Andrew G. Grant | 15 Jun 18:33 2010

How to force SMTP AUTH to restrict Sender Addresses?

Hello,

I have configured the default install of Postfix (version 2.5.5) on Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very well with the exception that once authenticated, a user can claim to be any valid email address on my network.

I currently require SASL Authentication for all senders and the system is referencing the User Name and Password stored within Open Directory.

I now have a desire to restrict senders to their email addresses listed within Open Directory. I want to make sure that the email address listed in OD is the only sending address a user can use based upon their SASL credentials.

I tried to reference LDAP using "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf", but I found that Apple did not include LDAP as a dictionary type. Here are the types that are supported in my build.

postconf -m
btree
cidr
environ
hash
pcre
proxy
regexp
static
unix

I guess I don't understand how SASL is checking OD for User Name and Password but can't check to verify the local sender's email address in OD.

If it is not possible to access the OD data, can someone please explain, in very easy to understand terms and with examples, how to implement this feature in the "main.cf" file using a hash file listing every User Name and Email address?

So far, I have tried these items with no success:
smtp_sender_dependent_authentication = yes

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject

Victor Duchovni | 15 Jun 19:47 2010

Re: How to force SMTP AUTH to restrict Sender Addresses?

On Tue, Jun 15, 2010 at 09:33:12AM -0700, Andrew G. Grant wrote:

> Hello,
> 
> I have configured the default install of Postfix (version 2.5.5) on
> Apple OS X Server 10.6.3 (Darwin 10.3.0). Everything seems to run very
> well with the exception that once authenticated, a user can claim to be
> any valid email address on my network.

This is default behaviour.

> I now have a desire to restrict senders to their email addresses listed
> within Open Directory. I want to make sure that the email address listed
> in OD is the only sending address a user can use based upon their SASL
> credentials.
> 
> I tried to reference LDAP using , "smtpd_sender_login_maps =
> ldap:/etc/postfix/ldap-aliases.cf" but I found that Apple did not include
> LDAP as a dictionary type. Here are the types that are supported in
> my build.
> 
> postconf -m
> btree
> cidr
> environ
> hash
> pcre
> proxy
> regexp
> static
> unix

That's unfortunate.

> So far, I have tried these items with no success:
> smtp_sender_dependent_authentication = yes

Irrelevant. This is used when sending mail, not when receiving
mail. Turn this off.

> 
> smtpd_sender_restrictions =
>     permit_sasl_authenticated,

Too late, at this point the SASL authenticated users are in.
The restrictions on sender address go *above* this.

>     reject_non_fqdn_sender,
>     reject_sender_login_mismatch,
>     reject_authenticated_sender_login_mismatch,
>     reject_unauthenticated_sender_login_mismatch,
>     reject

    # Not an MX host, authenticated senders only:
    #
    smtpd_sender_restrictions =
	reject_authenticated_sender_login_mismatch,
	permit_sasl_authenticated,
	reject

-- 
	Viktor.

Andrew G. Grant | 15 Jun 20:32 2010

Re: How to force SMTP AUTH to restrict Sender Addresses?

Thank you Viktor. That does in fact stop the email if there is a mismatch.
However, now I cannot send anything as it tells me that I don't own the 
email address I am trying to send to.

Can you tell me what it is checking to verify that the User Name 
belongs to the Email address the user is sending from?

My sender restrictions look like this:
smtpd_sender_restrictions =
#  reject_sender_login_mismatch,
  reject_authenticated_sender_login_mismatch,
#  reject_unauthenticated_sender_login_mismatch,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

I am currently getting this error in my SMTP logs:

Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: connect from andrew-grant.mydomain.com[10.1.2.166]
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: NOQUEUE: reject: RCPT from andrew-grant.mydomain.com[10.1.2.166]: 553 5.7.1 <andrewgrant@mail.mydomain.com>: Sender address rejected: not owned by user andrewgrant; from=<andrewgrant@mail.mydomain.com> to=<andrewgrant@mail.mydomain.com> proto=ESMTP helo=<andrew-grant.mydomain.com>
Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: disconnect from andrew-grant.mydomain.com[10.1.2.166]

Any thoughts as to what I should look at to verify that my User Name really does belong to my Email address?


Victor Duchovni | 15 Jun 21:40 2010

Re: How to force SMTP AUTH to restrict Sender Addresses?

On Tue, Jun 15, 2010 at 11:32:07AM -0700, Andrew G. Grant wrote:

> Thank you Viktor. That does in fact stop the email if there is a mismatch.
> However, now I cannot send anything as it tells me that I don't own the 
> email address I am trying to send to.
> 
> Can you tell me what it is checking to verify that the User Name 
> belongs to the Email address the user is sending from?
> 
> My sender restrictions look like this:
> smtpd_sender_restrictions =
> #  reject_sender_login_mismatch,
>   reject_authenticated_sender_login_mismatch,
> #  reject_unauthenticated_sender_login_mismatch,
>   permit_sasl_authenticated,
>   reject_non_fqdn_sender,
>   reject_unknown_sender_domain,
>   permit
> 
> I am currently getting this error in my SMTP logs:
> 
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: connect from andrew-grant.mydomain.com[10.1.2.166]
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: NOQUEUE: reject: RCPT from andrew-grant.mydomain.com[10.1.2.166]: 553 5.7.1 <andrewgrant@mail.mydomain.com>: Sender address rejected: not owned by user andrewgrant; from=<andrewgrant@mail.mydomain.com> to=<andrewgrant@mail.mydomain.com> proto=ESMTP helo=<andrew-grant.mydomain.com>
> Jun 15 11:24:32 miniserve-rmd-1 postfix/smtpd[58338]: disconnect from andrew-grant.mydomain.com[10.1.2.166]
> 
> Any thoughts as to what I should look at to verify that my User Name really does belong to my Email address?

You need correct mappings in smtpd_sender_login_maps, mapping each
sender address to the correct SASL login.

-- 
	Viktor.
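
Both points made in the replies above, that the mismatch check has to sit before permit_sasl_authenticated and that smtpd_sender_login_maps needs an entry per sender address, can be tried offline. The script below is an added example, not code from this thread or from Postfix itself: it holds a constructed map source in the text format that postmap(1) compiles into a hash: table, replays the documented reject_authenticated_sender_login_mismatch decision against it, and prints the matching main.cf fragment. The path /etc/postfix/sender_login_maps, the login jdoe and the sales@ address are placeholders; andrewgrant and mydomain.com are taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread, not Postfix's own code): a constructed
# sender-login map plus an offline replay of the decision that
# reject_authenticated_sender_login_mismatch makes against it.
# /etc/postfix/sender_login_maps, the login "jdoe" and the sales@ address are
# placeholders; mydomain.com and andrewgrant come from the thread.

# Constructed source text for "postmap hash:/etc/postfix/sender_login_maps".
# Key: MAIL FROM address.  Value: SASL login name(s) allowed to use it;
# several owners are separated by commas or whitespace.
MAP_SRC=$(cat <<'EOF'
# sender address              owning SASL login(s)
andrewgrant@mydomain.com      andrewgrant
jdoe@mydomain.com             jdoe
sales@mydomain.com            andrewgrant, jdoe
EOF
)

# Print the owner list for a sender address, or nothing if it has no entry.
# Keys are compared case-insensitively; comments and blank lines are skipped.
map_owners() {
    printf '%s\n' "$MAP_SRC" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# Replay of the documented rule for a SASL-authenticated client: permit only
# when the login is one of the owners of the MAIL FROM address.  An address
# with no entry at all is rejected too, which is what the log in this thread
# shows while smtpd_sender_login_maps is still unset.
# Usage: sender_login_check <sasl-login> <mail-from-address>
sender_login_check() {
    login=$1
    sender=$2
    owners=$(map_owners "$sender")
    if [ -z "$owners" ]; then
        echo "reject: <$sender> has no owner in smtpd_sender_login_maps"
        return 1
    fi
    for owner in $(printf '%s' "$owners" | tr ',' ' '); do
        if [ "$owner" = "$login" ]; then
            echo "permit: $login owns <$sender>"
            return 0
        fi
    done
    echo "reject: <$sender> not owned by user $login"
    return 1
}

# main.cf fragment wiring the map in, with the mismatch check placed before
# permit_sasl_authenticated as the reply above requires.
main_cf_fragment() {
    cat <<'EOF'
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject
EOF
}

# Demonstration runs (each prints its verdict; "|| :" keeps a reject from
# aborting a shell running with set -e).
sender_login_check andrewgrant andrewgrant@mydomain.com || :
sender_login_check jdoe sales@mydomain.com || :
sender_login_check jdoe andrewgrant@mydomain.com || :
sender_login_check andrewgrant andrewgrant@mail.mydomain.com || :
main_cf_fragment
```

The lookup key is the envelope sender exactly as the client puts it in MAIL FROM. The log quoted above shows andrewgrant@mail.mydomain.com, so either the map entry or the mail client's From address has to use that form; otherwise the authenticated client is rejected just as in the log. After editing the source file, run postmap hash:/etc/postfix/sender_login_maps and check one entry with postmap -q andrewgrant@mydomain.com hash:/etc/postfix/sender_login_maps before reloading Postfix.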

Andrew G. Grant | 15 Jun 22:55 2010

Re: How to force SMTP AUTH to restrict Sender Addresses?

Viktor,

You said:
      "You need correct mappings in smtpd_sender_login_maps, mapping each
        sender address to the correct SASL login."

Does that mean that Postfix will not pull the User Name and Email address from 
the Open Directory?

I had assumed that it was already pulling the User Name / Password for SASL
from Open Directory. Is there no way to also access the Email address in OD 
or use the User Name from the SASL authentication as the left portion of the 
email address?

For example, my user name is, "andrewgrant" and my email is, 
"andrewgrant@mydomain.com".

Is there no way to avoid creating another hash file with every User Name and 
Email address inside?

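
The thread does not answer the last question, whether the hash file can be avoided when every login is simply the local part of the user's address. The following is an added example, not code from this thread or from Postfix: it shows the approach a pcre: table (one of the types in the postconf -m list above) allows, where the table derives the owning login from the sender address instead of listing every user, together with an offline emulation of that rule. It assumes every SASL login equals the local part of that user's address and that clients send from @mydomain.com; the table path is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread, not Postfix's own code): a pcre: table
# that derives the owning login from the local part of the sender address,
# so no per-user hash file has to be maintained.  Assumes every SASL login
# equals the local part of that user's address and that clients send from
# @mydomain.com; the table path is a placeholder.

# pcre_table(5) source.  Lookup key: MAIL FROM address; result: owning login.
# $1 is the captured local part.  pcre: tables need no postmap step.
pcre_table() {
    cat <<'EOF'
# /etc/postfix/sender_login_maps.pcre
# A plain local part in our domain is owned by the login of the same name.
/^([a-z0-9._-]+)@mydomain\.com$/     $1
EOF
}

# Offline emulation of that single pattern: print the login the table would
# return for a sender address, or nothing when the pattern does not match
# (an authenticated client is then rejected, as with an empty hash map).
pcre_lookup() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -n 's/^\([a-z0-9._-][a-z0-9._-]*\)@mydomain\.com$/\1/p'
}

# Same verdict reject_authenticated_sender_login_mismatch would give for a
# SASL-authenticated client.  Usage: pcre_sender_login_check <login> <address>
pcre_sender_login_check() {
    owner=$(pcre_lookup "$2")
    if [ -n "$owner" ] && [ "$owner" = "$1" ]; then
        echo permit
        return 0
    fi
    echo reject
    return 1
}

# main.cf lines for this variant; the restriction order is unchanged.
main_cf_pcre() {
    cat <<'EOF'
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login_maps.pcre
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject
EOF
}

pcre_sender_login_check andrewgrant andrewgrant@mydomain.com || :      # permit
pcre_sender_login_check jdoe andrewgrant@mydomain.com || :             # reject
pcre_sender_login_check andrewgrant andrewgrant@mail.mydomain.com || : # reject
main_cf_pcre
```

Two caveats follow from the emulation. The pattern has to match the domain the client actually uses in MAIL FROM; the log above shows @mail.mydomain.com, which this pattern does not match, so such a session would still be rejected until either the pattern or the client's From address is changed. Shared addresses such as a sales@ mailbox have no login of that name and would be rejected for everyone; pcre tables are tried in order, so an explicit line for each shared address, listing its owners, belongs above the general pattern.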

