Giters

ipcjk / postfixauth

postfixauth(user) limits the access to postfix sendmail-routine and smtp-auth-routine by checking the rate of sent emails in a given time period. Its small and easy to configure.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

/ Copyright © 2018 Jörg Kost, joerg.kost@gmx.com
// License: https://creativecommons.org/licenses/by-nc-sa/4.0/

postfixprotect limits the access to postfix sendmail-routine and
sasl-smtp-auth senders by checking the rate of sent emails in a
given timeperiod.

building)
cd postfixprotect
make

running with defaults)
./postfixprotect -sendmailprotect -saslprotect

command line parameters:
- bind => ip and port for socket
- sendmailprotect => run sendmail
- saslprotect => run sasl protection
- debug => set debug printouts

1.) setup postfix configuration for /usr/sbin/sendmail protection:

You need tell postfix to connect to the socket and ask for the sending permission.
E.g. on my systems I use something like this:

postconf -e "authorized_submit_users = tcp:localhost:8443"
postconf -e "authorized_mailq_users = root, nagios, postfix"
postconf -e "authorized_flush_users = root, nagios, postfix"

This will also limit access to the mailq-commands.

2.) setup postfix configuration for sasl sender protection:

For the sasl protection you need to add a clause with host and port to your
restriction limits, e.g.

smtpd_recipient_restrictions = check_policy_service inet:[127.0.0.1]:9443, ...

3.) central usage)

postfixprotect can run on a central network machine and therefore will build a
map with a key concating the user-name and the clients ip addresses.

background)
The program currently does not daemonize itself, so you may want start it
with nohup, a systemd starter file, screen, supervisord.

It is also lazy and only purges old map entries, when the user is sending more
mails.

try out sendmail, protection)
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
web87@my01:~$ /usr/sbin/sendmail -t jk@myself
postdrop: fatal: User web87(1467) is not allowed to submit mail
mail.log:
Jun 20 07:45:12 my01 postfix/postdrop[5611]: fatal: User web87(1431) is not allowed to submit mail

try out sasl protection)
echo -e  "request=smtp\nsasl_username=web1\n" | nc localhost 9443
200 OK (1)
echo -e  "request=smtp\nsasl_username=web1\n" | nc localhost 9443

About

postfixauth(user) limits the access to postfix sendmail-routine and smtp-auth-routine by checking the rate of sent emails in a given time period. Its small and easy to configure.

Languages

Language:Go 100.0%