If you are hosting a sending infrastructure, it may be a good idea to restrict a specific SASL username to a fixed set of sending domains in order to prevent abuse. It could be that you already have users with their sending domain in the SASL username or that you need to look up this information in a external database. The following checks can be done in the MAIL FROM context or at any later stage.
If you want to check if the SASL username domain part matches the sending domain
$saslauthed = isset($connection["auth"]);
if (!$saslauthed) Reject("Authentication Required");
$saslusername = $connection["auth"]["username"];
$senderdomain = $arguments["address"]["domain"]; // Use $transaction["senderaddress"]["domain"] in later stages
[$localpart, $domain] = str_split($saslusername, "@", -2);
if ($domain == $senderdomain)
Accept();
Reject("$saslusername is not allowed to relay for $senderdomain");
If you want to match the SASL username to one or more domains in a external list
$saslauthed = isset($connection["auth"]);
if (!$saslauthed) Reject("Authentication Required");
$saslusername = $connection["auth"]["username"];
$senderdomain = $arguments["address"]["domain"]; // Use $transaction["senderaddress"]["domain"] in later stages
if ($saslusername == "john.doe" and array_includes($senderdomain, ["example.com", "example.net"]))
Accept();
Reject("$saslusername is not allowed to relay for $senderdomain");
Comments
0 comments
Article is closed for comments.