
I am looking for an option to enforce an envelope sender address in postfix for selected users, only. E.g., I want to permit [email protected] to send mails as [email protected], only, while all other users shall be able to choose their from addresses freely.

I know I can work with smtpd_sender_login_maps and reject_sender_login_mismatch. But in my attempts, this has enforced envelope sender validation for all users. I also tried playing around with pcre tables, but wasn't able to find something like a wildcard match towards the end of the PCRE table.

E.g., this does not work:

```
# envelope sender               owners (SASL login names)
/^[email protected]$/           [email protected]
/^(.*)*$/                       (([email protected]).)*$
```

Any way to get this implemented only for a specific set of users?

i3i5i7
  • Instead of focusing on `reject_sender_login_mismatch` (...to be specified inside a `smtpd_sender_restrictions` directive), try the `reject_known_sender_login_mismatch` – Damiano Verzulli Jan 01 '18 at 20:01
  • Thanks for giving me an idea. However, as I understand, `reject_known_sender_login_mismatch` allows authenticated users to send from any address that is not listed with an explicit owner in the sender login table. So this is a test on the address, but I want to enforce restrictions on SASL users. I.e. I don't care (well...) if some other user sends a mail as [email protected]. I want to keep (only!) [email protected] from sending mails under any other address than [email protected] – i3i5i7 Jan 02 '18 at 17:40
  • As per official DOC, 1) `reject_known_sender_login_mismatch` applies the `reject_sender_login_mismatch` restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps; 2) `reject_sender_login_mismatch` (applied by 1) rejects the request [...] when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps - So if you put `[email protected]`:`[email protected]` in the smtpd_sender_login_maps (...and specify the `reject_known_sender_login_mismatch`)... – Damiano Verzulli Jan 03 '18 at 23:49
  • ...I guess that once user `[email protected]` gets SASL-authenticated (left-hand part of the MAP), he can only specify the MAIL-FROM `[email protected]` (right-hand part of the MAP). As for other SASL-authenticated users, they're NOT impacted, as they're NOT specified in the MAP. This is, at least, what I guess from the documentation (that, BTW, I've not experimented myself) – Damiano Verzulli Jan 03 '18 at 23:49
  • Thanks. I did experiment with this, and was not able to find any setting not impacting the other users as well. I guess what I'm looking at is not easily possible. I will find a different angle from which to tackle this. Thanks again. – i3i5i7 Jan 04 '18 at 08:11
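
The thread turns on whether the check keys on the MAIL FROM address or on the SASL login; the following is an added example (not from any poster, and not Postfix's own code) that models the documented semantics of the two restrictions named above and contrasts them with a check gated on the login name. All addresses, `RESTRICTED_LOGINS` and the function names are constructed for illustration.

```python
# Simplified model of how Postfix's documented sender/login checks treat
# MAIL FROM. Added example; addresses are constructed placeholders.

# smtpd_sender_login_maps: envelope sender -> SASL logins that own it
LOGIN_MAPS = {"alice@example.com": {"alice@example.com"}}
# Hypothetical set of logins that must be pinned to their own address
RESTRICTED_LOGINS = {"alice@example.com"}


def sender_login_mismatch(sender, login, maps=LOGIN_MAPS):
    """Model of reject_sender_login_mismatch. True means REJECT."""
    owners = maps.get(sender)
    if login is None:
        # Not logged in: reject only when the address has an owner.
        return owners is not None
    # Logged in: reject unless this login owns the address.
    return owners is None or login not in owners


def known_sender_login_mismatch(sender, login, maps=LOGIN_MAPS):
    """Model of reject_known_sender_login_mismatch: the strict check is
    applied only to MAIL FROM addresses present in the map."""
    return sender in maps and sender_login_mismatch(sender, login, maps)


def per_login_mismatch(sender, login, maps=LOGIN_MAPS,
                       restricted=RESTRICTED_LOGINS):
    """Strict check applied only when the SASL login is on the restricted
    list. Postfix 2.11+ can key an access table on the login name with
    check_sasl_access; wiring it to a restriction class is an assumption
    of this sketch, not a tested configuration."""
    return login in restricted and sender_login_mismatch(sender, login, maps)


def decide(policy, sender, login):
    return "REJECT" if policy(sender, login) else "OK"


if __name__ == "__main__":
    cases = [("alice@example.com", "alice@example.com"),
             ("other@example.com", "alice@example.com"),
             ("bob-alias@example.com", "bob@example.com")]
    policies = (sender_login_mismatch, known_sender_login_mismatch,
                per_login_mismatch)
    for sender, login in cases:
        row = [decide(p, sender, login) for p in policies]
        print(f"from={sender:24} login={login:20} {row}")
```

The second case is the one the asker wants rejected and the third is the one that must stay open; only the login-gated check gets both right.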
