Conditional SASL authentication

Reindl Harald h.reindl at thelounge.net
Tue Feb 24 19:05:35 UTC 2015



On 24.02.2015 at 19:48, Adrian Minta wrote:
> On 24.02.2015 20:40, Reindl Harald wrote:
>>
>>
>> On 24.02.2015 at 19:37, Adrian Minta wrote:
>>> On 24.02.2015 20:29, Reindl Harald wrote:
>>>>
>>>> don't allow senders which you would not receive mail for - period
>>>>
>>> Seems interesting, at least until the bots adapt to this.
>>> Any idea how could this be implemented?
>>
>> with the configuration i have posted in that thread?
>>
>> for me that was a prerequisite before even considering putting my first
>> mailserver setup on a public IP and that's enforced even on any
>> webserver here by shared database tables
>
> Oops ... sorry, reject_authenticated_sender_login_mismatch from
> smtpd_sender_restrictions ofc.
> I was thinking about not accepting mails from users/ip which don't do at
> least one pop3 or imap read before sending

pop-before-smtp was a completely broken idea 15 years ago and is now much 
more so after having a ton of clients behind carrier-grade NAT (mobile 
devices and all that stuff)

* implement SMTP auth properly
* enforce SMTP auth unconditionally
* don't allow foreign sender domains

if you can't do those 3 things, don't run a public mailserver
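
A Postfix submission setup matching the three points above, as an added example that is not the configuration referred to in this thread. The file paths, the Dovecot auth socket path and the map entries are assumptions.

```conf
# --- /etc/postfix/main.cf (path assumed) ---
# Point 1: SMTP AUTH backed by Dovecot's auth socket (socket path assumed,
# relative to the Postfix queue directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Never offer AUTH on a cleartext connection.
smtpd_tls_auth_only = yes

# Which SASL login owns which envelope sender address.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# --- /etc/postfix/master.cf (path assumed) ---
# Point 2: on the submission port every client must authenticate;
# anything else is rejected before MAIL FROM is even evaluated.
# Point 3: an authenticated login may only use sender addresses that the
# map assigns to it, so a sender in a foreign domain has no owner entry
# and is rejected.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch

# --- /etc/postfix/sender_login_maps (constructed sample entries) ---
# Left: envelope sender address. Right: SASL login name(s) allowed to use it.
# Rebuild the lookup table with "postmap" after every change.
alice@example.org    alice@example.org
sales@example.org    alice@example.org, bob@example.org
```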
