From: ram on 17 Mar 2010 10:11 I need to implement smtpd login maps on our postfix servers so as minimize the chances of a compromised client machine screwing our smtp relay. But this cannot be done overnight. There are various clients who use different envelope sender domains (for perfectly legitimate reasons) and I cannot get a mapping for all such entries. How can I use reject_authenticated_sender_login_mismatch only for some auth logins. Especially those who insist on using some junk mailserver in their offices and cannot sufficiently secure their network So I want to say if(sasl authenticated) { if(suspect client login) { reject_authenticated_sender_login_mismatch } else { allow sender_login_mismatch } } Thanks Ram
From: Wietse Venema on 17 Mar 2010 11:48 ram: > I need to implement smtpd login maps on our postfix servers so as > minimize the chances of a compromised client machine screwing our smtp > relay. > > But this cannot be done overnight. There are various clients who use > different envelope sender domains (for perfectly legitimate reasons) and > I cannot get a mapping for all such entries. > > How can I use reject_authenticated_sender_login_mismatch only for some > auth logins. Especially those who insist on using some junk mailserver > in their offices and cannot sufficiently secure their network > > > So I want to say > if(sasl authenticated) { > if(suspect client login) { > reject_authenticated_sender_login_mismatch Currently it can be done with a policy daemon (the protocol provides both the sasl login and the sender address). To do this in smtpd, the obvious approach is to add an access map feature that searches a table by the SASL login name. /etc/postfix/main.cf: smtpd_something_restrictions = ... check_sasl_access hash:/etc/postfix/sasl_access ... /etc/postfix/sasl_access: user1(a)example.com reject_sender_login_mismatch But the more *general* solution would be a way to say: check_access attribute_name hash:/etc/postfix/access_table Where "attribute_name" can be sasl_username, ccert_fingerprint, or any other smtpd policy protocol attribute name. If I have time then I would do that, and solve a whole bunch of future feature requests. Wietse
From: mouss on 17 Mar 2010 18:15 ram a �crit : > I need to implement smtpd login maps on our postfix servers so as > minimize the chances of a compromised client machine screwing our smtp > relay. auth is good, but it's not enough. A compromised client can authenticate. you still need rate limits and log parsing. and if so, authentication becomes secondary... > > But this cannot be done overnight. There are various clients who use > different envelope sender domains (for perfectly legitimate reasons) and > I cannot get a mapping for all such entries. > > How can I use reject_authenticated_sender_login_mismatch only for some > auth logins. Especially those who insist on using some junk mailserver > in their offices and cannot sufficiently secure their network > you can make it a result of a check_access_*. but you'd better provide two different access types. a "strict" one and an "old" one. then enoucrage users to move to the strict one (with incentives...). > > So I want to say > if(sasl authenticated) { > if(suspect client login) { > reject_authenticated_sender_login_mismatch > } else { > allow sender_login_mismatch > } > } > > > Thanks > Ram > > > > > >
|
Pages: 1 Prev: delivery temporarily suspended Next: Milter SMFIC_HEADER failure (huh, due to success? :-) |