postfix-users September 2010 archive

Re: Blocking a particular authenticated user

From: Patrick Ben Koetter <p_at_nospam>
Date: Thu Sep 02 2010 - 09:40:40 GMT
To: postfix-users@postfix.org

* Julian Cowley <julian@lava.net>:
> On Thu, 2 Sep 2010, Patrick Ben Koetter wrote:
> > * Julian Cowley <julian@lava.net>:
> > > Hello,
> > >
> > > I would like to block a particular user who is authenticated using
> > > SASL from sending mail. Is there a way to do this?
> >
> > Where do you keep this user's credentials? Disable the auth account.
>
> Yes thanks, that works. Unfortunately, on our system this also
> disables all other services for that user such as email reading and
> server logins. To fix this, I'd need to modify the authentication
> server outside of Postfix (namely Dovecot) to reject the user somehow.

Add an additional condition if you use SQL or LDAP, something along the lines
of "... AND active='TRUE'" to your query.

> I was hoping that there was a way solely in Postfix that would allow
> me to reject mail for a SASL login at the MAIL FROM/RCPT TO stage
> rather than the authentication stage.

Clients AUTH first and then they start a regular SMTP session. At least the
ones I know...

Why not disable AUTH in the person's client?

p@rick

> At this point, I'll just reject the user's main email address using
> check_sender_access and REJECT, which is equivalent to all the crud
> I wrote up below and would allow me to customize the message.
>
> > > I found one way to do it, but it is not perfect. I can block the
> > > email address of that user (the one they normally use) using
> > > smtpd_sender_login_maps. This doesn't prevent them from using another
> > > email address, however.
> > >
> > > smtpd_recipient_restrictions =
> > > ...
> > > reject_sender_login_mismatch
> > > ...
> > >
> > > smtpd_sender_login_maps = regexp:/path/sender_login_map
> > >
> > > sender_login_map:
> > >
> > > /^user@example\.com$/ unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN
> > >
> > > The unmatchable string is because I want the entry to exist for that
> > > email address, but I don't want to list any string that could be
> > > matched as a SASL username.
> > >
> > > Is this the right approach or have I missed something entirely?

-- 
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
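
The sender_login_map approach quoted in this message, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of how reject_sender_login_mismatch consults the regexp table, showing that the block is keyed on the MAIL FROM address and not on the SASL login. The login names "user" and "alice" and the sample sessions are constructed assumptions.

```python
import re

# Constructed copy of the regexp table from the post (pattern, owner logins).
# Postfix regexp tables match case-insensitively by default.
SENDER_LOGIN_MAP = [
    (re.compile(r"^user@example\.com$", re.IGNORECASE),
     ["unmatchable_string_SLDKFJNSDFLKJSDNFSKSDLFJN"]),
]

# Constructed (SASL login, MAIL FROM) pairs; None means the client did not AUTH.
# The login names "user" and "alice" are assumptions, not taken from the thread.
SESSIONS = [
    ("user", "user@example.com"),
    ("user", "USER@example.com"),
    ("user", "other@example.com"),
    (None, "user@example.com"),
    ("alice", "alice@example.com"),
]

def lookup_owners(sender):
    """Return the owners of the first matching pattern, or None if none match."""
    for pattern, owners in SENDER_LOGIN_MAP:
        if pattern.search(sender):
            return owners
    return None

def reject_sender_login_mismatch(sender, sasl_login):
    """Simplified model: 'REJECT', or 'DUNNO' when the check has no opinion."""
    owners = lookup_owners(sender)
    if owners is None:
        return "DUNNO"   # no owner entry for this address, nothing to enforce
    if sasl_login is not None and sasl_login in owners:
        return "DUNNO"   # logged in as a listed owner of the address
    return "REJECT"      # owned address, client is not one of its owners

def evaluate(sessions):
    """Apply the modelled restriction to each (login, sender) pair."""
    return [(login, sender, reject_sender_login_mismatch(sender, login))
            for login, sender in sessions]

if __name__ == "__main__":
    for login, sender, verdict in evaluate(SESSIONS):
        print(f"login={login!s:<6} from={sender:<20} {verdict}")
```

The third session is the gap the post mentions: the same login with a different envelope sender has no map entry, so the restriction has nothing to enforce.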