Coder Social home page Coder Social logo

chango-postfix-policy's Introduction

chango-postfix-policy

Postfix custom policy to check authenticated user membership within an Active Directory group before allowing to send email.

It reads sasl_username attribute and checks against Active Directory if the user is member of the configured AD group

Prerequisites

  1. Python +3.5
  2. Postfix server must already be added in Active Directory (either with SSSD or Samba)
  3. getent command should be present and functional in postfix server. getent group someADgroup should respond current members.

Initial Config

  1. Download script git clone https://github.com/changoz/chango-postfix-policy.git /opt/chango-postfix-policy

  2. Execute: whereis python. If applicable, replace python path at py scripts first line #!/usr/bin/python3.9

  3. Replace Active Directory group to search for, at py script line 11. Note that the group should'nt have realm nor domain (i.e.: 'managers')

adgroup = 'group_without_realm'

  1. Check the script output before applying postfix configuration. Execute at shell echo sasl_username=user_to_test | /opt/chango-postfix-policy/chango-policy.py It should reply with action=dunno or action=rejected. Depends on user and AD group user.

  2. Folder permissions: chown nobody /opt/chango-postfix-policy

Postfix configuration

1) master.cf

as tcp Listener

/etc/postfix/master.cf:

127.0.0.1:9998  inet  n       n       n       -       0       spawn
     user=nobody argv=/opt/chango-postfix-policy/chango-policy.py

2) main.cf

as tcp Listener

/etc/postfix/main.cf:

smtpd_recipient_restrictions =
       ...
       reject_unauth_destination
       check_policy_service inet:127.0.0.1:9998
       ...

Troubleshooting

  1. Enable verbose at postfix main.cf to get detailed logs. Python error trace should be logged at /var/log/maillog. Read [Postfix Oficial Verbose Logging] (http://www.postfix.org/DEBUG_README.html)

  2. Wrong python identation. Use autopep8 to format chango-policy.py script: autopep8 -i chango-policy.py

  3. Test email by using command line with openssl s_client -starttls smtp -ign_eof -crlf -connect your_server:25

EHLO server
AUTH LOGIN
base64 ad_user_login_without_realm (enter)
base65 ad_user_password (enter)
mail from: [email protected]
rcpt to: [email protected]
data
subject: some subject
test
.

Extras

chango-postfix-policy's People

Contributors

changoz avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.