Hello,
On Mon, Feb 19, 2007 at 06:10:33PM +0100, Peter Velan wrote:
> On 19.02.2007 16:45, David Woodhouse wrote:
> > On Mon, 2007-02-19 at 15:06 +0100, Peter Velan wrote:
> >> all users which are allowed to send via our MTA must authenticate first.
> >>
> >> Could I block any non-authenticated senders (forging envelope from like
> >> "*@ourdomain-#.tld") with the following construction?
> >>
> >> ...
> >> acl_smtp_rcpt = acl_check_rcpt
> >> ...
> >> begin acl
> >> acl_check_rcpt:
> >> ...
> >> accept authenticated = *
> >>
> >> deny !authenticated = *
> >>      senders = *@*.ourdomain-1.tld:*@*.ourdomain-2.tld
> >> ...
> >>
> >> Should I be aware of any side effects?
> >
> > You'll be rejecting any mail which is forwarded to one of your users,
> > but which also originated from one of your users.
>
> How that? If one of my users is forwarding with his mail client then he
> must authenticate before.

If the forwarding server is not your server, the sender will receive a
bounce mail.

In more detail:
- your user sends a mail using SMTP AUTH via your mail server to an
  external address
- the mail server responsible for this domain forwards the mail to
  some recipients including the original sender
- your mail server in turn rejects the forwarded mail because it was
  not sent via SMTP AUTH
- your user will receive an error mail from the forwarding mail server

I would strongly recommend not to implement this kind of blocking.

--
Gruss / Best regards | LF.net GmbH | fon +49 711 90074-411
Matthias Waffenschmidt | Ruppmannstr. 27 | fax +49 711 90074-33
mw@??? | D-70565 Stuttgart | http://www.lf.net
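
Added example, not part of the original message and not Exim code: a small Python model of the quoted ACL fragment, run over constructed sessions that follow the forwarding scenario described above. The Session class, the helper names and all addresses are assumptions made for illustration, and the pattern matching assumes Exim's rule that a leading asterisk matches any prefix.

```python
from dataclasses import dataclass

# Address patterns copied from the quoted "senders =" line.
SENDER_PATTERNS = ["*@*.ourdomain-1.tld", "*@*.ourdomain-2.tld"]

@dataclass
class Session:
    label: str
    authenticated: bool  # did the connecting client complete SMTP AUTH?
    envelope_from: str   # MAIL FROM seen by the receiving server

def _tail_match(pattern, value):
    # Assumed Exim rule: after a leading "*", the rest of the pattern must
    # equal the end of the value; without "*", the match is exact.
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def sender_matches(address, patterns=SENDER_PATTERNS):
    local, _, domain = address.rpartition("@")
    for pattern in patterns:
        p_local, _, p_domain = pattern.rpartition("@")
        if _tail_match(p_local, local) and _tail_match(p_domain, domain.lower()):
            return True
    return False

def acl_check_rcpt(session):
    if session.authenticated:                  # accept authenticated = *
        return "accept"
    if sender_matches(session.envelope_from):  # deny !authenticated = * / senders = ...
        return "deny"
    return "continue"  # handled by the elided remainder of the ACL

# Constructed sessions: hosts and addresses are illustrative.
SESSIONS = [
    Session("user submits via SMTP AUTH", True, "alice@mail.ourdomain-1.tld"),
    Session("external server forwards alice's mail back", False, "alice@mail.ourdomain-1.tld"),
    Session("unauthenticated forger", False, "alice@mail.ourdomain-1.tld"),
    Session("unrelated outside sender", False, "bob@example.org"),
]

def evaluate(sessions=SESSIONS):
    return {s.label: acl_check_rcpt(s) for s in sessions}

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{verdict:8} {label}")
```

The forwarded copy and the forged message get the same verdict because the fragment sees only the AUTH state and the envelope sender. In this model the patterns as written also leave an address directly at ourdomain-1.tld (no subdomain) unmatched.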