SASL authentication - first local and then AD in postfix

1 vote
0 answers
97 views
I am trying to set up sender access maps for restricting the mail from address. However, I want to allow specific users to use a different mailfrom. Users are authenticated by SASL (AD authentication configured within SASL) to connect on port 587 to Postfix. In our scenario the Postfix server is being used as a relay host which is going to accept emails from multiple apps (using different domains).

Requirement for setting the mailfrom map:

- user1: notify@abc.com, no-reply@abc.com, noreply@xyz.com, noreply@def.com
- user2: noreply@example.com, noreply@example1.com
- user3: @foo.org - can use any mailfrom address within this domain

I am able to set up SASL authentication via AD and also able to set up sender access maps; however, in the sender_login file I have to mention all from addresses together. But we want to allow according to the above example. Is it possible to do so?

So two questions:

- Is it possible for SASL to look for local auth and then go to AD?
- How do I set up the above requirement to allow users to set particular mailfrom addresses?

Configuration files:

main.cf:
compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, example.com, foo.com
unknown_local_recipient_reject_code = 550
mynetworks = 10.1.1.100, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 1
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = no
smtpd_tls_cert_file = /etc/ssl/example.com/server.pem
smtpd_tls_key_file = /etc/ssl/example.com/server.key
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
smtp_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_error_sleep_time = 0
smtpd_data_restrictions = reject_unauth_pipelining
qmgr_message_active_limit = 40000
qmgr_message_recipient_limit = 40000
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 104857600
message_size_limit = 26214400
default_process_limit = 500
smtpd_client_connection_count_limit = 500
home_mailbox = Maildir/
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, reject_unauth_destination
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_login, reject_sender_login_mismatch
master.cf:
smtp      inet  n       -       n       -       -       smtpd
2525      inet  n       -       n       -       -       smtpd -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject,reject
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
sender_login:
noreply@example.com OK
noreply@abc.com OK
noreply@def.com OK
# cat /etc/saslauthd.conf
ldap_servers: ldaps://10..1.11
ldap_search_base: ccccccc
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: ccccccc
ldap_password: cccccc
ldap_tls_reqcert: never
Asked by sunny_hkhk (11 rep)
Jul 4, 2024, 06:37 AM
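The following is an added example, not part of the question or of Postfix itself. It models how Postfix resolves `smtpd_sender_login_maps` for `reject_sender_login_mismatch` (documented lookup order: `user@domain`, then bare `user` for local domains, then `@domain`; the right-hand side is the list of SASL login names that own the address) and runs the per-user requirement from the question through that logic. The `SENDER_LOGIN_TABLE` text is a constructed replacement for the posted `sender_login` file: the owner column holds login names, because a value of `OK` in that table would only ever match a client whose SASL login is literally `OK`. The local-domain set is taken from the posted `$mydestination`; the `alerts@` and `postmaster` rows are extra constructed entries to show multi-owner and bare-user lookups.

```python
"""Simulation of Postfix smtpd_sender_login_maps + reject_sender_login_mismatch.

Added example, not Postfix code: it reproduces the documented lookup order so
that a sender_login table can be checked against expected outcomes offline.
"""

from typing import Dict, List, Optional

# Domains Postfix treats as local ($myorigin / $mydestination in the posted main.cf).
LOCAL_DOMAINS = {"example.com", "foo.com", "mail.example.com",
                 "localhost", "localhost.example.com"}

# Constructed sender_login table in hash: source format.
# Key = MAIL FROM address or @domain; value = owning SASL login name(s).
SENDER_LOGIN_TABLE = """\
# MAIL FROM address          owner login(s)
notify@abc.com               user1
no-reply@abc.com             user1
noreply@xyz.com              user1
noreply@def.com              user1
noreply@example.com          user2
noreply@example1.com         user2
@foo.org                     user3
alerts@example.com           user1, user2
postmaster                   user2
"""


def parse_sender_login_table(text: str) -> Dict[str, List[str]]:
    """Parse 'key login[, login...]' lines; '#' starts a comment. Keys are lowercased."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key with no owner list is ignored, like an empty RHS
        key, rhs = parts
        table[key.lower()] = [t for t in rhs.replace(",", " ").split() if t]
    return table


def lookup_owners(table: Dict[str, List[str]], sender: str,
                  local_domains=LOCAL_DOMAINS) -> List[str]:
    """Return the owners of a MAIL FROM address using Postfix's documented order:
    1) user@domain  2) user (only if domain is local)  3) @domain."""
    sender = sender.lower()
    if "@" not in sender:
        return []
    user, domain = sender.rsplit("@", 1)
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return []


def sender_login_mismatch(table: Dict[str, List[str]], sasl_username: Optional[str],
                          sender: str, local_domains=LOCAL_DOMAINS) -> str:
    """Decide as reject_sender_login_mismatch would: 'REJECT' or 'DUNNO'.

    Rejects when the address has an owner and the client is not logged in as one
    of them, and when an authenticated client uses an address with no owner.
    Login names are compared case-insensitively in this model (assumption).
    """
    owners = [o.lower() for o in lookup_owners(table, sender, local_domains)]
    if sasl_username is None:
        return "REJECT" if owners else "DUNNO"
    return "DUNNO" if sasl_username.lower() in owners else "REJECT"


if __name__ == "__main__":
    table = parse_sender_login_table(SENDER_LOGIN_TABLE)
    cases = [("user1", "notify@abc.com"), ("user2", "notify@abc.com"),
             ("user3", "anything@foo.org"), ("user1", "anything@foo.org"),
             (None, "noreply@example.com"), ("user2", "postmaster@example.com")]
    for login, sender in cases:
        print(f"{login!s:6} {sender:28} -> {sender_login_mismatch(table, login, sender)}")
```

Two points the run makes visible: the `@foo.org` row lets `user3` use any local part in that domain while every other login is rejected for it, and the bare `postmaster` row only matches when the domain part is one of the local domains. Note also that `check_sender_access` expects access actions (`OK`, `REJECT`, ...) as values, so the file used there and the file used for `smtpd_sender_login_maps` must be separate tables.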