2

I have an MTA (Postfix) with SASL implemented. I want to be able, for a subset of users, to map their email address to a particular range of IPs (separate for each email user). If a user tries to send email from outside his individual range, the attempt gets logged and the email is dropped. I think it can be done with header_checks or milters, but I am unable to implement it either way.

2 Answers

4

Use a policy service. You can implement your own or use a ready-made one. I have had some experience with postfwd and, as I recall, its ruleset capabilities let you express such a requirement in a few lines.


Better to not just use SASL authentication, but also restrict which "envelope from" email addresses can be used by which SASL usernames, using Postfix's smtpd_sender_login_maps setting. The authenticated submission service should never be offered on the default port 25; there are dedicated ports for that: 587 "submission" (with STARTTLS) and/or 465 "smtps" (with conventional static TLS).

If all of your users can be restricted to a few subnets, you can just restrict access to these ports with the firewall. Better yet, instead of dropping "out of network" mails right away or restricting access to submission services at the network level, limit the email rate. Then you can monitor overuse of the service, warn users, or even demand an explanation of what happened and why they hit the limit.

Exactly this helped me to contain the reputation damage to the server I managed when some user's password was stolen and someone started to send spam using the stolen credentials. They hit the limit within minutes (something like no more than 120 mails per hour), and the compromised account became unable to send mail. Then we investigated what happened and explained it to the legitimate user of this account, changed their password and took other necessary measures to secure their system to prevent a repeat of this scenario.

If users have good passwords and secure systems, you are protected well enough to trust the authentication, so there should be no need to restrict a service to a few subnets. Honestly, if you don't trust your users that much, I believe the real problem lies somewhere outside the reach of technological measures, within administrative decisions.
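The policy service suggested at the top of this answer, and the per-user sending limit it goes on to recommend, can be combined in one small daemon speaking Postfix's SMTPD policy delegation protocol. The following is an added example written for this page, not code from the answer's author or from postfwd: it reads the name=value request Postfix sends, rejects authenticated submissions whose client_address lies outside the networks configured for that SASL username (users absent from the table are left alone), and defers the account once it exceeds a sliding-window recipient limit. The user table, the port 10040 and the master.cf lines in the docstring are assumptions for the example.

```python
"""Postfix SMTPD policy service (added example): per-SASL-user source-network
allowlist plus a per-user sending rate limit.

Assumed Postfix side, on the submission service in master.cf:
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=check_policy_service inet:127.0.0.1:10040,permit_sasl_authenticated,reject
check_policy_service must precede permit_sasl_authenticated, or authenticated
sessions are permitted before this service is ever consulted.
"""
import ipaddress
import logging
import socketserver
import threading
import time
from collections import defaultdict, deque

log = logging.getLogger("submission-policy")

# Hypothetical per-user allowlists for the example. Users absent from the
# table are not restricted by source network (the "dunno" case).
USER_NETWORKS = {
    "alice": ["192.0.2.0/24", "2001:db8:1::/48"],
    "bob": ["198.51.100.17/32"],
}
NETWORKS = {u: [ipaddress.ip_network(n) for n in nets] for u, nets in USER_NETWORKS.items()}
RATE_LIMIT, RATE_WINDOW = 120, 3600   # recipients per hour, as in the answer


def parse_request(data):
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in data.splitlines():
        if line:
            name, _, value = line.partition("=")
            attrs[name] = value
    return attrs


def address_allowed(user, client_address, networks=NETWORKS):
    """True if the user is unrestricted or the client address is in one of its networks."""
    nets = networks.get(user)
    if nets is None:
        return True
    if client_address.startswith("IPv6:"):   # tolerate a prefixed form defensively
        client_address = client_address[5:]
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False                         # unparseable address: fail closed
    return any(addr in net for net in nets)


class RateLimiter:
    """Sliding window: at most `limit` allowed events per `window` seconds per user."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)
        self.lock = threading.Lock()         # the server handles connections in threads

    def allow(self, user):
        now = self.clock()
        with self.lock:
            q = self.events[user]
            while q and now - q[0] >= self.window:
                q.popleft()                  # drop events older than the window
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def decide(attrs, limiter):
    """Return the Postfix policy action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    if not user:
        return "DUNNO"                       # not authenticated: leave it to other restrictions
    client = attrs.get("client_address", "")
    if not address_allowed(user, client):
        log.warning("user %s submitted from %s, outside its allowed networks; rejected", user, client)
        return "REJECT 5.7.1 Submission from your network is not permitted for this account"
    # Counting at RCPT state counts recipients, the number a spammer inflates.
    if attrs.get("protocol_state") == "RCPT" and not limiter.allow(user):
        log.warning("user %s exceeded %d recipients per %ds; deferred", user, limiter.limit, limiter.window)
        return "DEFER_IF_PERMIT 4.7.1 Sending rate limit exceeded, try again later"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve any number of requests on one connection, as Postfix expects."""

    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return                   # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break                    # empty line ends the request
                lines.append(line)
            action = decide(parse_request("\n".join(lines)), self.server.limiter)
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler)
    server.limiter = RateLimiter()
    server.serve_forever()
```

The out-of-network case is a permanent REJECT, which Postfix logs together with the client address and SASL username, while the rate limit answers DEFER_IF_PERMIT so a legitimate user who merely had a busy hour gets a retry rather than a bounce. The counters live in memory, so they reset when the daemon restarts; a production version would persist them or use a ready-made service such as postfwd.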

0

I see some possible ways to do it:

  1. Using restriction classes
  2. Using milters
  3. Using a policyd service with specific users added to dunno (so that not all users are checked)

