Restricting SMTP Relay (To) Domains #393

sniper9191 · 2024-05-02T09:13:45Z

sniper9191
May 2, 2024

I am using Stalwart as a SMTP relay, with LDAP authentication.
The relay works fine, however, I want to configure who can relay to non-local domains, and need some help here.

I believe this can be done via the settings for the RECP TO Stage -

Do I need to specify the Directory? (or I can just specify the "local" domain explicitly in the settings below?)
Within the Allow Relaying settings, how should I specify the settings, such that -

if the authenticated sender is member of a certain LDAP group, allow relay (i.e. this will allow relay on any domain, including non-local domains)
(else) if the authenticated sender is not a member of a certain LDAP group, and the recipient is from the local domain (or a specific domain), allow relay (i.e. this will allow relay to the local domain only)
(else) if the authenticated sender is XYZ, and the recipient domain is a specific non-local domain (i.e. ABC.com), allow relay (i.e. this will allow a user to relay to a specific domain only)
deny the relay if all above cases fail

I would appreciate some examples, that can help me get started with writing the correct syntax for the above settings.

Answered by sniper9191

May 2, 2024

I couldn't find any way to make use of the memberOf LDAP attribute.
However, I no longer needed to do this, so I gave up on it.

For the requirement to "require authentication for senders from any domain, except XYZ.com domain" -
this was tricky, as it was not possible to read the sender_domain before the AUTH stage is completed.
i.e. in order for senders using XYZ.com to be exempted from authentication, they first had to authenticate in order for the server check the sender's domain

I instead had to disable authentication == required at the AUTH stage
and during the next stage, MAIL, I added a script which then checks the envelope:to:domain, and exempts authentication if it is XYZ.com domain

View full answer

sniper9191 · 2024-05-02T20:20:44Z

sniper9191
May 2, 2024
Author

I couldn't find any way to make use of the memberOf LDAP attribute.
However, I no longer needed to do this, so I gave up on it.

For the requirement to "require authentication for senders from any domain, except XYZ.com domain" -
this was tricky, as it was not possible to read the sender_domain before the AUTH stage is completed.
i.e. in order for senders using XYZ.com to be exempted from authentication, they first had to authenticate in order for the server check the sender's domain

I instead had to disable authentication == required at the AUTH stage
and during the next stage, MAIL, I added a script which then checks the envelope:to:domain, and exempts authentication if it is XYZ.com domain

if not envelope :domain :is "from" "XYZ.com" { if eval "is_empty(env.authenticated_as)" { reject ", 5.5.1 Authentication Failed"; stop; } }

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Restricting SMTP Relay (To) Domains #393

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Restricting SMTP Relay (To) Domains #393

sniper9191 May 2, 2024

Replies: 1 comment

sniper9191 May 2, 2024 Author

sniper9191
May 2, 2024

sniper9191
May 2, 2024
Author