Jan Kowalsky
2017-10-13 10:04:33 UTC
Hi all,
I discovered a problem with kolab_smtp_access_policy.
I configured some email addresses with an sender access list - to permit
only some email addresses to send to those recipients. While this works
fine with internal users (submission) external users via smtpd can post
to those addresses - which isn't intended.
Anybody has an Idea?
As I understand the option "--verify-recipient" in the
smtp_access_policy command in master.cf is responsible.
If I remove this one in the submission_policy also internal users can
send emails to the protected post boxes.
But also if I add this --verify-recipient to sender_policy_incoming it
has no effect. Maybe it's overwritten by this --allow-unauthenticated?
Who does understand the kolab_smtp_access_policy?
sender_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --verify-recipient --allow-unauthenticated
My Configs:
In my postfix master.cf I have:
recipient_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-recipient
recipient_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-recipient --allow-unauthenticated
sender_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender
sender_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --allow-unauthenticated
submission_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --verify-recipient
and in main.cf
submission_sender_restrictions =
check_policy_service inet:127.0.0.1:10031
check_policy_service unix:private/submission_policy
permit_sasl_authenticated
reject_non_fqdn_sender
reject
submission_recipient_restrictions =
check_policy_service unix:private/submission_policy
permit_sasl_authenticated
reject
submission_data_restrictions =
check_policy_service unix:private/submission_policy
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_recipient_domain
reject_invalid_hostname
reject_non_fqdn_hostname
reject_unauth_pipelining
reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unauth_destination
reject_multi_recipient_bounce
reject_sender_login_mismatch
check_policy_service unix:private/recipient_policy_incoming
check_policy_service inet:127.0.0.1:10031
permit
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_sender_login_mismatch
check_policy_service unix:private/sender_policy_incoming
Thanks a log for any hint.
Best Regards
Jan
I discovered a problem with kolab_smtp_access_policy.
I configured some email addresses with an sender access list - to permit
only some email addresses to send to those recipients. While this works
fine with internal users (submission) external users via smtpd can post
to those addresses - which isn't intended.
Anybody has an Idea?
As I understand the option "--verify-recipient" in the
smtp_access_policy command in master.cf is responsible.
If I remove this one in the submission_policy also internal users can
send emails to the protected post boxes.
But also if I add this --verify-recipient to sender_policy_incoming it
has no effect. Maybe it's overwritten by this --allow-unauthenticated?
Who does understand the kolab_smtp_access_policy?
sender_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --verify-recipient --allow-unauthenticated
My Configs:
In my postfix master.cf I have:
recipient_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-recipient
recipient_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-recipient --allow-unauthenticated
sender_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender
sender_policy_incoming unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --allow-unauthenticated
submission_policy unix - n n - -
spawn
user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
--verify-sender --verify-recipient
and in main.cf
submission_sender_restrictions =
check_policy_service inet:127.0.0.1:10031
check_policy_service unix:private/submission_policy
permit_sasl_authenticated
reject_non_fqdn_sender
reject
submission_recipient_restrictions =
check_policy_service unix:private/submission_policy
permit_sasl_authenticated
reject
submission_data_restrictions =
check_policy_service unix:private/submission_policy
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_recipient_domain
reject_invalid_hostname
reject_non_fqdn_hostname
reject_unauth_pipelining
reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unauth_destination
reject_multi_recipient_bounce
reject_sender_login_mismatch
check_policy_service unix:private/recipient_policy_incoming
check_policy_service inet:127.0.0.1:10031
permit
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_sender_login_mismatch
check_policy_service unix:private/sender_policy_incoming
Thanks a log for any hint.
Best Regards
Jan