
allow sasl authenticated on submission port and bypass rbl

  • Nick Sharp
    Message 1 of 9 , Aug 3, 2009
      Hi all,

      Since adding check_sender_access to stop our domain from emailing unauthed
      from the outside and our Wireless Broadband now being in the
      pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
      their broadband cards and get them bypassing the rbl's, ie RBL checks on
      port 25 without auth, no rbl checks on 587 but reject those not
      authenticated.

      I thought I could just overwrite smtpd restrictions from main.cf with
      additional rules in master.cf and get it working, but all combinations I
      have tried have failed.

      Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
      master.cf under smtp and then use the alternative restrictions under the
submission port? If so, I wonder what other restriction options would be lost.

      I am pretty sure that I can whitelist their subnet, but I must be able to
      bypass the rbl checks for any auth'ed user on port 587.

      Any suggestions gratefully received.

The error I seem to get, if it's not the rbl error;
      Aug 3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
      unknown[58.171.177.107]: 554 5.7.1 <unknown[58.171.177.107]>: Client host
      rejected: Access denied; proto=SMTP


      master.cf;
      smtp inet n - - - 50 smtpd
      -o cleanup_service_name=pre-cleanup
      -o content_filter=procmail:filter
      #submission inet n - - - - smtpd
      # -o smtpd_enforce_tls=yes
      # -o smtpd_sasl_auth_enable=yes
      # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      #628 inet n - - - - qmqpd
      587 inet n - n - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      #tried various combinations of these 3 (with and without reject)
      # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      # -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
      pickup fifo n - - 60 1 pickup
      cleanup unix n - - - 0 cleanup
      -o mime_header_checks=
      -o nested_header_checks=
      -o body_checks=
      -o header_checks=
      qmgr fifo n - n 300 1 qmgr
      #qmgr fifo n - - 300 1 oqmgr
      tlsmgr unix - - n 300 1 tlsmgr
      rewrite unix - - - - - trivial-rewrite
      bounce unix - - - - 0 bounce
      defer unix - - - - 0 bounce
      trace unix - - - - 0 bounce
      verify unix - - - - 1 verify
      flush unix n - - 1000? 0 flush
      proxymap unix - - n - - proxymap
      smtp unix - - - - - smtp
      # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
      relay unix - - - - - smtp
      -o fallback_relay=
      # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
      showq unix n - - - - showq
      error unix - - - - - error
      discard unix - - - - - discard
      local unix - n n - - local
      virtual unix - n n - - virtual
      lmtp unix - - - - - lmtp
      anvil unix - - - - 1 anvil
      scache unix - - - - 1 scache

      #Vacation Handler
      #vacation unix - n n - - pipe
      # flags=Rhu user=vacation argv=/var/spool/vacation/vacation.pl

      #Procmail
      procmail unix - n n - - pipe
      flags=Rq user=virtual argv=/usr/bin/procmail -t -m /etc/procmailrc
      ${sender} ${recipient}

      maildrop unix - n n - - pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
      uucp unix - n n - - pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
      ($recipient)
      ifmail unix - n n - - pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
      bsmtp unix - n n - - pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
      $recipient
      scalemail-backend unix - n n - 2 pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
      ${nexthop} ${user} ${extension}
      mailman unix - n n - - pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
      amavis unix - - - - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o strict_rfc821_envelopes=yes
      -o mynetworks=127.0.0.0/8
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1001

      pre-cleanup unix n - - - 0 cleanup
      -o virtual_alias_maps=
      -o canonical_maps=
      -o sender_canonical_maps=
      -o recipient_canonical_maps=
      -o masquerade_domains=



      postconf -n
      alias_database = hash:/etc/postfix/aliases
      alias_maps = hash:/etc/postfix/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = amavis:[127.0.0.1]:10024
      delay_warning_time = 4h
      disable_vrfy_command = yes
      inet_interfaces = all
      mailbox_size_limit = 0
      message_size_limit = 26214400
      mydestination =
      myhostname = <hostname>
      mynetworks = <various networks>
      myorigin = /etc/mailname
      recipient_delimiter = +
      relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
      relayhost =
      smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name
      smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client
      blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client
      zen.spamhaus.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client
      whois.rfc-ignorant.org, reject_rbl_client nonconfirm.mail-abuse.org,
      reject_rbl_client dialups.mail-abuse.org, reject_rbl_client sc.surbl.org,
      reject_rbl_client ws.surbl.org, reject_rbl_client ob.surbl.org,
      reject_rbl_client ab.surbl.org, reject_rbl_client multi.surbl.org,
      reject_rbl_client black.uribl.com
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_delay_reject = no
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit

      smtpd_recipient_restrictions = permit_sasl_authenticated,
      reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient,
      reject_unauth_destination, permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_path = smtpd
      smtpd_sasl_security_options = noanonymous
      smtpd_sender_restrictions = permit_sasl_authenticated,
      permit_mynetworks,reject_non_fqdn_sender, reject_unauth_pipelining,
      check_sender_access hash:/etc/postfix/spoofprotection, permit
      smtpd_timeout = 60s
      smtpd_tls_cert_file = /etc/apache2/ssl/somefile.crt
      smtpd_tls_key_file = /etc/apache2/ssl/somefile.key
      smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
      smtpd_use_tls = yes
      transport_maps = mysql:/etc/postfix/mysql_transport2.cf
      virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
      virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
      virtual_mailbox_base = /var/spool/mail/virtual
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
      virtual_transport = mysql:/etc/postfix/mysql_transport2.cf
      virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

