Postfix+sasslauthd+PAM How to deny/allow specific users from authenticating

Tags: pam, postfix, sasl, saslauthd, smtp-auth

I have a simple postfix installation on RedHat that's been running fine for years and uses TLS/saslauthd/PAM to allow users to authenticate to relay mail from the external network. All users are local Linux accounts, so the saslauthd method using PAM has worked well in general.

There are several local accounts that are not used for login by users and have the shell set to /sbin/nologin, but these accounts are still exposed via SMTP via saslauthd. I have not found any obvious method for providing a list of accounts to saslauthd that should be denied authentication. Basically, I'm looking for a way to whitelist or blacklist user accounts so that they are always denied SMTP relay permission. I don't want all existing local accounts to be allowed to relay mail, only those that I choose. Is there a convenient way to do this without a major change to my current authentication chain?

Best Answer

One way would be to use pam_listfile and make it deny users listed in some text file you provide to it.
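As an added illustration (not part of the answer above), here is what such a pam_listfile stack looks like for the PAM service that saslauthd authenticates against. Assumptions: the service file is /etc/pam.d/smtp (the name Postfix's Cyrus SASL plugin uses on Red Hat; confirm with your saslauthd logs), the list lives in /etc/postfix/sasl_denied_users, and the include lines follow the existing password-auth convention of the distribution.

```text
# /etc/pam.d/smtp  (assumed path: the PAM service saslauthd uses for Postfix)
#
# Deny any account named in the list file before the normal password check.
# item=user   : compare the login name being authenticated
# sense=deny  : a match means "reject"
# onerr=fail  : a missing or unreadable list fails closed instead of allowing everyone
# requisite   : stop the stack immediately on a match (use "required" to keep
#               evaluating the remaining modules and fail at the end instead)
auth     requisite  pam_listfile.so item=user sense=deny file=/etc/postfix/sasl_denied_users onerr=fail
auth     include    password-auth
account  include    password-auth

# Allow-list variant, if only chosen accounts may relay (everyone not listed is denied):
# auth     requisite  pam_listfile.so item=user sense=allow file=/etc/postfix/sasl_allowed_users onerr=fail

# /etc/postfix/sasl_denied_users  (assumed path; one login name per line)
# pam_listfile refuses a list that is not owned by root or is world-writable,
# so create it with: install -o root -g root -m 0600 /dev/null /etc/postfix/sasl_denied_users
apache
backup
nagios
```

Only the smtp PAM service is affected, so console and SSH logins keep their existing stacks. If saslauthd runs with result caching (-c), an account that authenticated recently may still succeed until its cache entry expires, so restart saslauthd after changing the list.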