From kolab-users Wed Feb 15 18:21:39 2006
From: Adam Tworkowski
Date: Wed, 15 Feb 2006 18:21:39 +0000
To: kolab-users
Subject: Re: Forged header detection and selective filtering (Postfix help
Message-Id: <1140027699.8509.26.camel () atworkowski-ubuntu>
X-MARC-Message: https://marc.info/?l=kolab-users&m=117347243411909

I am trying to allow certain email addresses using my local domain (say
fakeuser@domain.com) to send mail from remote networks to valid local
users (i.e. realuser@domain.com). Basically I am trying to poke a hole in
Kolab's UCE policy on a per sender basis through Postfix.

I am adding the sender's address to /kolab/etc/postfix access (which is
otherwise empty) and mapping it with /kolab/sbin/postmap access.

| fakeuser@domain.com OK

I am then changing the following line in Postfix's main.cf from:

    smtpd_sender_restrictions = permit_mynetworks, check_policy_service unix:private/kolabpolicy

to:

    smtpd_sender_restrictions = check_sender_access hash:/kolab/etc/postfix/access, permit_mynetworks, check_policy_service unix:private/kolabpolicy

When attempting to send mail as the user I get the following (note that
I am definitely not on a network local to Postfix):

    telnet 192.168.1.10 25
    Trying 192.168.1.10...
    Connected to 192.168.1.10.
    Escape character is '^]'.
    220 kolab01.domain.com ESMTP Postfix
    ehlo hotmail.com
    250-kolab01.domain.com
    250-PIPELINING
    250-SIZE 20971520
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME
    MAIL FROM: fakeuser@domain.com
    250 Ok
    RCPT TO: realuser@domain.com
    554 : Sender address rejected: Invalid sender

Am I going about this the right way? Is there another filter getting in
the way? What am I missing? Also, if an address is not present during
the "check_sender_access" check am I expecting it to bail, or move on to
permit_mynetworks?

Any help would be much appreciated.

Thanks.
-Adam

On Tue, 2006-14-02 at 13:14 -0500, Adam Tworkowski wrote:
> Hi,
>
> Our Kolab server (correctly) detects forged "from" headers so that if
> you say you are "user@domain.com" where domain.com is local, and you are
> sending from somewhere that is not domain.com, your message is
> refused. How would I go about allowing certain "users" to by-pass this
> feature so that user1@domain.com can be delivered as if local even
> though the headers are really forged?
>
> We have a business requirement to accept mail "from" certain "accounts"
> that aren't local (affiliate users who we don't necessarily want on our
> mail system, as well as some forwarders from an external mail system
> via /etc/aliases).
>
> Thanks in advance.

-- 
Regards,
Adam Tworkowski, atworkowski@masterfile.com
Systems Administrator, Computer Department
Masterfile Corporation, www.masterfile.com
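
A simplified model of how Postfix evaluates restriction lists, applied to the configuration in the message above; it is an added illustration, not part of the original post and not Postfix or Kolab code. It shows that a missing access-map key yields DUNNO (evaluation continues with the next restriction) and that an OK ends only the list it appears in. The kolabpolicy stand-in, the mynetworks value, the client addresses, and the presence of the policy service under smtpd_recipient_restrictions are assumptions.

```python
# Simplified model of Postfix smtpd_*_restrictions evaluation.
# Constructed for illustration; not Postfix or Kolab code.
ACCESS = {"fakeuser@domain.com": "OK"}   # the access map entry from the post
MYNETWORKS = ("127.", "10.0.0.")         # assumed mynetworks (crude prefix match)
LOCAL_DOMAIN = "domain.com"

def check_sender_access(s):
    # No matching key means DUNNO: evaluation moves to the next restriction.
    return ACCESS.get(s["sender"].lower(), "DUNNO")

def permit_mynetworks(s):
    return "OK" if s["client"].startswith(MYNETWORKS) else "DUNNO"

def kolabpolicy(s):
    # Hypothetical stand-in for the kolabpolicy service: refuse a local
    # sender domain on an unauthenticated session.
    if s["sender"].endswith("@" + LOCAL_DOMAIN) and not s["authenticated"]:
        return "REJECT"
    return "DUNNO"

def evaluate(restrictions, s):
    """Left to right; the first OK or REJECT ends this list only."""
    for r in restrictions:
        verdict = r(s)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "DUNNO", None

def smtp_decision(lists, s):
    """Every list is evaluated; an OK in one list does not skip the others."""
    for name, restrictions in lists:
        verdict, by = evaluate(restrictions, s)
        if verdict == "REJECT":
            return "REJECT", name, by
    return "ACCEPT", None, None

SENDER = [check_sender_access, permit_mynetworks, kolabpolicy]
# Assumption: the same policy service is also listed under
# smtpd_recipient_restrictions; the post does not show that setting.
RECIPIENT = [permit_mynetworks, kolabpolicy]

def session(sender, client="203.0.113.7", authenticated=False):
    return {"sender": sender, "client": client, "authenticated": authenticated}

if __name__ == "__main__":
    both = [("sender", SENDER), ("recipient", RECIPIENT)]
    print(evaluate(SENDER, session("fakeuser@domain.com")))
    print(evaluate(SENDER, session("other@domain.com")))
    print(smtp_decision(both, session("fakeuser@domain.com")))
```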