Discussion:
Postfix policy protocol
Yann GROSSEL
2004-01-31 15:56:44 UTC
Hello,

I have a wish about the Postfix policy delegation protocol.

I'm using SASL on a mailserver. I'm planning to use the great new
check_policy_service restriction and I'd like to be able to base my
policy decisions on the authenticated user.

The problem is that the current policy protocol doesn't have an attribute
to give the SASL authenticated user for the SMTP connection.

Would it be possible to add a new attribute like:

sasl_user=***@bar.net

in the requests sent by Postfix SMTPD to the policy server? I think it
can be done in a 10-line patch...

Thanks a lot.
--
Yann GROSSEL
Tony Earnshaw
2004-01-31 19:30:21 UTC
Post by Yann GROSSEL
I'm using SASL on a mailserver.
Me too.
Post by Yann GROSSEL
I'm planning to use the great new
check_policy_service restriction and I'd like to be able to base my
policy decisions on the authenticated user.
Why? I have already an SASL policy:

smtpd_sender_restrictions =
reject_sender_login_mismatch

smtpd_recipient_restrictions =
permit_sasl_authenticated

Once I've done that, I reckon that my user is locked into a jail that he
can not get out of. No further policy is necessary.
Post by Yann GROSSEL
The problem is that the current policy protocol doesn't have an attribute
to give the SASL authenticated user for the SMTP connection.
What would be your desired policy amendment?

I see the policy daemon as being aimed at the unknown, rather than the
known. I trust and/or can control the known, I distrust and can not
control the unknown.

--Tonni

--

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
Yann GROSSEL
2004-01-31 21:17:16 UTC
On Sat, 31 Jan 2004 20:19:49 +0100
Post by Tony Earnshaw
Post by Yann GROSSEL
I'm planning to use the great new
check_policy_service restriction and I'd like to be able to base my
policy decisions on the authenticated user.

smtpd_sender_restrictions =
reject_sender_login_mismatch

smtpd_recipient_restrictions =
permit_sasl_authenticated

Once I've done that, I reckon that my user is locked into a jail that he
can not get out of. No further policy is necessary.
Post by Yann GROSSEL
The problem is that the current policy protocol doesn't have an
attribute to give the SASL authenticated user for the SMTP connection.
Post by Tony Earnshaw
What would be your desired policy amendment?
I'd like to have control over the rates of user connections and mail
sending. My policy daemon server will be linked to a sql database
and I'll be able to do whatever computations I want using the rates
values. For instance I'd like to allow authenticated users to send more
mails than the non-authenticated ones. Or to allow some user to send mail only
during work hours. Or perhaps I want to detect when a SASL login is used
from too many distinct IP addresses at the same time, indicating that a
cracked login/password is being used by spammers. Or anything else.

It's just not possible to do that with the reject_sender_login_mismatch
and reject_sender_login_mismatch restrictions.

Regards

--
Yann GROSSEL
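
Added example, not part of the original thread and not Postfix code: a sketch of the decision logic such a policy daemon could apply to detect one SASL login used from too many client addresses. It assumes the login arrives as `sasl_user` (the name proposed above) or `sasl_username` (the name later Postfix releases send); the window, threshold and sample request are constructed values.

```python
import time
from collections import defaultdict, deque

WINDOW = 600      # seconds of history kept per login (assumed value)
MAX_IPS = 3       # distinct client addresses tolerated per window (assumed value)

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break                      # empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:                        # ignore malformed lines without '='
            attrs[name] = value
    return attrs

class LoginSpreadPolicy:
    """Flags a SASL login seen from too many distinct IPs within the window."""
    def __init__(self, window=WINDOW, max_ips=MAX_IPS):
        self.window, self.max_ips = window, max_ips
        self.seen = defaultdict(deque)     # login -> deque of (timestamp, ip)

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        # "sasl_user" is the name proposed in the thread; "sasl_username" is
        # the attribute name later Postfix releases send.
        login = attrs.get("sasl_username") or attrs.get("sasl_user")
        ip = attrs.get("client_address")
        if not login or not ip:
            return "action=DUNNO\n\n"      # unauthenticated: no opinion
        events = self.seen[login]
        events.append((now, ip))
        while events and events[0][0] <= now - self.window:
            events.popleft()               # expire observations outside the window
        if len({addr for _, addr in events}) > self.max_ips:
            return "action=DEFER_IF_PERMIT Login used from too many addresses\n\n"
        return "action=DUNNO\n\n"

# Constructed sample request (not captured traffic).
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsasl_username=alice@example.net\n"
          "sender=alice@example.net\nrecipient=bob@example.org\n\n")

if __name__ == "__main__":
    print(LoginSpreadPolicy().decide(parse_request(SAMPLE)), end="")
```

A real daemon would wrap `decide` in a socket server listening where `check_policy_service` points and keep the history in shared storage such as the SQL database mentioned above.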
Wietse Venema
2004-01-31 23:47:40 UTC
Post by Yann GROSSEL
The problem is that the current policy protocol doesn't have an
attribute to give the SASL authenticated user for the SMTP connection.
That would be easy to add.

Wietse