      TIA
      Nick
    • Mike Cappella
      Message 2 of 9 , Aug 3, 2009
        On 8/3/09 12:26 AM, Nick Sharp wrote:
        > Hi all,
        >
        > Since adding check_sender_access to stop our domain from emailing unauthed
        > from the outside and our Wireless Broadband now being in the
        > pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
        > their broadband cards and get them bypassing the rbl's, ie RBL checks on
        > port 25 without auth, no rbl checks on 587 but reject those not
        > authenticated.
        >
        > I thought I could just overwrite smtpd restrictions from main.cf with
        > additional rules in master.cf and get it working, but all combinations I
        > have tried have failed.

        A sample submission entry in master.cf:

        submission inet n - n - - smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_auth_only=yes
        -o smtpd_sasl_auth_enable=yes
        -o broken_sasl_auth_clients=yes
        -o receive_override_options=no_header_body_checks,no_address_mappings
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
        -o content_filter=lmtp-amavis:[127.0.0.1]:10026

        The key is the smtpd_recipient_restrictions' permit_sasl_authenticated
        coming first or early. Thus, port 587 users who authenticate pass the
        green light.


        >
        > Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
        > master.cf under smtp and then use the alternative restrictions under the
        > submission port? If so I wonder what else will loose restriction options.

        Tailor as you see fit for your users. The restrictions you add under the
        submission entry override those in main.cf.

        >
        > I am pretty sure that I can whitelist their subnet, but I must be able to
        > bypass the rbl checks for any auth'ed user on port 587.

        Whitelisting == not so good.

        >
        > Any suggestions gratefully received.
        >
        > The error I seem to get if its not the rbl error;
        > Aug 3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
        > unknown[58.171.177.107]: 554 5.7.1<unknown[58.171.177.107]>: Client host
        > rejected: Access denied; proto=SMTP
      • Nick Sharp
        Message 3 of 9 , Aug 3, 2009
          >
          > A sample submission entry in master.cf:
          >
          > submission inet n - n - - smtpd
          > -o smtpd_tls_security_level=encrypt
          > -o smtpd_tls_auth_only=yes
          > -o smtpd_sasl_auth_enable=yes
          > -o broken_sasl_auth_clients=yes
          > -o
          > receive_override_options=no_header_body_checks,no_address_mappings
          > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
          > -o content_filter=lmtp-amavis:[127.0.0.1]:10026
          >
          > The key is the smtpd_recipient_restrictions' permit_sasl_authenticated
          > coming first or early. Thus, port 587 users who authenticate pass the
          > green light.
          >

          Just tried this configuration and moved client restrictions to master.cf
          under smtp;
          smtp inet n - - - 50 smtpd
          -o cleanup_service_name=pre-cleanup
          -o content_filter=procmail:filter
          -o smtpd_client_restrictions=$master_client_restrictions
          submission inet n - n - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_tls_auth_only=yes
          -o smtpd_sasl_auth_enable=yes
          -o broken_sasl_auth_clients=yes
          -o
          receive_override_options=no_header_body_checks,no_address_mappings
          -o
          smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

          main.cf changes;
          master_client_restrictions=permit_sasl_authenticated,permit_mynetworks
          reject_rbl_client blackholes.easynet.nl,
          <big list of rbls>

          #smtpd_client_restrictions =

          and I still get Client Host: Access denied in the logs from everywhere
          without permit_mynetworks in the submission smtpd_client_restrictions, that
          just makes it work from our networks, but not from the wireless broadband.

          So I am concluding that it is not acknowledging sasl_authentication for some
          reason? (I am now not seeing any rbl failed requests though.. probably since
          it's not asked to check anymore.)

