reject_authenticated_sender_login_mismatch

Prev: Tie a mail with log files?
Next: TLS - Certificate not Trusted

From: Michael on 11 Jan 2010 02:44

---

As follows

smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
check_recipient_access hash:/etc/postfix/access,
permit_mynetworks,
reject_authenticated_sender_login_mismatch
mysql:/etc/postfix/mysql-sender-access.cf
reject_unauth_destination

mysql-sender-access.cf

hosts = localhost
user = USER
password = PASS
dbname = system

query = SELECT username FROM mailboxes WHERE email='%s' AND active='1'

The error returned is:

RECEIVER ADDRESS (The server responded: "5.7.1 <SENDER ADDRESS>: Sender
address rejected: not owned by user SASL USER")

What;s going on? Running the query directly against the SQL database returns
the desired result.

From: Barney Desmond on 11 Jan 2010 11:11

---

2010/1/11 Michael <pfml(a)nettrust.co.nz>:
> As follows
>
> smtpd_recipient_restrictions =
> ...
>        check_recipient_access hash:/etc/postfix/access,
>        permit_mynetworks,
>    reject_authenticated_sender_login_mismatch
> mysql:/etc/postfix/mysql-sender-access.cf
>        reject_unauth_destination
> ...
> RECEIVER ADDRESS (The server responded: "5.7.1 <SENDER ADDRESS>: Sender
> address rejected: not owned by user SASL USER")
>
> What;s going on? Running the query directly against the SQL database returns
> the desired result.

I've not used this function before myself, but my reading of the docs
indicates you might've misinterpreted the correct usage.

I hopped through these three in order:
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

You haven't posted the output of `postconf -n`, so I don't know if
your settings are correct, but I suspect you're needing something
like:

smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
check_recipient_access hash:/etc/postfix/access,
permit_mynetworks,
reject_authenticated_sender_login_mismatch,
reject_unauth_destination

smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-access.cf

reject_authenticated_sender_login_mismatch doesn't take a type:table
mapping, it just makes use of one defined elsewhere.

From: mouss on 11 Jan 2010 17:58

---

Michael a �crit :
> As follows
>
> smtpd_recipient_restrictions =
> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,

useless. RCPT TO is an "asynchronous" command, so there is no
"unauth_pipelining" at this stage. read the pipelining RFC for more.

> check_recipient_access hash:/etc/postfix/access,

Avoid check_foo_access before reject_unauth_destination. an error will
make you an open relay. what are you tryng to do with that?

> permit_mynetworks,
> reject_authenticated_sender_login_mismatch
> mysql:/etc/postfix/mysql-sender-access.cf

As Barney pointed out, errax syntor (syntax error).

you want something like:

smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-access.cf
smtpd_sender_restrictions =
reject_authenticated_sender_login_mismatch

(there's no point polluting smtpd_recipient_restrictions with this).


PS. next time, show output of 'postconf -n' instead of personally
selected main.cf snippets.

> [snip]

 | 
Pages: 1
Prev: Tie a mail with log files?
Next: TLS - Certificate not Trusted