On Friday 28 May 2010 12:58:18 Josephus wrote:
> Hi,
>
> I'm trying to deploy dkim into a multi/virtualdomain environment where
> users send emails via sasl authentication. A common MTA setup doesn't
> check for sender address after the authentication is done.
are you talking about the From: header field or the envelope address?
Envelope is easy to deal with in the MTA (as below).
> Once I'm
> authenticated I can send mails using anything as the sender.
> So once a user is allowed to send, they would select an email address
> that's also on the system (on someone else's domain), the message will
> be signed with dkim, because the sender domain matches a key in the
> database. The receiving end will trust in the dkim signature however the
> whole message was forged from the beginning.
good point.
I think your options are:
1. http://www.postfix.org/MULTI_INSTANCE_README.html
or
2. setting a smtp transport (in master.cf) for every virtual domain that each
has its own header_checks with a pcre map ensuring the From header field
address is right.
Then set a sender_dependent_default_transport_maps for each virtual domain to
the transport with the header checks.
> I know it's not really a dkim issue, but you might have dealt with the
> situation before. Using Postfix I have thought about restricting sender
> addresses to the sasl authenticated username, but that would kill the
> feature where you can set up multiple identities in your MUA for all
> your aliases.
not quite. here's a solution: smtpd_sender_login_maps. It doesn't fix From
header fields but can be used with the ideas above.
$ postmap -q lists-admin mysql:/etc/postfix/mysql-maps-aliases.cf
christopher,daniel
This maps-alias maps it such that christopher and daniel can send as the alias
lists-admin
so:
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-login-maps.cf
    proxy:mysql:/etc/postfix/mysql-maps-aliases.cf
smtpd_restriction_classes = permit_out
permit_out = permit_mynetworks
    permit_tls_clientcerts
    reject_non_fqdn_sender
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
smtpd_sender_restrictions =
    permit_out
    reject_unknown_sender_domain
    check_sender_access hash:/etc/postfix/sender_access
    permit
also the following is useful:
smtpd_sasl_authenticated_header = yes
> Not to mention that we have some internal hosts for which we do not
> require authentication (such as webservers).
you could set them up with a sasl client auth. It depends if you've got
control over forgery on those servers.
> Thanks for your advice
> Jos.
Received on Sat May 29 2010 - 02:28:47 PST
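
Added example, not part of the original message or of Postfix: a pre-signing check that closes the gap discussed above by refusing to DKIM-sign unless the SASL login owns both the envelope sender and every From: header address. The function name, the map contents and the example.org/example.net addresses are assumptions made up for illustration; the login is read from the "(Authenticated sender: ...)" comment that smtpd_sasl_authenticated_header = yes adds to the Received header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for smtpd_sender_login_maps: sender address -> SASL
# logins allowed to use it (mirrors the lists-admin -> christopher,daniel lookup).
SENDER_LOGIN_MAP = {
    "lists-admin@example.org": {"christopher", "daniel"},
    "christopher@example.org": {"christopher"},
    "jos@example.net": {"jos"},
}

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")

def may_sign(raw_message, envelope_sender):
    """Return (ok, reason); ok only if the login may use every sender address."""
    msg = message_from_string(raw_message)
    # Trust only the topmost Received header (prepended by our own smtpd);
    # any lower one arrived with the message and could have been injected.
    m = AUTH_RE.search(msg.get("Received", ""))
    if not m:
        return False, "no authenticated sender"
    login = m.group(1).strip()
    froms = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    if not froms:
        return False, "no From address"
    for addr in [envelope_sender.lower()] + froms:
        if login not in SENDER_LOGIN_MAP.get(addr, set()):
            return False, f"{login} may not send as {addr}"
    return True, "ok"

# Constructed sample: the envelope passes the login map, the From: header does not.
FORGED = (
    "Received: from laptop (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: christopher)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id ABC123\n"
    "From: Jos <jos@example.net>\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: daniel legitimately sending as the lists-admin alias.
ALIAS = FORGED.replace("christopher", "daniel").replace(
    "Jos <jos@example.net>", "Lists <lists-admin@example.org>")

if __name__ == "__main__":
    print(may_sign(FORGED, "christopher@example.org"))
    print(may_sign(ALIAS, "lists-admin@example.org"))
```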