
greets & howto local smtp + remote sasl smtp

  • Dan Farrell
    Message 1 of 9 , Feb 1, 2008
      hi list,

      I have been using postfix for about a year now to host my own mail, and
      have never been able to configure remote SASL SMTP authentication on my
      mail server. My desired configuration would

      1 allow any mail sent from local networks through
      2 allow any mail sent from an authorized smtp connection through
      3 allow any mail sent to a destination or relay domain through
      4 reject all other mail (of course!)

      right now I have all but #2. I can send mail from local hosts just
      fine, but I cannot send mail from remote locations.

      My hope is that someone on the list could kindly point me in the right
      direction.

      Thanks in advance for any assistance,

      Dan Farrell

      I have in my main.cf (complete file attached, sans comments):

      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = smtpd
      broken_sasl_auth_clients = yes
      smtpd_client_restrictions =
          permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
      smtpd_sender_restrictions =
          permit_mynetworks,permit_sasl_authenticated,reject_unknown_address,permit

      however, although authentication succeeds from remote hosts, I still
      cannot seem to send mail to any but local recipients from remote
      hosts. A telnet transcript from within and without follows:

      within:
      =================
      dan@pascal ~ $ telnet spore.ath.cx 25
      Trying 192.168.1.87...
      Connected to spore.ath.cx.
      Escape character is '^]'.
      220 spore.ath.cx ESMTP Postfix (2.4.5)
      ehlo pascal
      250-spore.ath.cx
      250-PIPELINING
      250-SIZE 10240000
      250-VRFY
      250-ETRN
      250-AUTH LOGIN PLAIN
      250-AUTH=LOGIN PLAIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      mail from: dan@...
      250 2.1.0 Ok
      rcpt to: danf@...
      250 2.1.5 Ok
      quit
      Connection closed by foreign host.


      And without:
      ==========================

      dan@hilbert:~$ telnet 66.191.143.114 26
      Trying 66.191.143.114...
      Connected to 66.191.143.114.
      Escape character is '^]'.
      220 spore.ath.cx ESMTP Postfix (2.4.5)
      EHLO hilbert.merseine.nu
      250-spore.ath.cx
      250-PIPELINING
      250-SIZE 10240000
      250-VRFY
      250-ETRN
      250-AUTH LOGIN PLAIN
      250-AUTH=LOGIN PLAIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      AUTH PLAIN ***************= (obfuscated for security)
      235 2.0.0 Authentication successful
      MAIL FROM: dan@...
      250 2.1.0 Ok
      RCPT TO: danf@...
      554 5.7.1 <danf@...>: Relay access denied
    • Victor Duchovni
      Message 2 of 9 , Feb 1, 2008
        On Fri, Feb 01, 2008 at 01:27:20PM -0600, Dan Farrell wrote:

        >
        > hi list,
        >
        > I have been using postfix for about a year now to host my own mail, and
        > have never been able to configure remote SASL SMTP authentication on my
        > mail server. My desired configuration would
        >
        > 1 allow any mail sent from local networks through
        > 2 allow any mail sent from an authorized smtp connection through
        > 3 allow any mail sent to a destination or relay domain through
        > 4 reject all other mail (of course!)
        >
        > right now I have all but #2. I can send mail from local hosts just
        > fine, but I cannot send mail from remote locations.
        >
        > My hope is that someone on the list could kindly point me in the right
        > direction.
        >

        http://www.postfix.org/SASL_README.html

        > smtpd_sasl_auth_enable = yes
        > smtpd_sasl_path = smtpd
        > broken_sasl_auth_clients = yes
        > smtpd_client_restrictions =
        > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
        > smtpd_sender_restrictions =
        > permit_mynetworks,permit_sasl_authenticated,reject_unknown_address,permit
        >

        The "smtpd_client_restrictions" setting should instead be an
        smtpd_recipient_restrictions setting (with the same value).

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
      • Floyd Arguello
        Message 3 of 9 , Feb 1, 2008
          Dan Farrell wrote:
          > hi list,
          >
          > I have been using postfix for about a year now to host my own mail, and
          > have never been able to configure remote SASL SMTP authentication on my
          > mail server. My desired configuration would
          >
          > 1 allow any mail sent from local networks through
          > 2 allow any mail sent from an authorized smtp connection through
          > 3 allow any mail sent to a destination or relay domain through
          > 4 reject all other mail (of course!)
          >
          > right now I have all but #2. I can send mail from local hosts just
          > fine, but I cannot send mail from remote locations.
          >
          > My hope is that someone on the list could kindly point me in the right
          > direction.
          >
          > Thanks in advance for any assistance,
          >
          > Dan Farrell
          >
          > I have in my main.cf (complete file attached, sans comments):
          >
          > smtpd_sasl_auth_enable = yes
          > smtpd_sasl_path = smtpd
          > broken_sasl_auth_clients = yes
          > smtpd_client_restrictions =
          > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
          > smtpd_sender_restrictions =
          > permit_mynetworks,permit_sasl_authenticated,reject_unknown_address,permit

          http://www.postfix.org/SASL_README.html

          smtpd_recipient_restrictions =
              permit_mynetworks
              permit_sasl_authenticated
              reject_unauth_destination

          Good luck,
          Floyd
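
Added example, not part of any message in this thread: a simplified Python model of how Postfix walks smtpd_client_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions at RCPT TO, showing why a permit in the client list did not stop the recipient list from rejecting the authenticated relay attempt. It assumes the default smtpd_delay_reject = yes and a built-in recipient list of permit_mynetworks, reject_unauth_destination; Session, rcpt_to and the sample sessions are hypothetical names constructed here.

```python
# Simplified model of Postfix smtpd restriction evaluation at RCPT TO.
from dataclasses import dataclass

@dataclass
class Session:                       # constructed sample input
    in_mynetworks: bool              # client IP is inside mynetworks
    sasl_authenticated: bool         # AUTH succeeded on this connection
    rcpt_local_or_relay: bool        # recipient is a destination/relay domain

# Each rule returns PERMIT, REJECT or DUNNO (no opinion, try the next rule).
RULES = {
    "permit": lambda s: "PERMIT",
    "permit_mynetworks": lambda s: "PERMIT" if s.in_mynetworks else "DUNNO",
    "permit_sasl_authenticated": lambda s: "PERMIT" if s.sasl_authenticated else "DUNNO",
    "reject_unauth_destination": lambda s: "DUNNO" if s.rcpt_local_or_relay else "REJECT",
    # Assumption: the sender domain resolves, so this rule never fires here.
    "reject_unknown_address": lambda s: "DUNNO",
}
STAGES = ("smtpd_client_restrictions", "smtpd_sender_restrictions",
          "smtpd_recipient_restrictions")
# Assumed built-in values used when main.cf does not set a list.
DEFAULTS = {STAGES[0]: [], STAGES[1]: [],
            STAGES[2]: ["permit_mynetworks", "reject_unauth_destination"]}

def rcpt_to(main_cf, session):
    """Return (accepted, rejecting_stage). PERMIT only ends the current list."""
    for stage in STAGES:
        for name in main_cf.get(stage, DEFAULTS[stage]):
            verdict = RULES[name](session)
            if verdict == "REJECT":
                return (False, stage)
            if verdict == "PERMIT":
                break                # move on to the next stage, not to delivery
    return (True, None)

# The restriction value and sender list as posted in the thread.
VALUE = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
SENDER = ["permit_mynetworks", "permit_sasl_authenticated",
          "reject_unknown_address", "permit"]
BEFORE = {"smtpd_client_restrictions": VALUE, "smtpd_sender_restrictions": SENDER}
AFTER = {"smtpd_recipient_restrictions": VALUE, "smtpd_sender_restrictions": SENDER}

lan = Session(True, False, False)            # the "within" transcript
remote_auth = Session(False, True, False)    # the "without" transcript
remote_anon = Session(False, False, False)   # unauthenticated relay attempt
if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for who in (lan, remote_auth, remote_anon):
            print(label, who, rcpt_to(cfg, who))
```

With the original settings the authenticated remote session is rejected in the recipient stage; after the value is moved to smtpd_recipient_restrictions it is accepted, while the unauthenticated relay attempt is still refused.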
        • Dan Farrell
          Message 4 of 9 , Feb 1, 2008
            On Fri, 1 Feb 2008 14:33:07 -0500
            Victor Duchovni <Victor.Duchovni@...> wrote:

            > The "smtpd_client_restrictions" setting should instead be an
            > smtpd_recipient_restrictions setting (with the same value).
            >

            This was indeed the problem. Thanks, Victor.
          • Dan Farrell
            Message 5 of 9 , Feb 1, 2008
              On Fri, 01 Feb 2008 12:45:03 -0700
              Floyd Arguello <floyd.lists@...> wrote:

              > smtpd_recipient_restrictions =
              > permit_mynetworks
              > permit_sasl_authenticated
              > reject_unauth_destination
              >
              > Good luck,
              > Floyd
              >

              Thanks floyd. Luck was indeed good with me after noticing my mistake
              here; using smtpd_client_res.. rather than smtpd_recipient_res.. solved
              the problem nicely.

              thanks again! - df
            • mouss
              Message 6 of 9 , Feb 1, 2008
                Victor Duchovni wrote:
                > The "smtpd_client_restrictions" setting should instead be an
                > smtpd_recipient_restrictions setting (with the same value).
                >
                >

                wouldn't it be nice to make permit_sasl_authenticated part of the
                default settings?
                and while I am in, wouldn't it be good to allow
                smtpd_recipient_restrictions=
                to mean the default builtin setup?
              • Victor Duchovni
                Message 7 of 9 , Feb 1, 2008
                  On Fri, Feb 01, 2008 at 11:04:23PM +0100, mouss wrote:

                  > wouldn't it be nice to make permit_sasl_authenticated part of the
                  > default settings?

                  Perhaps so, because "smtpd_sasl_auth_enable = no" is still the default.
                  So one would have to enable SASL auth first to accidentally allow SASL
                  users to relay by accident without first weeding out insecure logins, ...

                  Not sure whether the small convenience is worth the incompatibility.

                  > and while I am in, wouldn't it be good to allow
                  > smtpd_recipient_restrictions=
                  > to mean the default builtin setup?

                  Absolutely not. To use a default value, delete the setting from main.cf.

                  --
                  Viktor.

                • Alexey Lobanov
                  Message 8 of 9 , Feb 2, 2008
                    Hello.

                    02.02.2008 01:04, mouss wrote:

                    > wouldn't it be nice to make permit_sasl_authenticated part of the
                    > default settings?

                    Maybe not. Please read
                    http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2669 and
                    http://dsbl.org/relay-methods#SMTPAUTHrelaying

                    You need a really effective password strength enforcement policy before
                    enabling permit_sasl_authenticated.

                    Alexey
                  • mouss
                    Message 9 of 9 , Feb 2, 2008
                      Victor Duchovni wrote:
                      > On Fri, Feb 01, 2008 at 11:04:23PM +0100, mouss wrote:
                      >
                      >
                      >> wouldn't it be nice to make permit_sasl_authenticated part of the
                      >> default settings?
                      >>
                      >
                      > Perhaps so, because "smtpd_sasl_auth_enable = no" is still the default.
                      > So one would have to enable SASL auth first to accidentally allow SASL
                      > users to relay by accident without first weeding out insecure logins, ...
                      >
                      > Not sure whether the small convenience is worth the incompatibility.
                      >
                      >
                      >> and while I am in, wouldn't it be good to allow
                      >> smtpd_recipient_restrictions=
                      >> to mean the default builtin setup?
                      >>
                      >
                      > Absolutely not. To use a default value, delete the setting from main.cf.
                      >
                      >

                      sure, but this doesn't work in master.cf. anyway, this is not important.