Re: postfix security configuration
This might help:
On Mon, 2003-08-11 at 13:37, Marcel Weber wrote:
> On Monday, 11.08.03, at 12:59 (Europe/Zurich), Tomasz wrote
> > If you want to prevent them from using non-existing sender addresses
> > from your domain, you can do it by creating a file (lookup table) for
> > postmap(1), containing all allowed addresses with "OK" and another
> > table containing your domain name with "REJECT".
> > If you want to prevent them from using sender addresses from other
> > domains, it's also possible with a properly prepared config.
> > If you want to prevent them from using other (not their own) sender
> > addresses from your domain, you must use SMTP AUTH, I'm afraid.
> > --
> > Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
> > firstname.lastname@example.org http://www.lodz.tpsa.pl/ | ones and zeros.
> Theoretically there is another possibility. Actually pop-before-smtp
> does nothing more than watch the log file, pick the ip address of the
> pop client and put this address for a certain time into a postmap
> for postfix. If you would use the user's email address as his pop3
> login name (within a sql or ldap db, for example), one could take this
> information and write it into another postmap file. This would
> necessitate some modification of the pop-before-smtp script, but I think
> it wouldn't be too hard to implement. It wouldn't be perfect, though:
> Imagine two users logged in at the same time. In this situation each
> user could "abuse" the other user's email address.
> For a really secure system, there is no way around smtp auth.
> pop-before-smtp relies on ip addresses. But what about NAT? Users
> coming from a private masqueraded network could misuse your server at
> their pleasure, if one user from this network has logged into his pop3
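A small model of the modified pop-before-smtp idea from the quoted message, added here as an illustration and not code from this thread or from the pop-before-smtp project: one table of client IPs and one of logged-in addresses, checked independently, which shows why two users logged in at the same time can each pass with the other's address. The log format, the 30-minute window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed POP3 login lines in a hypothetical format (not a real daemon's output).
SAMPLE_LOG = """\
2003-08-11 13:00:05 pop3d: LOGIN user=alice@example.com ip=192.0.2.10
2003-08-11 13:01:40 pop3d: LOGIN user=bob@example.com ip=198.51.100.7
"""
LOGIN_RE = re.compile(r"^(\S+ \S+) pop3d: LOGIN user=(\S+) ip=(\S+)$")
WINDOW = timedelta(minutes=30)  # assumed lifetime of a table entry


def build_tables(log_text):
    """Return (ip_table, sender_table); each maps a key to its expiry time."""
    ip_table, sender_table = {}, {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        expires = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + WINDOW
        ip_table[m.group(3)] = expires
        sender_table[m.group(2).lower()] = expires
    return ip_table, sender_table


def smtp_decision(tables, client_ip, mail_from, now):
    """Two independent lookups, as two separate postmap files would give."""
    ip_table, sender_table = tables
    if ip_table.get(client_ip, datetime.min) <= now:
        return "REJECT relay"    # no live POP3 login from this IP
    if sender_table.get(mail_from.lower(), datetime.min) <= now:
        return "REJECT sender"   # address has no live POP3 login
    return "OK"


def demo():
    t = build_tables(SAMPLE_LOG)
    now = datetime(2003, 8, 11, 13, 5)
    return {
        "own address": smtp_decision(t, "192.0.2.10", "alice@example.com", now),
        # Both entries are live and nothing ties an address to an IP, so Bob's IP
        # (or any host behind the same NAT address) passes with Alice's address.
        "other user's address": smtp_decision(t, "198.51.100.7", "alice@example.com", now),
        "unlisted sender": smtp_decision(t, "198.51.100.7", "ghost@example.com", now),
        "unknown ip": smtp_decision(t, "203.0.113.9", "alice@example.com", now),
        "after expiry": smtp_decision(t, "192.0.2.10", "alice@example.com",
                                      now + timedelta(hours=1)),
    }
```

Binding the sender to an authenticated login rather than to an IP address is what closes the "other user's address" case, which is the point both writers make about SMTP AUTH.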