If you are hosting a sending infrastructure, it may be a good idea to restrict each SASL username to a fixed set of sending domains in order to prevent abuse. Your users may already have their sending domain in the SASL username, or you may need to look up this information in an external database.
To check that the domain part of the SASL username matches the sending domain:
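// Only authenticated clients may relay
if (!$saslauthed) Reject("Authentication Required");
// Split the SASL username into local part and domain
[$localpart, $domain] = explode("@", $saslusername, -2);
// Accept only when the username's domain is the sender domain
if ($domain == $senderdomain)
    Accept();
Reject("$saslusername is not allowed to relay for $senderdomain");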
To match the SASL username against one or more domains in an external list:
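// Only authenticated clients may relay
if (!$saslauthed) Reject("Authentication Required");
// Accept only when this user is sending from one of its listed domains
if ($saslusername == "john.doe" and in_array($senderdomain, ["example.com", "example.net"]))
    Accept();
Reject("$saslusername is not allowed to relay for $senderdomain");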
This check can be done in the MAIL FROM context or at any later stage.
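The following is an added example, not code from the original article and not Halon HSL: a Python model of the same relay decision that combines both variants (per-user domain list plus the domain part of the SASL username) and goes slightly beyond the article by normalising case and a trailing dot before comparing. The `ALLOWED_DOMAINS` table, the function names and the sample addresses are assumptions made for illustration.

```python
# Constructed lookup table standing in for the "external list" (assumption).
ALLOWED_DOMAINS = {
    "john.doe": {"example.com", "example.net"},
}

def normalize_domain(domain):
    """Canonical form for comparison: no trailing dot, lower case."""
    return domain.strip().rstrip(".").lower()

def sender_domain(mail_from):
    """Domain of the envelope sender, or None for an empty or malformed one."""
    if "@" not in mail_from:
        return None
    # rsplit keeps quoted local parts containing "@" from shifting the domain.
    return normalize_domain(mail_from.rsplit("@", 1)[1]) or None

def relay_decision(sasl_username, mail_from, allowed=ALLOWED_DOMAINS):
    """Return (accepted, reason) for one MAIL FROM command."""
    if not sasl_username:
        return False, "Authentication Required"
    domain = sender_domain(mail_from)
    if domain is None:
        # As in the article's checks, an empty sender domain never matches.
        return False, "sender has no domain"
    # Variant 2: explicit per-user domain list.
    permitted = set(allowed.get(sasl_username, ()))
    # Variant 1: the domain part of the SASL username itself.
    if "@" in sasl_username:
        permitted.add(normalize_domain(sasl_username.rsplit("@", 1)[1]))
    permitted.discard("")
    # Exact match only: no suffix or substring matching, so neither
    # "example.org.evil.test" nor "sub.example.org" passes for "example.org".
    if domain in permitted:
        return True, "ok"
    return False, f"{sasl_username} is not allowed to relay for {domain}"

if __name__ == "__main__":
    for user, sender in [("alice@example.org", "Bob@EXAMPLE.ORG."),
                         ("john.doe", "news@example.net"),
                         ("john.doe", "news@example.org"),
                         ("alice@example.org", "x@example.org.evil.test")]:
        print(user, sender, relay_decision(user, sender))
```

Comparing exact, normalised domains is the design choice to carry over to the HSL rule: a case difference in the sender domain should not reject a legitimate user, and a look-alike suffix should never be accepted.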