From: ram on
I need to implement smtpd login maps on our postfix servers so as
to minimize the chances of a compromised client machine screwing our smtp
relay.

But this cannot be done overnight. There are various clients who use
different envelope sender domains (for perfectly legitimate reasons) and
I cannot get a mapping for all such entries.

How can I use reject_authenticated_sender_login_mismatch only for some
auth logins? Especially those who insist on using some junk mailserver
in their offices and cannot sufficiently secure their network.


So I want to say
if(sasl authenticated) {
    if(suspect client login) {
        reject_authenticated_sender_login_mismatch
    } else {
        allow sender_login_mismatch
    }
}


Thanks
Ram

From: Wietse Venema on
ram:
> I need to implement smtpd login maps on our postfix servers so as
> to minimize the chances of a compromised client machine screwing our smtp
> relay.
>
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries.
>
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
>
>
> So I want to say
> if(sasl authenticated) {
> if(suspect client login) {
> reject_authenticated_sender_login_mismatch

Currently it can be done with a policy daemon (the protocol provides
both the sasl login and the sender address).

To do this in smtpd, the obvious approach is to add an access map
feature that searches a table by the SASL login name.

/etc/postfix/main.cf:
    smtpd_something_restrictions =
        ...
        check_sasl_access hash:/etc/postfix/sasl_access
        ...

/etc/postfix/sasl_access:
    user1@example.com reject_sender_login_mismatch

But the more *general* solution would be a way to say:

check_access attribute_name hash:/etc/postfix/access_table

Where "attribute_name" can be sasl_username, ccert_fingerprint, or
any other smtpd policy protocol attribute name.

If I have time then I would do that, and solve a whole bunch of
future feature requests.

Wietse
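
The policy daemon approach mentioned at the start of this reply, as an added example (not code from the thread or from Postfix): a minimal policy delegation service that reads the `sasl_username` and `sender` attributes and enforces sender ownership only for logins marked as suspect. The login list, the sender table and the function names are assumptions made up for illustration; the check is a simplified stand-in, not an exact reimplementation of reject_authenticated_sender_login_mismatch.

```python
import sys

# Constructed sample data (hypothetical): logins that get the strict check,
# and the envelope senders each of those logins is allowed to use.
STRICT_LOGINS = {"branch-office@example.com"}
LOGIN_SENDERS = {
    "branch-office@example.com": {"branch-office@example.com",
                                  "sales@example.com"},
}

def parse_request(lines):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the access action for one request."""
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "").lower()
    # Unauthenticated clients and non-suspect logins are left to the
    # restrictions that follow this one in main.cf.
    if not login or login not in STRICT_LOGINS:
        return "DUNNO"
    if sender in LOGIN_SENDERS.get(login, ()):
        return "DUNNO"
    return "REJECT sender address not owned by authenticated login"

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF, e.g. when started through spawn(8)."""
    while True:
        attrs = parse_request(iter(stream_in.readline, ""))
        if not attrs:
            break
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()

if __name__ == "__main__":
    serve()
```

Postfix would call such a service through check_policy_service in an smtpd restriction list; logins not in the strict set fall through with DUNNO, so they keep their current behaviour while the mapping is built up.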

From: mouss on
ram wrote:
> I need to implement smtpd login maps on our postfix servers so as
> to minimize the chances of a compromised client machine screwing our smtp
> relay.

auth is good, but it's not enough. A compromised client can
authenticate. you still need rate limits and log parsing. and if so,
authentication becomes secondary...

>
> But this cannot be done overnight. There are various clients who use
> different envelope sender domains (for perfectly legitimate reasons) and
> I cannot get a mapping for all such entries.
>
> How can I use reject_authenticated_sender_login_mismatch only for some
> auth logins. Especially those who insist on using some junk mailserver
> in their offices and cannot sufficiently secure their network
>

you can make it a result of a check_access_*.

but you'd better provide two different access types. a "strict" one and
an "old" one. then encourage users to move to the strict one (with
incentives...).

>
> So I want to say
> if(sasl authenticated) {
> if(suspect client login) {
> reject_authenticated_sender_login_mismatch
> } else {
> allow sender_login_mismatch
> }
> }
>
>
> Thanks
> Ram