From: "Andrew G. Grant" on
I just got smtpd_sender_maps to work with smtpd_sender_restrictions using reject_authenticated_sender_login_mismatch.

While researching how that worked, I saw information indicating that you could apply the reject_sender_login_mismatch to the smtpd_recipient_restrictions.

Can someone explain how that would work? I am picturing mail being delivered to one of my users from the internet. How does my mail server know if the sender, of a message from outside of my domain, has a login mismatch?

Thank you in advance for your help wrapping my brain around this concept.

From: Jeroen Geilman on
>
> I just got smtpd_sender_maps to work with smtpd_sender_restrictions using reject_authenticated_sender_login_mismatch.
>
> While researching how that worked, I saw information indicating that you could apply the reject_sender_login_mismatch to the smtpd_recipient_restrictions.
>
> Can someone explain how that would work? I am picturing mail being delivered to one of my users from the internet. How does my mail server know if the sender, of a message from outside of my domain, has a login mismatch?
>
> Thank you in advance for your help wrapping my brain around this concept.
>
>

smtpd_recipient_restrictions are applied at the RCPT TO: stage (that is,
after connection, HELO, and MAIL FROM).
Where you apply a restriction is only limited by the /first/ stage it
may appear in - all restrictions may appear in
smtpd_recipient_restrictions, since it is the last one.

Of course, this setting has no effect for non-authenticated connections.

J.

From: Wietse Venema on
Andrew G. Grant:
> I just got smtpd_sender_maps to work with smtpd_sender_restrictions
> using reject_authenticated_sender_login_mismatch.
>
> While researching how that worked, I saw information indicating
> that you could apply the reject_sender_login_mismatch to the
> smtpd_recipient_restrictions.
>
> Can someone explain how that would work? I am picturing mail being
> delivered to one of my users from the internet. How does my mail
> server know if the sender, of a message from outside of my domain,
> has a login mismatch?

This is where you use reject_authenticated_sender_login_mismatch.
Instead of using the imagination, this is what the manpage says:

reject_authenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for
    authenticated clients only. This feature is available in Postfix
    version 2.1 and later.

And:

reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an
    owner for the MAIL FROM address, but the client is not (SASL)
    logged in as that MAIL FROM address owner; or when the client is
    (SASL) logged in, but the client login name doesn't own the MAIL
    FROM address according to $smtpd_sender_login_maps.


Wietse
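
[Added example, not part of the original thread and not Postfix source code: a simplified Python model of the two restrictions as the manpage text quoted above describes them, showing what each decides for outside mail versus a logged-in client. Assumptions: exact-address lookups only, and the map contents, addresses and login names are constructed sample data.]

```python
# Simplified model of the manpage semantics; not Postfix code.
# Constructed sample of what $smtpd_sender_login_maps could return:
# MAIL FROM address -> owning SASL login names (comma/whitespace separated).
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
}

REJECT = "REJECT"
DUNNO = "DUNNO"  # Postfix term for "no decision, try the next restriction"


def owners_of(mail_from, maps=SENDER_LOGIN_MAPS):
    """Return the set of logins that own mail_from (empty if unlisted)."""
    return set(maps.get(mail_from.lower(), "").replace(",", " ").split())


def reject_sender_login_mismatch(mail_from, sasl_login, maps=SENDER_LOGIN_MAPS):
    owners = owners_of(mail_from, maps)
    if sasl_login is None:
        # Not logged in: reject only if the map names an owner for the
        # address. Unlisted (outside) senders have no owner and pass.
        return REJECT if owners else DUNNO
    # Logged in: the login name must own the MAIL FROM address.
    return DUNNO if sasl_login in owners else REJECT


def reject_authenticated_sender_login_mismatch(mail_from, sasl_login,
                                               maps=SENDER_LOGIN_MAPS):
    # Same check, but enforced for authenticated clients only.
    if sasl_login is None:
        return DUNNO
    return reject_sender_login_mismatch(mail_from, sasl_login, maps)


def decide(mail_from, sasl_login):
    """Return (full restriction, authenticated-only restriction) results."""
    return (reject_sender_login_mismatch(mail_from, sasl_login),
            reject_authenticated_sender_login_mismatch(mail_from, sasl_login))


if __name__ == "__main__":
    cases = [
        ("someone@elsewhere.test", None),   # outside sender, no login
        ("alice@example.com", None),        # local address, no login
        ("alice@example.com", "bob"),       # bob logged in, sends as alice
        ("sales@example.com", "bob"),       # bob owns the shared address
    ]
    for mail_from, login in cases:
        print(mail_from, login, decide(mail_from, login))
```
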

From: "Andrew G. Grant" on
Thank you Wietse. That was very helpful and I believe I can get this done now.

——————————————————————————————
Andrew Grant
Information Systems Administrator
Email: andrew.grant(a)caddock.com

Caddock Electronics, Inc.
High Performance Resistor Products
Web: www.caddock.com

17271 North Umpqua Hwy.
Roseburg, OR 97470 USA
Ph: 541-496-0700 Ext 5544
Fax: 541-496-0479

On Jun 15, 2010, at 4:24 PM, Wietse Venema wrote:

Andrew G. Grant:
> I just got smtpd_sender_maps to work with smtpd_sender_restrictions
> using reject_authenticated_sender_login_mismatch.
>
> While researching how that worked, I saw information indicating
> that you could apply the reject_sender_login_mismatch to the
> smtpd_recipient_restrictions.
>
> Can someone explain how that would work? I am picturing mail being
> delivered to one of my users from the internet. How does my mail
> server know if the sender, of a message from outside of my domain,
> has a login mismatch?

This is where you use reject_authenticated_sender_login_mismatch.
Instead of using the imagination, this is what the manpage says:

reject_authenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for
    authenticated clients only. This feature is available in Postfix
    version 2.1 and later.

And:

reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an
    owner for the MAIL FROM address, but the client is not (SASL)
    logged in as that MAIL FROM address owner; or when the client is
    (SASL) logged in, but the client login name doesn't own the MAIL
    FROM address according to $smtpd_sender_login_maps.


Wietse