
I am looking for an option to enforce an envelope sender address in Postfix for selected users, only. E.g., I want to permit user1@example.com to send mails as user1@example.com, only, while all other users shall be able to choose their from addresses freely.

I know I can work with smtpd_sender_login_maps and reject_sender_login_mismatch. But in my attempts, this has enforced envelope sender validation for all users. I also tried playing around with pcre tables, but wasn't able to find something like a wildcard match towards the end of the PCRE table.

E.g., this does not work:

```
# envelope sender               owners (SASL login names)
/^user1@example.com$/           user1@example.com
/^(.*)*$/                       ((?!user1@example.com).)*$
```

Any way to get this implemented only for a specific set of users?

i3i5i7
  • Instead of focusing on `reject_sender_login_mismatch` (...to be specified inside a `smtpd_sender_restrictions` directive), try the `reject_known_sender_login_mismatch` – Damiano Verzulli Jan 01 '18 at 20:01
  • Thanks for giving me an idea. However, as I understand, `reject_known_sender_login_mismatch` allows authenticated users to send from any address that is not listed with an explicit owner in the sender login table. So this is a test on the address, but I want to enforce restrictions on SASL users. I.e. I don't care (well...) if some other user sends a mail as user1@example.com. I want to keep (only!) user1@example.com from sending mails under any other address than user1@example.com – i3i5i7 Jan 02 '18 at 17:40
  • As per official DOC, 1) `reject_known_sender_login_mismatch` applies the `reject_sender_login_mismatch` restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps; 2) `reject_sender_login_mismatch` (applied by 1) rejects the request [...] when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps - So if you put `user1@example.com`:`user1@example.com` in the smtpd_sender_login_maps (...and specify the `reject_known_sender_login_mismatch`)... – Damiano Verzulli Jan 03 '18 at 23:49
  • ...I guess that once user `user1@example.com` gets SASL-authenticated (left-hand part of the MAP), he can only specify the MAIL-FROM `user1@example.com` (right-hand part of the MAP). As for other SASL-authenticated users, they're NOT impacted, as they're NOT specified in the MAP. This is, at least, what I guess from the documentation (that, BTW, I've not experimented myself) – Damiano Verzulli Jan 03 '18 at 23:49
  • Thanks. I did experiment with this, and was not able to find any setting not impacting the other users as well. I guess what I'm looking at is not easily possible. I will find a different angle from which to tackle this. Thanks again. – i3i5i7 Jan 04 '18 at 08:11
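
A restriction keyed on the SASL login rather than on the sender address can be expressed through Postfix's policy delegation protocol (`check_policy_service`), which passes both `sasl_username` and `sender` to an external decision service. The following is an added example, not part of the original thread and not tested by its participants; the `RESTRICTED` table, the function names and the sample request are constructed, and it assumes a wrapper that reads each request from the policy socket and writes the reply back.

```python
"""Decision logic for a Postfix policy delegate (check_policy_service).

Constructed example: the RESTRICTED table and sample request are made up.
"""

# Hypothetical table: SASL login -> envelope senders that login may use.
# Logins not listed here are left unrestricted.
RESTRICTED = {
    "user1@example.com": {"user1@example.com"},
}


def parse_request(block: str) -> dict:
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in block.splitlines():
        if not line:
            break  # the empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the policy action for one request."""
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "").lower()
    allowed = RESTRICTED.get(login)
    if allowed is None:
        return "DUNNO"  # unauthenticated or unrestricted login: no opinion
    if sender in allowed:
        return "DUNNO"  # restricted login using one of its own addresses
    return "REJECT sender address not permitted for this login"


def respond(block: str) -> str:
    """Full reply in the form Postfix expects: action=... plus an empty line."""
    return "action=" + decide(parse_request(block)) + "\n\n"


if __name__ == "__main__":
    # Constructed sample request, trimmed to the attributes used here.
    sample = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
              "sender=someone.else@example.com\n"
              "sasl_username=user1@example.com\n\n")
    print(respond(sample), end="")
```

Returning `DUNNO` for every login outside the table leaves those users to the remaining restrictions, so only the listed logins are pinned to their own addresses; an empty envelope sender from a listed login is rejected as well.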

0 Answers