How to restrict SASL login for a user on postfix level?
How to restrict SASL login for a user on postfix level in Zimbra? Sometimes a system administrator needs to block SASL authentication for a user, for example because company policy allows only the web client for some users, or because an account was compromised and a spammer is sending spam emails through it using SASL authentication.
Here are the steps to do so.
1. Switch to the zimbra user and open smtpd_sender_restrictions.cf in the vim editor.
su - zimbra
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
2. Add the line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block between permit_mynetworks and permit_sasl_authenticated.
permit_mynetworks, reject_sender_login_mismatch
check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block
permit_sasl_authenticated
3. Create the sasl_access_block file and add the user whose SASL authentication is to be restricted.
vim /opt/zimbra/conf/sasl_access_block
firstname.lastname@example.org REJECT Sorry, you are not allowed to use SMTP SASL authentication.
Note: Other actions, such as HOLD or DISCARD, can also be used.
4. Save this file and run the postmap command.
5. Reload the postfix service.
If a restricted user tries to send an email using SASL authentication, log entries like the following show up in zimbra.log and the user should see the rejection message.
Log lines from zimbra.log
Oct 5 14:00:33 proxy postfix/smtps/smtpd: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <email@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected
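To confirm the block is working and to see where a blocked account is still being tried from, the reject lines can be tallied per SASL login and client IP. The following Python is an added example, not part of the original article; the sample log lines, the addresses and the names parse_rejects and summarize are constructed for illustration.

```python
import re
from collections import Counter

# Reject line written by smtpd when check_sasl_access returns REJECT, in the
# layout of the zimbra.log entry above. Service name and PID are optional.
REJECT_RE = re.compile(
    r"postfix/(?:(?P<service>[\w-]+)/)?smtpd(?:\[\d+\])?: NOQUEUE: reject: "
    r"(?P<stage>\w+) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<login>[^>]*)>: "
    r"SASL login name rejected: (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(lines):
    """Yield a dict of fields for every blocked SASL login found in lines."""
    for line in lines:
        match = REJECT_RE.search(line)
        if match:
            yield match.groupdict()

def summarize(lines):
    """Return (attempts per (login, ip), logins tried from more than one IP)."""
    attempts = Counter()
    sources = {}
    for rec in parse_rejects(lines):
        attempts[(rec["login"], rec["ip"])] += 1
        sources.setdefault(rec["login"], set()).add(rec["ip"])
    multi_source = sorted(login for login, ips in sources.items() if len(ips) > 1)
    return attempts, multi_source

# Constructed sample input (not real log data); documentation addresses only.
TMPL = ("Oct  5 14:0{n}:33 proxy postfix/{svc}/smtpd[210{n}]: NOQUEUE: reject: "
        "RCPT from unknown[{ip}]: 554 5.7.1 <{user}>: SASL login name rejected: "
        "Sorry, you are not allowed to use SMTP SASL authentication.; "
        "from=<{user}> to=<rcpt@example.net> proto=ESMTP helo=<HOST>")
SAMPLE_LOG = [
    TMPL.format(n=0, svc="smtps", ip="192.0.2.10", user="blocked.user@example.org"),
    TMPL.format(n=1, svc="submission", ip="198.51.100.7", user="blocked.user@example.org"),
    TMPL.format(n=2, svc="smtps", ip="192.0.2.10", user="blocked.user@example.org"),
    TMPL.format(n=3, svc="smtps", ip="203.0.113.5", user="other.user@example.org"),
    "Oct  5 14:04:10 proxy postfix/smtps/smtpd[2104]: connect from unknown[192.0.2.10]",
]

if __name__ == "__main__":
    attempts, multi_source = summarize(SAMPLE_LOG)
    for (login, ip), count in sorted(attempts.items()):
        print(f"{login} from {ip}: {count} rejected attempt(s)")
    print("blocked logins still tried from several IPs:", multi_source)
```

A blocked login that keeps appearing from several client IPs suggests its credentials are still in circulation, so the password should be reset in addition to the SASL block.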
Submitted by: Prabhat Kumar