I'm using sasldb2 (without saslauthd) for SMTP authentication with Postfix. To create a new user, I run `saslpasswd2 -u example.com mail`, which creates a login `mail@example.com`. However, using these credentials, I can successfully connect to and send as `other@example.com`. How can I restrict users to only send as their own mail address?

What I've tried:

  1. Installed `postfix-pcre`.
  2. Set up a file `/etc/postfix/login_map` with content `/^(.*)$/ ${1}`.
  3. Referenced it in the Postfix config: `smtpd_sender_login_maps = pcre:/etc/postfix/login_map`.
  4. Restarted Postfix.

The mail server just happily sends mails as other user names. There is nothing special in the logs.

danijar
  • @eranga I think this doesn't apply to sasldb. Please see my question update for what I've tried. – danijar Jun 28 '16 at 11:54
  • 1
    It very much applies to sasldb. these lines are your friend: `-o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_login_maps=hash:/etc/postfix/virtual -o smtpd_sender_restrictions=reject_sender_login_mismatch` – NickW Jun 28 '16 at 13:49

1 Answer

As the other question states, there are two important parts that need to be added to `master.cf` under the submission port:

`-o smtpd_client_restrictions=permit_sasl_authenticated,reject`
This ensures only SASL-authenticated people send.

`-o smtpd_sender_login_maps=hash:/etc/postfix/virtual`
This is a map to your user DB; change it to be the one you use.

`-o smtpd_sender_restrictions=reject_sender_login_mismatch`
This will make sure the sender address matches the login ID.

NickW
  • Thanks. I have two questions. (1) I already use `/etc/postfix/virtual` to forward any incoming mails: `@example1.com example@gmail.com`, `@example2.com example@gmail.com`, etc. What would that look like if I also use the file for SMTP logins? (2) I already have `smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticaed,reject_unauth_destination` set. Do I still need to set `smtpd_client_restrictions`? Hope to better understand the postfix config soon. – danijar Jun 28 '16 at 14:02
  • Basically, you'll want to change that to whatever method you've used up to now to do the login. IIRC the order is client, relay, sender, so moving the `permit_sasl_authenticated` to client isn't a bad idea. – NickW Jun 28 '16 at 14:13
  • Setting `smtpd_sender_restrictions=reject_sender_login_mismatch` caused me to not receive mails anymore. Incoming emails that other people sent to me get rejected. How can I set this setting for emails I send to the server, only? – danijar Jun 28 '16 at 14:37
  • Is this in the main.cf or the master.cf? Just noticed I wrote main.cf, not master.cf, doh.. – NickW Jun 28 '16 at 15:11
  • It's all main.cf. Does it make a difference? The key was not present in either. – danijar Jun 28 '16 at 15:13
  • Yes it does, these need to go in the master.cf under the submission port, so they only apply to the submission service, in the main.cf they apply globally, which is why you have people who can't send. – NickW Jun 28 '16 at 15:14
  • Cool, good to know. I'll try later – danijar Jun 28 '16 at 15:15
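
An added example, not code from the thread or from Postfix: a small Python audit of the placement issue worked out in the comments above, checking whether the three settings from the answer are scoped to the submission service in `master.cf` or set globally in `main.cf`. The function and constant names are hypothetical and the config text is constructed for illustration.

```python
def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def main_params(main_cf):
    """Parse main.cf 'name = value' pairs into a dict."""
    return {k.strip(): v.strip() for k, v in
            (l.split("=", 1) for l in logical_lines(main_cf) if "=" in l)}

def service_overrides(master_cf, name, kind="inet"):
    """Return the -o name=value overrides of one master.cf service, or None if absent."""
    for entry in logical_lines(master_cf):
        f = entry.split()
        if f[:2] == [name, kind]:
            args = f[8:]  # skip service, type, private, unpriv, chroot, wakeup, maxproc, command
            return dict(a.split("=", 1) for o, a in zip(args, args[1:]) if o == "-o" and "=" in a)
    return None

def audit(main_cf, master_cf):
    """Return findings about the sender/login binding discussed in the thread."""
    glob, sub = main_params(main_cf), service_overrides(master_cf, "submission")
    findings = []
    if "reject_sender_login_mismatch" in glob.get("smtpd_sender_restrictions", ""):
        findings.append("main.cf: reject_sender_login_mismatch is set globally, so it also applies to incoming mail")
    if sub is None:
        return findings + ["master.cf: no submission service"]
    if "reject_sender_login_mismatch" not in sub.get("smtpd_sender_restrictions", ""):
        findings.append("submission: sender/login mismatch is not rejected")
    if not (sub.get("smtpd_sender_login_maps") or glob.get("smtpd_sender_login_maps")):
        findings.append("smtpd_sender_login_maps is not set")
    if sub.get("smtpd_client_restrictions") != "permit_sasl_authenticated,reject":
        findings.append("submission: smtpd_client_restrictions is not permit_sasl_authenticated,reject")
    return findings

# Constructed sample configs (assumptions, not the asker's real files).
ASKER_MAIN = "smtpd_sender_login_maps = pcre:/etc/postfix/login_map\n"
GLOBAL_MAIN = ASKER_MAIN + "smtpd_sender_restrictions = reject_sender_login_mismatch\n"
PLAIN_MASTER = "smtp inet n - n - - smtpd\nsubmission inet n - n - - smtpd\n"
SCOPED_MASTER = PLAIN_MASTER + (
    "  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n"
    "  -o smtpd_sender_restrictions=reject_sender_login_mismatch\n")
```

`audit(ASKER_MAIN, PLAIN_MASTER)` reports the map-only setup from the question, `audit(GLOBAL_MAIN, PLAIN_MASTER)` adds the global-placement finding, and `audit(ASKER_MAIN, SCOPED_MASTER)` returns no findings.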