4.com,@domain5.com

Perhaps you could write a little script that takes the above
information and associated user names, and generates the map
file that Postfix needs. That would automate the incremental
complexity.

I've attached an example script and input file that might do.
But it might not exactly match your requirements.
It assumes that every domain in each group of domains
shares all its user names with the other domains
in its group. If that's not the case, it won't work.

Also, I think you might have mistyped your example,
because accou...@domain2.com appears twice in each
map entry, and I'm assuming that one of them is
supposed to be accou...@domain1.com. If not,
then I have misunderstood.

Given this input:

  # List domain groups
  domain1.com domain2.com domain3.com
  domain4.com domain5.com

  # List the user names in each domain group
  @domain1.com account1 account2
  @domain4.com account1 account3

The attached script produces:

  @domain1.com accou...@domain1.com accou...@domain1.com accou...@domain2.com accou...@domain2.com accou...@domain3.com accou...@domain3.com
  @domain2.com accou...@domain1.com accou...@domain1.com accou...@domain2.com accou...@domain2.com accou...@domain3.com accou...@domain3.com
  @domain3.com accou...@domain1.com accou...@domain1.com accou...@domain2.com accou...@domain2.com accou...@domain3.com accou...@domain3.com
  @domain4.com accou...@domain4.com accou...@domain4.com accou...@domain5.com accou...@domain5.com
  @domain5.com accou...@domain4.com accou...@domain4.com accou...@domain5.com accou...@domain5.com

Hopefully, someone will suggest a nice elegant approach instead,
but something like this can work and take the tedium and risk out of it.

cheers,
raf

#!/usr/bin/env perl
use warnings;
use strict;

# mk_sender_restrictions_map
# Make /etc/postfix/sender_restrictions_map
# from /etc/postfix/sender_restrictions_map.in

my $map = '/etc/postfix/sender_restrictions_map';
my $in = $map . '.in';

my @domain_groups; # List of listrefs containing domain names (one listref per group)
my %user_names; # Map from domain (without the leading @) to listref containing user names

# Read the config file

open my $fh, '<', $in or die "$0: Failed to open $in for reading: $!\n";

while (<$fh>)
{
        # Strip comments, trim, skip blank lines

        s/#.*$//, s/^\s+//, s/\s+$//, s/\s+/ /g;
        next if /^$/;

        # Gather the user names associated with each domain group
        # e.g.:
        # @domain1.com account1 account2
        # @domain4.com account1 account3

        if (/^@(\S+)\s+(.*)$/)
        {
                my ($domain, $users) = ($1, $2);
                my @users = split /[,\s]+/, $users;
                $user_names{$domain} = [@users];
                next;
        }

        # Gather the domain groups
        # e.g.:
        # domain1.com domain2.com domain3.com
        # domain4.com domain5.com

        my @domains = split /[,\s]+/;
        push @domain_groups, [@domains];
}

close($fh);

# Generate the map file

open $fh, '>', $map or die "$0: Failed to open $map for writing: $!\n";

for my $group (@domain_groups)
{
        my $first = $group->[0];
        warn("$0: Skipping $first group (no users defined)\n"), next unless exists $user_names{$first};
        my @users = @{$user_names{$first}};

        for my $domain (@$group)
        {
                print $fh "\@$domain";

                for my $email_domain (@$group)
                {
                        print $fh " $_\@$email_domain" for @users;
                }

                print $fh "\n";
        }
}

close($fh) or die "$0: Failed to write $map: $!\n";

# vi:set ts=4 sw=4:

# sender_restrictions_map.in
# List domain groups

domain1.com domain2.com domain3.com
domain4.com domain5.com

# List the user names in each domain group

@domain1.com account1 account2
@domain4.com account1 account3
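The generator below is an added example and is not raf's script or any Postfix code. It reads the same input format as the attached sender_restrictions_map.in, but relaxes the assumption raf flags above: each domain in a group may list its own user names, and a domain without a list inherits the list of the first domain in its group that has one, which reproduces the attached script's output when only one list per group is given. The sender_login_allowed() helper is a simplified simulation of how reject_sender_login_mismatch consults smtpd_sender_login_maps (full sender address first, then @domain; an authenticated login must own the sender, an unauthenticated client is rejected only if the sender has a listed owner); the lookup order and case-insensitive comparison are assumptions for illustration, not a reference implementation of Postfix's lookup. The sample input is constructed.

```python
"""Build a Postfix smtpd_sender_login_maps table from domain groups.

Added example, not the attached Perl script and not Postfix code.
Input format is the same as sender_restrictions_map.in, with the
extension that any domain in a group may carry its own user list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input; "@domain2.com account9" is the per-domain
# override that the attached script does not support.
SAMPLE_INPUT = """
# List domain groups
domain1.com domain2.com domain3.com
domain4.com domain5.com

# List the user names in each domain group
@domain1.com account1 account2
@domain2.com account9           # only this login may send as @domain2.com users
@domain4.com account1 account3
"""


def parse_input(text: str) -> Tuple[List[List[str]], Dict[str, List[str]]]:
    """Return (domain groups, {domain: [user names]}) from the config text."""
    groups: List[List[str]] = []
    users: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = re.sub(r"#.*$", "", raw).strip()   # strip comments and trim
        if not line:
            continue
        m = re.match(r"^@(\S+)\s+(.*)$", line)   # "@domain user user ..."
        if m:
            users[m.group(1).lower()] = re.split(r"[,\s]+", m.group(2).strip())
            continue
        groups.append([d.lower() for d in re.split(r"[,\s]+", line)])
    return groups, users


def build_map(groups: List[List[str]], users: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each sender domain (@domain) to every login allowed to use it."""
    table: Dict[str, List[str]] = {}
    for group in groups:
        # Default user list: first domain in the group that defines one.
        default = next((users[d] for d in group if d in users), None)
        if default is None:
            continue                      # no users anywhere in the group
        logins = [f"{u}@{d}" for d in group for u in users.get(d, default)]
        for d in group:
            table[f"@{d}"] = logins
    return table


def render_map(table: Dict[str, List[str]]) -> str:
    """Text form suitable for 'postmap hash:' (one key, then its owners)."""
    return "".join(f"{key} {' '.join(owners)}\n" for key, owners in table.items())


def sender_login_allowed(table: Dict[str, List[str]], sender: str,
                         login: Optional[str]) -> bool:
    """Simplified reject_sender_login_mismatch decision (assumption, see lead-in).

    Lookup: full sender address, then @domain.  Authenticated client: the
    sender must have owners and the login must be one of them.  Unauthenticated
    client: rejected only when the sender has listed owners.
    """
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    owners = None
    for key in (sender, f"@{domain}"):
        if key in table:
            owners = [o.lower() for o in table[key]]
            break
    if login is None:
        return owners is None
    return owners is not None and login.lower() in owners


if __name__ == "__main__":
    groups, users = parse_input(SAMPLE_INPUT)
    print(render_map(build_map(groups, users)), end="")
```

Write the output to the map file and run `postmap hash:/etc/postfix/sender_restrictions_map` afterwards; the hash: table Postfix reads is the compiled .db, not the text file. Note the last case the helper models: with reject_sender_login_mismatch an authenticated client cannot send as a domain that has no entry at all, so every sender domain your users legitimately use must appear in the table.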
