Forged header detection and selective filtering (Postfix help please)

Adam Tworkowski atworkowski at masterfile.com
Wed Feb 15 19:21:39 CET 2006


I am trying to allow certain email addresses using my local domain (say
fakeuser at domain.com) to send mail from remote networks to valid local
users (i.e.realuser at domain.com).

Basically I am trying to poke a hole in Kolab's UCE policy on a per
sender basis through Postfix.

I am adding the senders address to /kolab/etc/postfix access (which is
otherwise empty and mapping it with /kolab/sbin/postmap access.

| fakeuser at domain.com OK

I am then changing the following line in Postfix's main.cf from:

smtpd_sender_restrictions = permit_mynetworks, check_policy_service
unix:private/kolabpolicy

to:

smtpd_sender_restrictions = check_sender_access
hash:/kolab/etc/postfix/access, permit_mynetworks, check_policy_service
unix:private/kolabpolicy

When attempting to send mail as the user I get the following (note that
I am definitely not on a network local to Postfix):

telnet 192.168.1.10  25
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
220 kolab01.domain.com ESMTP Postfix
ehlo hotmail.com
250-kolab01.domain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
MAIL FROM:  fakeuser at domain.com
250 Ok
RCPT TO: realuser at domain.com
554 <fakeuser at domain.com>: Sender address rejected: Invalid sender

Am I going about this the right way?  Is there another filter getting in
the way?  What am I missing?  

Also, if an address is not present during the "check_sender_access"
check am I expecting it to bail, or move on to permit_mynetworks?

Any help would be much appreciated.  Thanks.

-Adam

On Tue, 2006-14-02 at 13:14 -0500, Adam Tworkowski wrote:
> Hi,
> 
> Our Kolab server (correctly) detects forged "from" headers so that if
> you say you are "user at domain.com" where domain.com is local, and you are
> sending from somewhere that is not domain.com and your message is
> refused.  How would I go about allowing certain "users" to by-pass this
> feature so that user1 at domain.com can be delivered as if local even
> thought the headers are really forged?  
> 
> We have a business requirement to accept mail "from" certain "accounts"
> that aren't local (affiliate users who we don't necessarily want on our
> mail system, as well as some forwarders from an external mail system
> via /etc/aliases.
> 
> Thanks in advance.  
-- 
Regards,

Adam Tworkowski, atworkowski at masterfile.com
Systems Administrator, Computer Department
Masterfile Corporation, www.masterfile.com
 
************************************************************************
This email message is intended only for the named recipient(s) above and
may contain information that is privileged, confidential, subject to
copyright and/or exempt from disclosure under applicable law.  You are
hereby notified that any unauthorized use of this transmission is
strictly prohibited.  If you are not the named recipient(s), please
immediately notify the sender and delete this email message.
************************************************************************






More information about the users mailing list