Score:-1

Is there a way to restrict senders access in postfix depending on Active Directory group they're in?
I have a postfix server setup and it is authenticating against AD with dovecot.

Is there an option to configure it so one user in Group A can send mails as @a.local domain and user from Group B can send mails as @b.local domain?

Score:2
Postfix has smtpd_sender_login_maps and reject_sender_login_mismatch for this purpose, though it works the other way around: given the envelope sender mail address (which the mail client sends in the MAIL FROM: protocol command), it asks the map for the list of all SASL logins that are authorized to use this mail address. If the authenticated user name happens to be in this list, the check is passed; otherwise an error is returned.

This is independent from the authentication method and library; the only thing that links this with authentication is the user name. This is authorization.

You need to design your smtpd_sender_login_maps so it will:

  • query LDAP (AD)
  • the dynamic part of the query, %s, will actually be substituted with the sender email address, or, probably, in your case, you can assume it is the domain part (@domain actually)
  • the query should return the list of SMTP SASL user names that are permitted to send mail with that mail address. To build such a list, the query may check the membership of the AD group.

Then, provided you are using a dedicated submission service in Postfix for receiving mail originating from your users, in that service configuration, set smtpd_sender_restrictions=reject_sender_login_mismatch. In recent Postfix versions, master.cf typically has smtpd_sender_restrictions=$mua_sender_restrictions for the submission service, so you need to set in the main.cf file:

mua_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-sender-login-maps.cf

where /etc/postfix/ldap-sender-login-maps.cf contains your query and authentication parameters for Postfix in the AD to perform this query.

This LDAP query could be tricky to implement. If this looks too hard for you, consider the following approach:

  • Write a script (perhaps PowerShell, or anything you are able to use) that can sync AD to some table accessible to Postfix, which will contain the required mapping information. This can use any kind of table: file, MySQL/MariaDB, etc.
  • run this script periodically and/or when you know the data in AD has changed
  • use that table in smtpd_sender_login_maps instead

Please read all linked Postfix manual pages twice before asking additional questions. I never implemented this with AD; I only did that with a MySQL-based map and it worked very satisfactorily.

mangohost
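The "sync AD to a table" approach from the answer above, as an added example that is not part of the original answer. It assumes a hypothetical naming convention in which an AD group named mail-<domain> (for example mail-a.local) authorizes its members to send as any address in that domain, that the SASL login name Postfix sees is the sAMAccountName, and it feeds the script a constructed in-memory sample of AD users and their memberOf values instead of a live LDAP search, so it runs offline. The script renders the table in the format postmap(1) reads and also models the reject_sender_login_mismatch decision so the resulting policy can be checked before it is deployed.

```python
"""Build a Postfix smtpd_sender_login_maps table from AD group membership.

Added example, not code from the original answer. Assumptions (hypothetical):
- group "CN=mail-<domain>,..." authorizes its members to send as @<domain>
- SASL login name == sAMAccountName
- AD data below is a constructed sample standing in for an LDAP search
"""
from collections import defaultdict

# Constructed sample of what a search over AD might return:
# (sAMAccountName, list of memberOf DNs)
SAMPLE_AD_USERS = [
    ("alice", ["CN=mail-a.local,OU=Groups,DC=corp,DC=local"]),
    ("bob",   ["CN=mail-b.local,OU=Groups,DC=corp,DC=local"]),
    ("carol", ["CN=mail-a.local,OU=Groups,DC=corp,DC=local",
               "CN=mail-b.local,OU=Groups,DC=corp,DC=local"]),
    ("dave",  ["CN=Domain Users,CN=Users,DC=corp,DC=local"]),  # no mail group
]

GROUP_PREFIX = "CN=mail-"   # hypothetical group naming convention


def domain_from_group_dn(dn):
    """Return 'a.local' for 'CN=mail-a.local,OU=...'; None for other groups."""
    rdn = dn.split(",", 1)[0]
    if not rdn.startswith(GROUP_PREFIX):
        return None
    return rdn[len(GROUP_PREFIX):].lower()


def build_login_map(ad_users):
    """Map '@domain' -> sorted SASL logins allowed to send as that domain.

    Users in no mail-* group get no entry at all, so they own nothing.
    """
    table = defaultdict(set)
    for login, groups in ad_users:
        for dn in groups:
            domain = domain_from_group_dn(dn)
            if domain:
                table["@" + domain].add(login.lower())
    return {key: sorted(logins) for key, logins in sorted(table.items())}


def render_postfix_table(table):
    """Render key/value lines for postmap(1), e.g. '@a.local alice, carol'.

    Postfix searches smtpd_sender_login_maps by the full sender address
    first and then by the '@domain' key, so domain-wide entries suffice here.
    """
    return "".join(f"{key} {', '.join(logins)}\n" for key, logins in table.items())


def sender_login_mismatch(table, sasl_user, mail_from):
    """Model of reject_sender_login_mismatch for an authenticated client.

    Returns True when Postfix would reject: the address has no owner in the
    map, or the logged-in user is not among its owners. Lookup order mirrors
    the map search (full address, then '@domain'). Lowercasing both sides is a
    simplification of this model, not a statement about Postfix internals.
    """
    addr = mail_from.lower()
    owners = table.get(addr)
    if owners is None and "@" in addr:
        owners = table.get("@" + addr.split("@", 1)[1])
    if owners is None:
        return True
    return sasl_user.lower() not in owners


if __name__ == "__main__":
    login_map = build_login_map(SAMPLE_AD_USERS)
    # Write this to e.g. /etc/postfix/sender_login_maps, run
    # "postmap /etc/postfix/sender_login_maps", and set
    # smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
    print(render_postfix_table(login_map), end="")
```

The same key shape (sender address in, list of SASL logins out) is what an ldap: map would have to produce through its query_filter and result_attribute, so checking the generated file against a few expected allow/reject pairs, as sender_login_mismatch does, is a cheap way to validate the policy before switching the submission service to reject_sender_login_mismatch.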