kolab_smtp_access_policy - incoming mails are not checked against sender access list

Jan Kowalsky jankow at datenkollektiv.net
Fri Oct 13 12:04:33 CEST 2017


Hi all,

I discovered a problem with kolab_smtp_access_policy.

I configured some email addresses with a sender access list - to permit
only some email addresses to send to those recipients. While this works
fine with internal users (submission), external users via smtpd can post
to those addresses - which isn't intended.

Does anybody have an idea?

As I understand the option "--verify-recipient" in the
smtp_access_policy command in master.cf is responsible.

If I remove this one in the submission_policy also internal users can
send emails to the protected post boxes.

But also if I add this --verify-recipient to sender_policy_incoming it
has no effect. Maybe it's overwritten by this --allow-unauthenticated?

Who understands the kolab_smtp_access_policy?

sender_policy_incoming unix     -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-sender --verify-recipient --allow-unauthenticated

My Configs:


In my postfix master.cf I have:

recipient_policy    unix        -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-recipient

recipient_policy_incoming unix  -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-recipient --allow-unauthenticated

sender_policy       unix        -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-sender

sender_policy_incoming unix     -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-sender --allow-unauthenticated

submission_policy   unix        -       n       n       -       -       spawn
    user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
    --verify-sender --verify-recipient


and in main.cf

submission_sender_restrictions =
  check_policy_service inet:127.0.0.1:10031
  check_policy_service unix:private/submission_policy
  permit_sasl_authenticated
  reject_non_fqdn_sender
  reject

submission_recipient_restrictions =
  check_policy_service unix:private/submission_policy
  permit_sasl_authenticated
  reject

submission_data_restrictions =
  check_policy_service unix:private/submission_policy

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unknown_recipient_domain
  reject_invalid_hostname
  reject_non_fqdn_hostname
  reject_unauth_pipelining
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  reject_unknown_sender_domain
  reject_unauth_destination
  reject_multi_recipient_bounce
  reject_sender_login_mismatch
  check_policy_service unix:private/recipient_policy_incoming
  check_policy_service inet:127.0.0.1:10031
  permit

smtpd_sender_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_sender_login_mismatch
  check_policy_service unix:private/sender_policy_incoming


Thanks a lot for any hint.
Best Regards
Jan
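
One way to see what the policy service answers for an unauthenticated outside sender, without going through smtpd, is to feed it a Postfix policy delegation request on stdin the way spawn(8) does. This is an added example, not part of the original post and not Kolab's code; the addresses, client data, instance id and helper names are constructed, and it assumes the script can be started by hand (as the kolab-n user) with the flags from master.cf.

```python
import subprocess
import sys

def build_request(state, sender, recipient, sasl_username="", instance="probe.1"):
    """Serialize one policy delegation request: name=value lines, ended by a blank line."""
    attrs = {
        "request": "smtpd_access_policy",
        "protocol_state": state,            # RCPT or DATA
        "protocol_name": "ESMTP",
        "instance": instance,               # same id ties RCPT and DATA to one message
        "sender": sender,
        "recipient": recipient,
        "client_address": "192.0.2.10",     # constructed (TEST-NET-1)
        "client_name": "mail.example.org",  # constructed
        "sasl_username": sasl_username,     # empty value = no SASL authentication
    }
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"

def parse_actions(output):
    """Return the action= value of every reply found in the service's output."""
    return [l.split("=", 1)[1] for l in output.splitlines() if l.startswith("action=")]

def query_policy(argv, requests):
    """Run the policy command with the requests on stdin and return its actions."""
    proc = subprocess.run(argv, input="".join(requests),
                          capture_output=True, text=True, timeout=30)
    return parse_actions(proc.stdout)

def external_probe(sender, recipient):
    """Requests for an unauthenticated sender at the RCPT and DATA stages."""
    return [build_request(s, sender, recipient) for s in ("RCPT", "DATA")]

if __name__ == "__main__":
    # Constructed addresses: replace with an outside sender and a protected mailbox.
    reqs = external_probe("outsider@example.org", "protected@example.com")
    if len(sys.argv) > 1:
        # e.g. the argv= value of sender_policy_incoming from master.cf
        print(query_policy(sys.argv[1:], reqs))
    else:
        print("".join(reqs), end="")
```

The posted main.cf queries the policy service at the DATA stage only for submission (submission_data_restrictions), so comparing the RCPT and DATA answers for each flag combination shows at which stage the service actually returns a reject.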

