From c81d7334e5c6c31c4133edbd411b7f306d50ae8c Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Tue, 6 Mar 2018 22:45:13 +0800 Subject: mail/postfix: add login-maps.pcre for $smtpd_sender_login_maps --- roles/mail/files/postfix/login-maps.pcre | 33 ++++++++++++++++++++++++++++++++ roles/mail/templates/postfix/main.cf.j2 | 7 ++++--- 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 roles/mail/files/postfix/login-maps.pcre (limited to 'roles') diff --git a/roles/mail/files/postfix/login-maps.pcre b/roles/mail/files/postfix/login-maps.pcre new file mode 100644 index 0000000..1f14223 --- /dev/null +++ b/roles/mail/files/postfix/login-maps.pcre @@ -0,0 +1,33 @@ +# +# $config_directory/login-maps.pcre +# Postfix: smtpd_sender_login_maps +# +# Lookup table with the SASL login names that own the sender +# (MAIL FROM) addresses. +# +# NOTE: +# Add "reject_sender_login_mismatch" to $smtpd_sender_restrictions . +# +# NOTE +# ---- +# By default an SMTP client may specify *any* envelope sender address +# in the "MAIL FROM" command, because the server only knows the remote +# client's hostname and IP address, but not the user who controls the +# remote client. +# But the Postfix SMTP server knowns who the sender is once the SASL +# authentication is used. This table file provides the maps betwee +# envelope sender addresses and SASL login names, which is used by the +# server to decide if the SASL authenticated client is allowed to use +# a particular envelope sender address. +# +# References: +# * Postfix SASL HOWTO - Envelope sender address authorization +# http://www.postfix.org/SASL_README.html#server_sasl_authz +# + +# Enforce that user can only send from their own sender address. +# Credit: https://serverfault.com/a/710235/387898 +# +# Envelope sender | Owner (SASL login names) +# --------------------------------------------------------------------- +/^(.*)$/ ${1} diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2 index 1126adf..914d45b 100644 --- a/roles/mail/templates/postfix/main.cf.j2 +++ b/roles/mail/templates/postfix/main.cf.j2 @@ -503,10 +503,11 @@ smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch -# A lookup table maps between the envelope sender addresses and SASL -# login names (i.e., the owners). +# A lookup table maps between the SASL login names that own the sender +# (MAIL FROM) addresses, i.e., the address(es) the user allowed to sent +# mail from. # -smtpd_sender_login_maps = $virtual_mailbox_maps +smtpd_sender_login_maps = pcre:$config_directory/login-maps.pcre # Use permanet 550 errors for rejections, to stop retries. # Tell Postfix to reject messages that match the rejection criteria -- cgit v1.2.2