I have an “everything” Linux server currently running Slackware 15. Sometimes I need to create users in \/etc\/passwd for some particular use case, but both my Postfix and Dovecot authenticate against \/etc\/passwd to grant access.<\/p>\n\n\n\n
It took a long time to figure out how to get that done. Finally I did it:<\/p>\n\n\n\n
Edit \/etc\/postfix\/master.cf<\/strong>; comment out the original smtpd_recipient_restrictions and smtpd_relay_restrictions; and add new ones like this:<\/p>\n\n\n\n Then edit \/etc\/postifx\/main.cf<\/strong> and add this line:<\/p>\n\n\n\n Create \/etc\/postfix\/sender_access<\/strong> with a regular expression to match the usernames to block:<\/p>\n\n\n\n Don’t forget to do this after creating\/changing sender_access:<\/p>\n\n\n\n If the changes work: this is what you get in the maillog when an unauthorized user attempts to send email:<\/p>\n\n\n\n Great! Now Dovecot needs work too, since its users authenticate differently.<\/p>\n\n\n\n References:<\/p>\n\n\n\n This one was much easier to figure out, but it’s not a wildcard solution, I have to blacklist each user explicitly.<\/p>\n\n\n\n Edit \/etc\/dovecot\/conf.d\/10-auth.conf and comment out !include auth-deny.conf.ext<\/strong><\/p>\n\n\n\n Note that auth-deny.conf.ext uses \/etc\/dovecot\/deny-users<\/p>\n\n\n\n Create \/etc\/dovecot\/deny-users with one blocked username per line. E.g.:<\/p>\n\n\n\n After that the user will simply not be able to authenticate when connecting to the IMAP service. Strangely Dovecot doesn’t put anything in the maillog when this failed authentication happens.<\/p>\n\n\n\n References (unused):<\/p>\n\n\n\n I have an “everything” Linux server currently running Slackware 15. Sometimes I need to create users in \/etc\/passwd for some particular use case, but both my Postfix and Dovecot authenticate against \/etc\/passwd to grant access. It took a long time to figure out how to get that done. Finally I did it: Postfix Edit \/etc\/postfix\/master.cf; … <\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-andrew","4":"post-1417","6":"format-standard","7":"category-uncategorized"},"_links":{"self":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/1417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/comments?post=1417"}],"version-history":[{"count":8,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/1417\/revisions"}],"predecessor-version":[{"id":1425,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/1417\/revisions\/1425"}],"wp:attachment":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/media?parent=1417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/categories?post=1417"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/tags?post=1417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}smtps inet n - n - - smtpd\n -o syslog_name=postfix\/smtps\n -o smtpd_tls_wrappermode=yes\n -o smtpd_sasl_auth_enable=yes\n -o smtpd_reject_unlisted_recipient=no\n -o smtpd_client_restrictions=$mua_client_restrictions\n -o smtpd_helo_restrictions=$mua_helo_restrictions\n -o smtpd_sender_restrictions=$mua_sender_restrictions\n -o milter_macro_daemon_name=ORIGINATING\n -o smtpd_recipient_restrictions=\n -o smtpd_relay_restrictions=$mua_relay_restrictions\n# -o smtpd_recipient_restrictions=\n# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject<\/strong><\/code><\/pre>\n\n\n\n# I made up the \"mua_relay_restrictions\" key, used in master.cf\nmua_relay_restrictions = check_sender_access regexp:\/etc\/postfix\/sender_access, permit_sasl_authenticated, reject<\/strong><\/code><\/pre>\n\n\n\n\/ops145\/ REJECT<\/code><\/pre>\n\n\n\npostmap sender_access<\/code><\/pre>\n\n\n\nMar 15 02:45:02 littlesvr postfix\/smtps\/smtpd[2314]: NOQUEUE: reject: RCPT from unknown[84.239.27.157]: 554 5.7.1 ops145_asmith15@littlesvr.ca<\/a>: Sender address rejected: Access denied; from=ops145_asmith15@littlesvr.ca<\/a> to=external@domain.edited.out proto=ESMTP helo=<[10.6.18.78]><\/code><\/pre>\n\n\n\n\n
Dovecot<\/h2>\n\n\n\n
ops145_asmith15<\/code><\/pre>\n\n\n\n\n