Discussion:
Question regarding smtpd_sender_login_maps
s***@gmx.net
2007-08-29 17:57:39 UTC
Hi list

I have a question regarding smtpd_sender_login_maps. If I understand the documentation correctly then the maps are queried up to 3 times (***@domain, user and @domain) per address. The "user" lookup is done with the restrictions mentioned in the documentation.

The lookup tables have the following structure (correct me if I am wrong):
<MAIL FROM ADDRESS> <OWNER>

Now my questions:
- Can I return a wildcard address for owner?
- If I can return wildcards, what format can/would that be?
- What happens if I specify multiple lookup tables and I get multiple results? What value is valid? First one? Last one?


// SteveB
Darren Pilgrim
2007-08-29 21:01:09 UTC
Post by s***@gmx.net
I have a question regarding smtpd_sender_login_maps. If I understand
the documentation correctly then the maps are queried up to 3 times
done with the restrictions mentioned in the documentation.
The lookup tables have following structure (correct me if I am
wrong): <MAIL FROM ADDRESS> <OWNER>
Now my questions: - Can I return a wildcard address for owner?
To quote postconf(5):

"In all cases the result of table lookup must be either "not found" or a
list of SASL login names separated by comma and/or whitespace."

So no, returning a wildcard address isn't possible since SASL
authentication requires an explicit user name. Is there a specific
purpose you had in mind for wildcard addresses? If you describe your
needs, it may be possible to figure out an alternate solution.
Post by s***@gmx.net
- What happens if I specify multiple lookup tables and I get multiple
results? What value is valid? First one? Last one?
First match wins--postfix stops looking after the first match.
--
Darren Pilgrim
s***@gmx.net
2007-08-30 07:45:48 UTC
-------- Original Message --------
Date: Wed, 29 Aug 2007 14:01:09 -0700
Subject: Re: Question regarding smtpd_sender_login_maps
Post by s***@gmx.net
I have a question regarding smtpd_sender_login_maps. If I understand
the documentation correctly then the maps are queried up to 3 times
done with the restrictions mentioned in the documentation.
The lookup tables have following structure (correct me if I am
wrong): <MAIL FROM ADDRESS> <OWNER>
Now my questions: - Can I return a wildcard address for owner?
"In all cases the result of table lookup must be either "not found" or a
list of SASL login names separated by comma and/or whitespace."
So no, returning a wildcard address isn't possible since SASL
authentication requires an explicit user name.
Thanks for that info.
Is there a specific
purpose you had in mind for wildcard addresses? If you describe your
needs, it may be possible to figure out an alternate solution.
On one system I have a setup where the data is inside MySQL and I am using:
smtpd_sender_login_maps =
    proxy:mysql:$config_directory/virtual_user_maps.mysql
    proxy:mysql:$config_directory/virtual_alias_maps.mysql

##
## Reject MAIL FROM information
##
smtpd_sender_restrictions =
    reject_sender_login_mismatch
    permit_sasl_authenticated
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain
#   reject_unverified_sender
    check_sender_mx_access cidr:$config_directory/verisign_hijacked_domain.cidr
    check_sender_access hash:$config_directory/sa-blacklist.current.reject


I am mainly using virtual and maildrop as transport. But I have domains where I forward the mail with a smtp:xxxx transport and I have domains where I have mailman running. Those two transports I wanted to exclude from the restriction. But since I can not return wildcards I need to make something else. I will need to create another lookup where I return an OK for those two transports and just add it before reject_sender_login_mismatch.
Post by s***@gmx.net
- What happens if I specify multiple lookup tables and I get multiple
results? What value is valid? First one? Last one?
First match wins--postfix stops looking after the first match.
That's good :)
--
Darren Pilgrim
// SteveB
mouss
2007-08-29 22:29:15 UTC
Post by s***@gmx.net
Hi list
<MAIL FROM ADDRESS> <OWNER>
- Can I return a wildcard address for owner?
what for? just don't include the address in the map.

Note that you can use a single map but make it subject to
check_sender_access to achieve different checks for different senders.
for example, you can have something like this

***@example.com must_auth
***@example.com must_auth_and_match_sender
***@example.com if_auth_then_match_sender
***@example.com dont_care


must_auth =
    reject_unauthenticated_sender_login_mismatch

must_auth_and_match_sender =
    reject_sender_login_mismatch

if_auth_then_match_sender =
    reject_authenticated_sender_login_mismatch

dont_care = dunno

as you can see, any authenticated user can use "***@example.com". which
is the "wildcard" you look for.
Post by s***@gmx.net
- If I can return wildcards, what format can/would that be?
see above.
Post by s***@gmx.net
- What happens if I specify multiple lookup tables and I get multiple results? What value is valid? First one? Last one?
the usual case. lookup stops when a match is found.
Victor Duchovni
2007-08-30 00:29:23 UTC
Post by mouss
Post by s***@gmx.net
Hi list
I have a question regarding smtpd_sender_login_maps. If I understand the
documentation correctly then the maps are queried up to 3 times
with the restrictions mentioned in the documentation.
<MAIL FROM ADDRESS> <OWNER>
- Can I return a wildcard address for owner?
what for? just don't include the address in the map.
That does not work, because authenticated users are required to use
a sender address that belongs to them. The restriction is both ways:

- restrict sender address to owner
- restrict owner to owned sender address

to exempt some addresses from such checks, use a whitelist in the
smtpd_sender_restrictions before using reject_sender_login_mismatch. Or
address dependent policy as suggested...
Post by mouss
Note that you can use a single map but make it subject to
check_sender_access to achieve different checks for different senders.
for example, you can have something like this
Simpler:

***@example.com permit_sasl_authenticated, reject

but this returns OK rather than DUNNO, so context is important...
--
Viktor.
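
As an added example (not part of any post in this thread and not Postfix code), a small Python model of the behaviour discussed above: the lookup keys and first-match-wins across tables, the two-way ownership check, and an access-map exemption evaluated before reject_sender_login_mismatch. The table contents, the `LOCAL_DOMAINS` stand-in and all function names are assumptions made for the illustration.

```python
# Added illustration; a simplified model, not Postfix source code.
LOCAL_DOMAINS = {"example.com"}   # assumption: stands in for $myorigin / $mydestination

# Constructed tables, in the order they would be listed in smtpd_sender_login_maps.
USER_MAP = {"alice@example.com": "alice", "bob": "bob",
            "sales@example.com": "alice, bob"}
ALIAS_MAP = {"alice@example.com": "mallory", "@lists.example.com": "listadmin"}
LOGIN_MAPS = [USER_MAP, ALIAS_MAP]

# Constructed check_sender_access table placed before reject_sender_login_mismatch.
ACCESS = {"noreply@example.com": "permit_sasl_authenticated, reject"}


def owners(sender, maps=LOGIN_MAPS):
    """Return the SASL login names that own `sender`, or None for "not found"."""
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in LOCAL_DOMAINS:    # bare "user" lookup only for local domains
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        for table in maps:
            if key in table:       # first match wins; later tables are not consulted
                return table[key].replace(",", " ").split()
    return None


def login_mismatch(sender, sasl_login):
    """Model reject_sender_login_mismatch; returns "REJECT" or "DUNNO"."""
    own = owners(sender)
    if sasl_login is None:         # not authenticated: owned addresses are off limits
        return "REJECT" if own is not None else "DUNNO"
    # authenticated: the login must be listed as an owner of the sender address
    return "DUNNO" if own and sasl_login in own else "REJECT"


def evaluate(sender, sasl_login, access=None):
    """check_sender_access, reject_sender_login_mismatch, permit_sasl_authenticated."""
    action = (access or {}).get(sender, "DUNNO")   # exact-address lookup only
    if action == "permit_sasl_authenticated, reject":
        return "OK" if sasl_login else "REJECT"
    if login_mismatch(sender, sasl_login) == "REJECT":
        return "REJECT"
    return "OK" if sasl_login else "DUNNO"
```

With `access=None`, an authenticated login sending as the unlisted `noreply@example.com` is rejected; passing `ACCESS` exempts that address for any authenticated login while still refusing unauthenticated clients.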

s***@gmx.net
2007-08-30 07:53:50 UTC
-------- Original Message --------
Date: Thu, 30 Aug 2007 00:29:15 +0200
Subject: Re: Question regarding smtpd_sender_login_maps
Post by s***@gmx.net
Hi list
I have a question regarding smtpd_sender_login_maps. If I understand the
documentation correctly then the maps are queried up to 3 times
restrictions mentioned in the documentation.
Post by s***@gmx.net
<MAIL FROM ADDRESS> <OWNER>
- Can I return a wildcard address for owner?
what for? just don't include the address in the map.
Note that you can use a single map but make it subject to
check_sender_access to achieve different checks for different senders.
for example, you can have something like this
must_auth =
reject_unauthenticated_sender_login_mismatch
must_auth_and_match_sender =
reject_sender_login_mismatch
if_auth_then_match_sender =
reject_authenticated_sender_login_mismatch
dont_care = dunno
I see. Thanks.
is the "wildcard" you look for.
Post by s***@gmx.net
- If I can return wildcards, what format can/would that be?
see above.
Post by s***@gmx.net
- What happens if I specify multiple lookup tables and I get multiple
results? What value is valid? First one? Last one?
the usual case. lookup stops when a match is found.