Re: [suse-security] SuSE 9.0: postfix sasl authentication fails



On Friday, 9 January 2004 15:34, Marc Samendinger wrote:
> > -----Original Message-----
> > From: Arjen de Korte [mailto:suse-security@xxxxxxxxxxxx]
> > Sent: Friday, January 09, 2004 3:22 PM
> >
> > On Friday 09 January 2004 14:59, Marc Samendinger wrote:
> > >  smtpd_sender_restrictions =
> > >  	permit_mynetworks,
> > >  	permit_sasl_authenticated,
> > >  	reject
> >
> > You would drop virtually all incoming mail from external, non-authenticated
> > users to you. I can't imagine this is what you want. I think the following
> > lines may be more appropriate:
> >
> > smtpd_sender_restrictions =
> > smtpd_recipient_restrictions =
> > 	permit_mynetworks,
> > 	permit_sasl_authenticated,
> > 	permit_auth_destination,
> > 	reject
> >
> > The above translates to allow all 'MAIL FROM' sender addresses, but only accept
> > 'RCPT TO' addresses if the client is from 'mynetworks', 'sasl_authenticated'
> > or the recipient is in the list of domains for which we receive or relay
> > mail.
>
> I really did not check the logic behind the restrictions.
> I just saw the "missing" commas and thought they were
> needed, but I checked again and see they are optional.
>
> Another suggestion for the smtpd_recipient_restrictions:
>
> smtpd_sender_restrictions =
> smtpd_recipient_restrictions =
>  	permit_mynetworks,
>  	permit_sasl_authenticated,
>  	reject_unauth_destination
>
> > Best regards,
> > Arjen
>
> marc

Thanks again,
My next step is motivating cyrussasl to use Kerberos5
- has anybody done this?
My mail server is integrated into an ADS domain via Samba 3.
Either pam and pam_winbind or - and I tend to prefer that - Kerberos5
authentication should provide the following:

Any user from the ADS domain should be allowed to send mail over this
server. No one else.
My idea is:
SASL-Kerberos-Postfix.
At the moment, only sasldb works.
Not even pam.
Any ideas?
-- 
Best regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
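
Added example (not part of the original thread): a simplified Python model of how Postfix walks the restriction lists quoted above, comparing the three configurations for internal, authenticated and external clients. The domain names, session fields and the recipient list paired with the original sender restrictions are assumptions made for illustration.

```python
# Simplified model of Postfix smtpd access restriction lists (added example).
LOCAL_DOMAINS = {"example.org"}  # constructed: domains this server receives/relays for

def permit_mynetworks(s): return "PERMIT" if s["in_mynetworks"] else "DUNNO"
def permit_sasl_authenticated(s): return "PERMIT" if s["sasl_ok"] else "DUNNO"
def permit_auth_destination(s): return "PERMIT" if s["rcpt_domain"] in LOCAL_DOMAINS else "DUNNO"
def reject_unauth_destination(s): return "DUNNO" if s["rcpt_domain"] in LOCAL_DOMAINS else "REJECT"
def reject(s): return "REJECT"

def evaluate(restrictions, session):
    """The first PERMIT or REJECT ends the list; an exhausted (or empty) list permits."""
    for restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result
    return "PERMIT"

def decide(sender_list, recipient_list, session):
    """A REJECT in either list is final; a PERMIT only ends the list it occurs in."""
    lists = (sender_list, recipient_list)
    return "REJECT" if any(evaluate(l, session) == "REJECT" for l in lists) else "PERMIT"

# The three configurations from the thread, as (sender list, recipient list).
ARJEN_RCPT = [permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject]
MARC_RCPT = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
CONFIGS = {
    # Assumption: the original post's recipient list is not shown; Arjen's is reused.
    "original": ([permit_mynetworks, permit_sasl_authenticated, reject], ARJEN_RCPT),
    "arjen": ([], ARJEN_RCPT),
    "marc": ([], MARC_RCPT),
}

# Constructed sample sessions: who connects, and where the RCPT TO address points.
SESSIONS = {
    "lan_client_outbound": {"in_mynetworks": True, "sasl_ok": False, "rcpt_domain": "elsewhere.example"},
    "sasl_user_outbound": {"in_mynetworks": False, "sasl_ok": True, "rcpt_domain": "elsewhere.example"},
    "external_inbound": {"in_mynetworks": False, "sasl_ok": False, "rcpt_domain": "example.org"},
    "external_relay_try": {"in_mynetworks": False, "sasl_ok": False, "rcpt_domain": "elsewhere.example"},
}

def outcomes(config_name):
    sender_list, recipient_list = CONFIGS[config_name]
    return {name: decide(sender_list, recipient_list, s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for name in CONFIGS:
        print(name, outcomes(name))
```

In this model the two suggested recipient lists give identical decisions: inbound mail for local domains is accepted and unauthenticated relaying is refused, while the original sender list also refuses the inbound mail.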

