How to restrict SASL login for a user on postfix level?
Overview: We can restrict SASL login for a user on postfix level in Zimbra. Sometime a system administrator needs to block SASL authentication of a user due to various reasons like company policy where web-client is allowed only for some users, account was compromised and spammer is sending spam emails using SASL authentication etc.
Here are the steps to do so.
1. Switch to Zimbra user and open smtpd_sender_restrictions.cf using vim editor.
su - zimbra vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
2. Add this line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access between "permit_mynetworks and permit_sasl_authenticated".
permit_mynetworks, reject_sender_login_mismatch check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block permit_sasl_authenticated
3. Create sasl_access_block file and add a user which has to be restricted using sasl authentication.
vim /opt/zimbra/conf/sasl_access_block firstname.lastname@example.org REJECT Sorry, you are not allowed to use SMTP SASL authentication.
Note: You may also use other condition like HOLD or DISCARD etc.
4. Save this file and run postmap command.
5. Reload postfix service.
The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication.
Log lines from zimbra.log
Oct 5 14:00:33 proxy postfix/smtps/smtpd: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <email@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected
The following sample email is received by restricted user.
|Submitted by: Prabhat Kumar|