From 63ff4a03ccd7b2fd56d4ab66f4a2f0432b5e76e0 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Wed, 7 Mar 2018 10:42:24 +0800
Subject: mail/postfix: disable login mismatch rejection for smtpd(8) and explain
---
roles/mail/files/postfix/login-maps.pcre | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'roles/mail/files')
diff --git a/roles/mail/files/postfix/login-maps.pcre b/roles/mail/files/postfix/login-maps.pcre
index 1f14223..1bc4d6b 100644
--- a/roles/mail/files/postfix/login-maps.pcre
+++ b/roles/mail/files/postfix/login-maps.pcre
@@ -3,7 +3,8 @@
 # Postfix: smtpd_sender_login_maps
 #
 # Lookup table with the SASL login names that own the sender
-# (MAIL FROM) addresses.
+# (MAIL FROM) addresses, i.e., the address(es) that the client is
+# allowed to sent mail from.
 #
 # NOTE:
 # Add "reject_sender_login_mismatch" to $smtpd_sender_restrictions .
@@ -15,7 +16,7 @@
 # client's hostname and IP address, but not the user who controls the
 # remote client.
 # But the Postfix SMTP server knowns who the sender is once the SASL
-# authentication is used. This table file provides the maps betwee
+# authentication is used. This lookup table provides the maps betwee
 # envelope sender addresses and SASL login names, which is used by the
 # server to decide if the SASL authenticated client is allowed to use
 # a particular envelope sender address.
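Review bot: The second added comment line in the first hunk reads `# allowed to sent mail from.`; it should be `# allowed to send mail from.`. The NOTE kept as context just below it still tells the reader to add "reject_sender_login_mismatch" to $smtpd_sender_restrictions without naming a service, which conflicts with the WARNING this commit adds in the last hunk. An operator who follows the NOTE literally in the global configuration would hit exactly the inbound rejection the WARNING describes, so I'd qualify it, e.g. `# Add "reject_sender_login_mismatch" to $smtpd_sender_restrictions of the "submission" service only (see WARNING below).`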
@@ -28,6 +29,13 @@
 # Enforce that user can only send from their own sender address.
 # Credit: https://serverfault.com/a/710235/387898
 #
+# WARNING: Since we use a regex here which matches all sender addresses,
+# thus we should enable the login mismatch rejection *only* for
+# the "submission" service from user/MUA (see "master.cf"), but
+# NOT* for the smtpd(8) service. Otherwise, mails from other
+# mail servers will be rejected with error:
+# "Sender address rejected: not logged in".
+#
 # Envelope sender | Owner (SASL login names)
 # ---------------------------------------------------------------------
 /^(.*)$/ ${1}
-- cgit v1.2.2
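Review bot: The added WARNING explains why the check must stay off for smtpd(8) but not what protects that service once it is off: if SASL authentication is still offered there, an authenticated client could use any envelope sender, since the catch-all `/^(.*)$/ ${1}` entry is only enforced where the restriction is active. master.cf is not part of this diff, so this may already be handled, but the comment should state that SASL auth is expected to be disabled on the smtpd(8) service. Postfix also provides `reject_authenticated_sender_login_mismatch`, which applies the same ownership check to authenticated clients only and so should not produce "not logged in" rejections for unauthenticated server-to-server mail. I'd add a line such as `# Alternatively, use "reject_authenticated_sender_login_mismatch", which only checks SASL-authenticated clients.`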