check_sasl_access question


I would like to only allow sasl authenticated relay for specific users,
so I have in

smtpd_relay_restrictions = permit_mynetworks, check_sasl_access

and in /etc/postfix/sasl_list:
username1 OK
username2 REJECT
username3 OK

The config works. I tested: username1 can relay, username2 cannot.

However, I want to blacklist ALL my users, except username1 / username3,
so the line with "*" is ignored.

Googled and googled, but I can't find: How can I enter wildcards in that
file, or otherwise get the same result?

This is postfix 2.11.2



Re: check_sasl_access question

By Viktor Dukhovni at 08/11/2017 - 17:37

"*" does not (and is not documented to) work as a wildcard in
indexed file tables.

Far simpler:

indexed = ${default_database_type}:${config_directory}/
smtpd_relay_restrictions =
    check_sasl_access ${indexed}sasl_list,

username1 OK
username3 OK

With this, you only need to list the permitted users, there's no
need to list the rejects, these are handled by the required "default
deny" restriction at the end.

A user who wants to bypass explicit rejection can just remain
anonymous, by omitting authentication, and be rejected only when
attempting to relay, like everyone else.

Re: check_sasl_access question

By mj at 08/11/2017 - 18:02

Hi Viktor!

Thanks for the quick reply!

On 08/11/2017 11:37 PM, Viktor Dukhovni wrote:
Because this does not look very different from my config:

I don't see much difference..? (except the indexed = $....)

What am I missing/not seeing?


Re: check_sasl_access question

By Viktor Dukhovni at 08/11/2017 - 18:19


The "reject_unauth_destination" rejects all relay attempts, permitting
only inbound mail. If you allow inbound mail from anonymous users,
there's no point in blocking it from specific authenticated users.

Re: check_sasl_access question

By mj at 08/11/2017 - 18:28


Right! Remove permit_sasl_authenticated and keep check_sasl_access

Thanks! It works!
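To make the thread's conclusion concrete, here is an added example (not from the list, not Postfix source code) that models how Postfix walks an smtpd_relay_restrictions list against a check_sasl_access table. It shows that "*" is just a literal key in an indexed table, that a permit_sasl_authenticated placed before check_sasl_access lets every authenticated user relay, and that reject_unauth_destination supplies the "default deny" for relaying. The domain set, network set and the evaluate() function are simplifications of my own for illustration, not Postfix internals.

```python
# Added example: a simplified model of Postfix restriction-list evaluation.
# Constructed stand-ins for mydestination and mynetworks (not real settings).
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"example.com"}   # constructed: mail for these is "inbound"
MYNETWORKS = {"127.0.0.1"}        # constructed: trusted client addresses


def parse_access_table(text: str) -> dict:
    """Parse 'key action' lines the way postmap would: keys are exact strings,
    so a line starting with '*' only ever matches a user literally named '*'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key] = action.strip().upper()
    return table


@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str]   # None means the client did not authenticate
    rcpt_domain: str


def check_sasl_access(table: dict, s: Session) -> Optional[str]:
    """Return OK/REJECT for a listed login name; None (DUNNO) otherwise."""
    if s.sasl_username is None:
        return None                      # anonymous client: nothing to look up
    action = table.get(s.sasl_username)  # exact lookup, no wildcard expansion
    return None if action in (None, "DUNNO") else action


def evaluate(restrictions: list, table: dict, s: Session) -> str:
    """Walk the restriction list in order; first OK/REJECT decides.
    'DUNNO' at the end means this list made no decision (Postfix then moves
    on to the next restriction list, e.g. smtpd_recipient_restrictions)."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if s.client_ip in MYNETWORKS:
                return "OK"
        elif r == "permit_sasl_authenticated":
            if s.sasl_username is not None:
                return "OK"
        elif r == "check_sasl_access":
            result = check_sasl_access(table, s)
            if result is not None:
                return result
        elif r == "reject_unauth_destination":
            if s.rcpt_domain not in LOCAL_DOMAINS:
                return "REJECT"          # relaying without an earlier permit
        else:
            raise ValueError("unknown restriction: " + r)
    return "DUNNO"


# Viktor's table: list only the permitted users; rejects are implicit.
ALLOW_ONLY = parse_access_table("username1 OK\nusername3 OK\n")
# The original poster's attempt to use "*" as a catch-all (it is a literal key).
STAR_TABLE = parse_access_table("username1 OK\n* REJECT\n")

FIXED = ["permit_mynetworks", "check_sasl_access", "reject_unauth_destination"]
BROKEN = ["permit_mynetworks", "permit_sasl_authenticated",
          "check_sasl_access", "reject_unauth_destination"]


def relay_as(user: Optional[str], restrictions=FIXED, table=ALLOW_ONLY) -> str:
    """Outcome for an external client trying to relay to a foreign domain."""
    return evaluate(restrictions, table, Session("203.0.113.5", user, "other.test"))


def inbound_as(user: Optional[str], restrictions=FIXED, table=ALLOW_ONLY) -> str:
    """Outcome for an external client sending mail to a local domain."""
    return evaluate(restrictions, table, Session("203.0.113.5", user, "example.com"))


if __name__ == "__main__":
    for user in ("username1", "username2", None):
        print(f"relay as {user!r}: fixed={relay_as(user)} "
              f"with permit_sasl_authenticated first={relay_as(user, BROKEN)}")
    print("'*' line does not match username2:", relay_as("username2", FIXED, STAR_TABLE))
```

Running the block prints that username1 relays under both lists, while username2 is rejected only when permit_sasl_authenticated is absent; with the "*" table, username2 is still rejected, but by reject_unauth_destination, not by the "*" line, which is exactly why the explicit REJECT entries are unnecessary.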