From 63ff4a03ccd7b2fd56d4ab66f4a2f0432b5e76e0 Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Wed, 7 Mar 2018 10:42:24 +0800 Subject: mail/postfix: disable login mismatch rejection for smtpd(8) and explain --- roles/mail/files/postfix/login-maps.pcre | 12 +++++- roles/mail/templates/postfix/main.cf.j2 | 70 +++++++++++++++++--------------- 2 files changed, 47 insertions(+), 35 deletions(-) (limited to 'roles') diff --git a/roles/mail/files/postfix/login-maps.pcre b/roles/mail/files/postfix/login-maps.pcre index 1f14223..1bc4d6b 100644 --- a/roles/mail/files/postfix/login-maps.pcre +++ b/roles/mail/files/postfix/login-maps.pcre @@ -3,7 +3,8 @@ # Postfix: smtpd_sender_login_maps # # Lookup table with the SASL login names that own the sender -# (MAIL FROM) addresses. +# (MAIL FROM) addresses, i.e., the address(es) that the client is +# allowed to sent mail from. # # NOTE: # Add "reject_sender_login_mismatch" to $smtpd_sender_restrictions . @@ -15,7 +16,7 @@ # client's hostname and IP address, but not the user who controls the # remote client. # But the Postfix SMTP server knowns who the sender is once the SASL -# authentication is used. This table file provides the maps betwee +# authentication is used. This lookup table provides the maps betwee # envelope sender addresses and SASL login names, which is used by the # server to decide if the SASL authenticated client is allowed to use # a particular envelope sender address. @@ -28,6 +29,13 @@ # Enforce that user can only send from their own sender address. # Credit: https://serverfault.com/a/710235/387898 # +# WARNING: Since we use a regex here which matches all sender addresses, +# thus we should enable the login mismatch rejection *only* for +# the "submission" service from user/MUA (see "master.cf"), but +# NOT* for the smtpd(8) service. Otherwise, mails from other +# mail servers will be rejected with error: +# "Sender address rejected: not logged in". +# # Envelope sender | Owner (SASL login names) # --------------------------------------------------------------------- /^(.*)$/ ${1} diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2 index 524b3d6..35093d9 100644 --- a/roles/mail/templates/postfix/main.cf.j2 +++ b/roles/mail/templates/postfix/main.cf.j2 @@ -13,6 +13,9 @@ # http://www.postfix.org/SASL_README.html # * Postfix Virtual Domain Hosting Howto # http://www.postfix.org/VIRTUAL_README.html +# * Fighting Spam - What can I do as an: Email Administrator, Domain +# Owner, or User? +# https://serverfault.com/a/419475/387898 # # # Aaron LI @@ -23,8 +26,8 @@ # COMPATIBILITY # -# The compatibility_level determines what default settings Postfix -# will use for main.cf and master.cf settings. These defaults will +# The compatibility_level determines what default settings Postfix will +# use for "main.cf" and "master.cf" settings. These defaults will # change over time. # # To avoid breaking things, Postfix will use backwards-compatible @@ -50,7 +53,7 @@ compatibility_level = 2 #soft_bounce = no # INTERNET HOST AND DOMAIN NAMES -# +# # The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). $myhostname is used as a default value for many @@ -66,7 +69,7 @@ myhostname = mail.{{ mydomain }} mydomain = {{ mydomain }} # SENDING MAIL -# +# # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple @@ -175,16 +178,16 @@ mydestination = $myhostname, localhost.$mydomain, localhost # # By default (mynetworks_style = subnet), Postfix "trusts" SMTP # clients in the same IP subnetworks as the local machine. -# +# # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. -# +# # Specify "mynetworks_style = host" when Postfix should "trust" # only the local machine. -# +# mynetworks_style = host # The relay_domains parameter restricts what destinations this system will @@ -196,7 +199,7 @@ mynetworks_style = host # - from "untrusted" clients to destinations that match $relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. -# +# # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match $inet_interfaces or $proxy_interfaces, @@ -204,7 +207,7 @@ mynetworks_style = host # - destinations that match $virtual_alias_domains, # - destinations that match $virtual_mailbox_domains. # These destinations do not need to be listed in $relay_domains. -# +# # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name @@ -479,33 +482,34 @@ smtpd_data_restrictions = reject_unauth_pipelining # Envelope sender address control # # * reject_unknown_sender_domain: -# Don't accept mail from domains that don't exist. +# Reject the request when Postfix is not the final destination +# for the sender address, and the "MAIL FROM" domain has (1) no +# DNS MX and no DNS A record, or (2) a malformed MX record. # * reject_sender_login_mismatch: -# Reject the sender address in the "MAIL FROM" command if -# $smtpd_sender_login_maps does not specify the SMTP client's login -# name (i.e., SASL authenticated) as an owner of that address. -# -# WARNING: Sender address verficiation may cause your site to be -# blacklisted by some providers. -# -# NOTE: -# By default an SMTP client may specify *any* envelope sender address -# in the "MAIL FROM" command, because the server only knows the remote -# client's hostname and IP address, but not the user who controls the -# remote client. -# But the Postfix SMTP server knowns who the sender is once the SASL -# authentication is used. Given a table of envelope sender addresses -# and SASL login names ($smtpd_sender_login_maps), the server can -# decide if the SASL authenticated client is allowed to use a particular -# envelope sender address. -# -smtpd_sender_restrictions = - reject_unknown_sender_domain, - reject_sender_login_mismatch +# This subsumes the functionality of both +# 'reject_{un,}authenticated_sender_login_mismatch' (see below). +# * reject_authenticated_sender_login_mismatch: +# Reject the request when the client is (SASL) logged in (i.e., +# authenticated), but the client's login name doesn't own the +# "MAIL FROM" address according to $smtpd_sender_login_maps . +# * reject_unauthenticated_sender_login_mismatch: +# Reject the request when $smtpd_sender_login_maps specifies an +# owner for the "MAIL FROM" address, but the client is not (SASL) +# logged in as that address' owner (i.e., unauthenticated). +# +# WARNING: Sender address verficiation may cause your server to be +# blacklisted by some providers, due to the possibly frequent +# address probe (try to connect but cancel mail delivery). +# +smtpd_sender_restrictions = reject_unknown_sender_domain # A lookup table maps between the SASL login names that own the sender -# (MAIL FROM) addresses, i.e., the address(es) the user allowed to sent -# mail from. +# (MAIL FROM) addresses. +# +# WARNING: see the explanation in this file on why only enable +# 'reject_sender_login_mismatch' for the "submission" service +# (see "master.cf") but not the smtpd(8) service (i.e., the +# above $smtpd_sender_restrictions). # smtpd_sender_login_maps = pcre:$config_directory/login-maps.pcre -- cgit v1.2.2