Discussion:
RFE: A general identity to sender mapping
(too old to reply)
Patrick Ben Koetter
2011-05-30 13:16:45 UTC
Permalink
Wietse,

we've already discussed this once and I would like to catch up on the idea to
expand SASL login to sender mapping to a more general identity to sender
mapping.

Status Quo
Postfix currently supports SASL login name to envelope sender mapping in order
to control which SASL login name may use a particular envelope sender address.

Goal
I suggest to open this mapping to a more generic context where also TLS client
certificate fingerprints and TLS client public key fingerprints may be used to
associate them with an envelope sender address.

The map logic as well as the restrictions to enforce usage identity to
envelope sender are already in place, but their names are specific to SASL
login names.

I propose we add functionality to identify clients by TLS client
certificate fingerprints and TLS client public key fingerprints and
additionally change the SASL login specific names to a more generic form that
makes them recognizable in a wider context.

I've used existing documentation to demonstrate how these names could change
(see attached smtpd_identity_sender_mapping.txt) and what their purpose would
be. Whenever I changed an options name I've put the old on in square brackets
behind the new name.

Additionally I suggest I'd write documentation that extracts relevant parts
from TLS_README and SASL_README and brings them together in a new
IDENTITY_README.

***@rick

P.S.
In an even wider scope it might be interesting to map a client IP address to a
sender name. One could restrict a satellite server to e.g. use only
***@satellite as envelope sender limiting it to something cron messages only.
Not sure if this is a real good feature, but it fits in the context of mapping
an identity to a sender name.
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Victor Duchovni
2011-05-31 14:23:59 UTC
Permalink
Post by Patrick Ben Koetter
Status Quo
Postfix currently supports SASL login name to envelope sender mapping in order
to control which SASL login name may use a particular envelope sender address.
Note, there is only an "inverse" mapping, from sender address to a list
of SASL logins. There is no mapping with SASL login names as keys.
Post by Patrick Ben Koetter
The map logic as well as the restrictions to enforce usage identity to
envelope sender are already in place, but their names are specific to SASL
login names.
Specifically, we have: smtpd_sender_login_maps
Post by Patrick Ben Koetter
smtpd_identity_sender_maps (default: $smtpd_login_sender_maps)
The default value is not an existing parameter. I think you mean:

smtpd_sender_identity_maps (default: $smtpd_sender_login_maps)

Otherwise, this looks doable, modulo fine-tuning the specific parameter
names.
--
Viktor.
Patrick Ben Koetter
2011-06-01 14:40:20 UTC
Permalink
Post by Victor Duchovni
Post by Patrick Ben Koetter
Status Quo
Postfix currently supports SASL login name to envelope sender mapping in order
to control which SASL login name may use a particular envelope sender address.
Note, there is only an "inverse" mapping, from sender address to a list
of SASL logins. There is no mapping with SASL login names as keys.
Yes, I got that wrong.
Post by Victor Duchovni
Post by Patrick Ben Koetter
The map logic as well as the restrictions to enforce usage identity to
envelope sender are already in place, but their names are specific to SASL
login names.
Specifically, we have: smtpd_sender_login_maps
Post by Patrick Ben Koetter
smtpd_identity_sender_maps (default: $smtpd_login_sender_maps)
smtpd_sender_identity_maps (default: $smtpd_sender_login_maps)
Same here. :/
Post by Victor Duchovni
Otherwise, this looks doable, modulo fine-tuning the specific parameter
names.
That's great news. What do you think about the idea to create another mapping
from envelope senders to IP addresses? It fits into the scheme of identity
mapping, but is it useful?

***@rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Victor Duchovni
2011-06-01 14:54:04 UTC
Permalink
Post by Patrick Ben Koetter
Post by Victor Duchovni
Otherwise, this looks doable, modulo fine-tuning the specific parameter
names.
That's great news. What do you think about the idea to create another mapping
from envelope senders to IP addresses? It fits into the scheme of identity
mapping, but is it useful?
I am not a big fan of this. At the very least this would need to map
to a list of CIDR blocks, rather than single IP addresses, but I don't
see much point. An IP address is not an identity IMHO, a client should
authenticate with SASL when access is selective.
--
Viktor.
Wietse Venema
2011-06-01 15:00:42 UTC
Permalink
Post by Victor Duchovni
Post by Patrick Ben Koetter
Post by Victor Duchovni
Otherwise, this looks doable, modulo fine-tuning the specific parameter
names.
That's great news. What do you think about the idea to create another mapping
from envelope senders to IP addresses? It fits into the scheme of identity
mapping, but is it useful?
I am not a big fan of this. At the very least this would need to map
to a list of CIDR blocks, rather than single IP addresses, but I don't
see much point. An IP address is not an identity IMHO, a client should
authenticate with SASL when access is selective.
I agree: a sender is not an IP address. We use authentication to
get positive evidence about who or what is sending email.

Whitelisting by IP address is OK for postscreen, because that is
merely a filter that decides if one can talk to Postfix at all.

Wietse
Patrick Ben Koetter
2011-10-29 19:18:56 UTC
Permalink
Post by Victor Duchovni
Post by Patrick Ben Koetter
Status Quo
Postfix currently supports SASL login name to envelope sender mapping in order
to control which SASL login name may use a particular envelope sender address.
Note, there is only an "inverse" mapping, from sender address to a list
of SASL logins. There is no mapping with SASL login names as keys.
Post by Patrick Ben Koetter
The map logic as well as the restrictions to enforce usage identity to
envelope sender are already in place, but their names are specific to SASL
login names.
Specifically, we have: smtpd_sender_login_maps
Post by Patrick Ben Koetter
smtpd_identity_sender_maps (default: $smtpd_login_sender_maps)
smtpd_sender_identity_maps (default: $smtpd_sender_login_maps)
Otherwise, this looks doable, modulo fine-tuning the specific parameter
names.
I can't program. Also given Wietse recent writing he'd rather not accept
patches than write the code himself I'd like to ask if there's interest and
time to add the above mentioned functionality before Postfix 2.9 will be
released.

I still would write documentation that extracts relevant parts from TLS_README
and SASL_README and bring those together in a new IDENTITY_README.

Given my current workload I could start working on my part early December.

***@rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Loading...