kolab_smtp_access_policy - incoming mails are not checked against sender access list
Jan Kowalsky
jankow at datenkollektiv.net
Fri Oct 13 13:08:38 CEST 2017
I found out how to fix this - but I don't understand it completely:
If I add a line

smtpd_data_restrictions =
    check_policy_service unix:private/recipient_policy_incoming

analogous to

submission_data_restrictions =
    check_policy_service unix:private/submission_policy

the sender access lists also work from outside.
But I don't completely understand why the data_restrictions are
necessary - and not the sender_restrictions.
Probably because on sender_restrictions only the sender is known - and
not the recipient. But then this should be the kolab default configuration.
Regards
Jan
On 13.10.2017 at 12:04, Jan Kowalsky wrote:
> Hi all,
>
> I discovered a problem with kolab_smtp_access_policy.
>
> I configured some email addresses with a sender access list - to permit
> only some email addresses to send to those recipients. While this works
> fine with internal users (submission) external users via smtpd can post
> to those addresses - which isn't intended.
>
> Does anybody have an idea?
>
> As I understand the option "--verify-recipient" in the
> smtp_access_policy command in master.cf is responsible.
>
> If I remove this one in the submission_policy also internal users can
> send emails to the protected post boxes.
>
> But also if I add this --verify-recipient to sender_policy_incoming it
> has no effect. Maybe it's overwritten by this --allow-unauthenticated?
>
> Who understands the kolab_smtp_access_policy?
>
> sender_policy_incoming unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --verify-recipient --allow-unauthenticated
>
> My Configs:
>
>
> In my postfix master.cf I have:
>
> recipient_policy unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-recipient
>
> recipient_policy_incoming unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-recipient --allow-unauthenticated
>
> sender_policy unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender
>
> sender_policy_incoming unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --allow-unauthenticated
>
> submission_policy unix - n n - - spawn
>     user=kolab-n argv=/usr/lib/postfix/kolab_smtp_access_policy
>     --verify-sender --verify-recipient
>
>
> and in main.cf
>
> submission_sender_restrictions =
>     check_policy_service inet:127.0.0.1:10031
>     check_policy_service unix:private/submission_policy
>     permit_sasl_authenticated
>     reject_non_fqdn_sender
>     reject
>
> submission_recipient_restrictions =
>     check_policy_service unix:private/submission_policy
>     permit_sasl_authenticated
>     reject
>
> submission_data_restrictions =
>     check_policy_service unix:private/submission_policy
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unknown_recipient_domain
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     reject_unauth_pipelining
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     reject_unauth_destination
>     reject_multi_recipient_bounce
>     reject_sender_login_mismatch
>     check_policy_service unix:private/recipient_policy_incoming
>     check_policy_service inet:127.0.0.1:10031
>     permit
>
> smtpd_sender_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_sender_login_mismatch
>     check_policy_service unix:private/sender_policy_incoming
>
>
> Thanks a lot for any hint.
> Best Regards
> Jan
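An added example, not part of the original post and not Kolab's code: a small Postfix policy-delegation handler that shows how a check can stay silent unless it is also called from smtpd_data_restrictions. It assumes a policy that only records recipients at protocol_state=RCPT and gives its verdict at protocol_state=DATA; the thread does not confirm that kolab_smtp_access_policy works this way. The names SENDER_ACL, DeferredPolicy, request and run and all addresses are constructed for the illustration.

```python
# Added illustration of Postfix policy delegation; not Kolab's code.
from collections import defaultdict

# Constructed access list: protected recipient -> senders allowed to write to it.
SENDER_ACL = {"board@example.org": {"chair@example.org"}}

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class DeferredPolicy:
    """Hypothetical policy: records recipients at RCPT, gives its verdict at DATA."""

    def __init__(self):
        self.recipients = defaultdict(set)  # instance -> recipients seen so far

    def handle(self, text):
        req = parse_request(text)
        inst, state = req.get("instance", ""), req.get("protocol_state", "")
        if state == "RCPT":
            self.recipients[inst].add(req.get("recipient", "").lower())
            return "action=DUNNO\n\n"  # no verdict yet, only bookkeeping
        if state == "DATA":
            sender = req.get("sender", "").lower()
            for rcpt in sorted(self.recipients.pop(inst, set())):
                allowed = SENDER_ACL.get(rcpt)
                if allowed is not None and sender not in allowed:
                    return "action=REJECT sender not permitted for %s\n\n" % rcpt
        return "action=DUNNO\n\n"

def request(state, instance, sender, recipient=""):
    """Build a constructed request holding only the attributes read above."""
    return ("request=smtpd_access_policy\nprotocol_state=%s\ninstance=%s\n"
            "sender=%s\nrecipient=%s\n\n" % (state, instance, sender, recipient))

def run(states, sender="outsider@example.net"):
    """Replay one constructed transaction, one policy call per listed state."""
    policy = DeferredPolicy()
    return [policy.handle(request(s, "1a2b.0", sender,
                                  "board@example.org" if s == "RCPT" else ""))
            for s in states]

if __name__ == "__main__":
    print(run(["RCPT"]))          # policy hooked only at RCPT-time restrictions
    print(run(["RCPT", "DATA"]))  # policy also listed in smtpd_data_restrictions
```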