On February 2, 2010 10:05:47 PM +0100 Edgar Fuß <ef@math.uni-bonn.de> wrote:

I would like deliver to reject certain users. Since supposedly deliver only uses userdb, not passwd, I can't use deny=yes for that. Or does userdb support deny=yes?

According to the docs, it doesn't. So you'd have to remove them from the userdb. You didn't say what type of userdb you are using so hard to say how hard that would be.

Yes, I should rather reject them right in the MTA, but that currently takes too long to implement. Or how to reject gast* in postfix using nss authentication?

That depends on the system you are using (different nss support in different systems) and what the nss backend is. But, if you are using nss_ldap, it might allow you to construct a search filter to exclude those users. Or you might put an ACL on your LDAP server to not return the entries for those users to your MTA (or perhaps to anyone).

-frank

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On Tue, 2 Feb 2010, Edgar Fuß wrote:

Yes, I should rather reject them right in the MTA, but that currently takes too long to implement. Or how to reject gast* in postfix using nss authentication?

http://ixquick.com/do/metasearch.pl?query=postfix+access+map+reject

http://www.securityfocus.com/infocus/1598

"Recipient Restrictions Our last restriction is based on the message recipient (again, the address listed in the 'RCPT TO' SMTP dialog, not the 'To:' address). The recipient restrictions are similar to the sender restrictions, namely reject_known_recipient_domain, reject_non_fqdn_recipient, and check_recipient_access, and they work in the same manner. Thus, you could include the following options in addition to any you already have: smtpd_recipient_restriction = (other restrictions here) check_recipient_access maptype:mapname, reject_non_fqdn_recipient, reject_unknown_recipient_domain "

http://www.postfix.org/access.5.html

or alias the GAST-accounts to something non-existing, e.g.

gast01: "|exit 67"

http://www.postfix.org/aliases.5.html

Regards,

Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBS2l0Dr+Vh58GPL/cAQKYBQgAg8q8lVzTIH3Hx49Ta9qXpx1o+epvBxdf tIqhfkIG1NHny6IyuExFy4rHctSiTq2/yMzXKmYLYnZGdn1NRqO4mje9HNhNcL5i t6ZLun+4iv0oWI4FVLkyykca87huSf4xqFJhUAHp5chiqc+o1zadpkRCAf5dWODv 2fcpkF9EUfVcw525JE2ooS/oNEWGZQacVu6RasyUUVf0rayMeWJ3Cr0Niq51rtAq 2uw/FUnc0tz+TYjbV3jKS+qx/kKOupBuM2np9x3ByGwUno+0s9DKBQ2AGbD8WcOK 4AinB8xGKKltpbM35zxxZPMgLDDtkuvJgjggfE9jmdebws8/SCzixw== =tjYe -----END PGP SIGNATURE-----