          Any ideas? I am a little stumped, so any suggestions are welcomed with open
          arms (and 10 minutes to test them :)

          postconf -n
          alias_database = hash:/etc/postfix/aliases
          alias_maps = hash:/etc/postfix/aliases
          append_dot_mydomain = no
          biff = no
          broken_sasl_auth_clients = yes
          config_directory = /etc/postfix
          content_filter = amavis:[127.0.0.1]:10024
          delay_warning_time = 4h
          disable_vrfy_command = yes
          inet_interfaces = all
          mailbox_size_limit = 0
          message_size_limit = 26214400
          mydestination =
          myhostname = <hostname>
          mynetworks = <network>
          myorigin = /etc/mailname
          recipient_delimiter = +
          relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
          relayhost =
          smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
          smtpd_banner = $myhostname ESMTP $mail_name
          smtpd_data_restrictions = reject_unauth_pipelining
          smtpd_delay_reject = no
          smtpd_helo_required = yes
          smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
          smtpd_recipient_restrictions = permit_sasl_authenticated,
          reject_unauth_pipelining, permit_mynetworks,
          reject_non_fqdn_recipient, reject_unauth_destination,
          permit
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_local_domain =
          smtpd_sasl_path = smtpd
          smtpd_sasl_security_options = noanonymous
          smtpd_sender_restrictions = permit_sasl_authenticated,
          permit_mynetworks, reject_non_fqdn_sender,
          reject_unauth_pipelining, check_sender_access
          hash:/etc/postfix/spoofprotection, permit
          smtpd_timeout = 60s
          smtpd_tls_cert_file = /etc/apache2/ssl/_.valex.com.au.crt
          smtpd_tls_key_file = /etc/apache2/ssl/valexnew.key
          smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
          smtpd_use_tls = yes
          transport_maps = mysql:/etc/postfix/mysql_transport2.cf
          virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
          virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
          virtual_mailbox_base = /var/spool/mail/virtual
          virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
          virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
          virtual_transport = mysql:/etc/postfix/mysql_transport2.cf
          virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

          TIA
          Nick
        • Brian Evans - Postfix List
          Message 4 of 9 , Aug 3, 2009
            Nick Sharp wrote:
            >> A sample submission entry in master.cf:
            >>
            >> submission inet n - n - - smtpd
            >> -o smtpd_tls_security_level=encrypt
            >> -o smtpd_tls_auth_only=yes
            >> -o smtpd_sasl_auth_enable=yes
            >> -o broken_sasl_auth_clients=yes
            >> -o
            >> receive_override_options=no_header_body_checks,no_address_mappings
            >> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
            >> -o content_filter=lmtp-amavis:[127.0.0.1]:10026
            >>
            >> The key is the smtpd_recipient_restrictions' permit_sasl_authenticated
            >> coming first or early. Thus, port 587 users who authenticate pass the
            >> green light.
            >>
            >>
            >
            > Just tried this configuration and moved client restrictions to master.cf
            > under smtp;
            > smtp inet n - - - 50 smtpd
            > -o cleanup_service_name=pre-cleanup
            > -o content_filter=procmail:filter
            > -o smtpd_client_restrictions=$master_client_restrictions
            > submission inet n - n - - smtpd
            > -o smtpd_tls_security_level=encrypt
            > -o smtpd_tls_auth_only=yes
            > -o smtpd_sasl_auth_enable=yes
            > -o broken_sasl_auth_clients=yes
            > -o
            > receive_override_options=no_header_body_checks,no_address_mappings
            > -o
            > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
            >
            > main.cf changes;
            > master_client_restrictions=permit_sasl_authenticated,permit_mynetworks
            > reject_rbl_client blackholes.easynet.nl,
            > <big list of rbls>
            >
            > #smtpd_client_restrictions =
            >
            > and I still get Client Host: Access denied in the logs from everywhere
            > without permit_mynetworks in the submission smtpd_client_restrictions, that
            > just makes it work from our networks, but not from the wireless broadband.
            >
            > So I am concluding that it is not acknowledging sasl_authentication for some
            > reason? (I am now not seeing any rbl failed requests though.. probably since
            > its not asked to check anymore.
            >
            > Any ideas? I am a little stumped, so any suggestions are welcomed with open
            > arms (and 10 minutes to test them :)
            >

            With the number of restrictions you have, it is difficult to tell
            without a full, unaltered log entry. You may replace the user with
            "user@..." if you like, but the rest is crucial to understand
            *which* action caused the reject.
          • Nick Sharp
            Message 5 of 9 , Aug 3, 2009
              > -----Original Message-----
              > From: owner-postfix-users@... [mailto:owner-postfix-
              > users@...] On Behalf Of Brian Evans - Postfix List
              > Sent: Monday, August 03, 2009 11:35 PM
              > To: Postfix users
              > Subject: Re: allow sasl authenticated on submission port and bypass rbl
              >
              > Nick Sharp wrote:
              > >> A sample submission entry in master.cf:
              > >>
              > >> submission inet n - n - - smtpd
              > >> -o smtpd_tls_security_level=encrypt
              > >> -o smtpd_tls_auth_only=yes
              > >> -o smtpd_sasl_auth_enable=yes
              > >> -o broken_sasl_auth_clients=yes
              > >> -o
              > >> receive_override_options=no_header_body_checks,no_address_mappings
              > >> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
              > >> -o content_filter=lmtp-amavis:[127.0.0.1]:10026
              > >>
              > >> The key is the smtpd_recipient_restrictions'
              > permit_sasl_authenticated
              > >> coming first or early. Thus, port 587 users who authenticate pass
              > the
              > >> green light.
              > >>
              > >>
              > >
              > > Just tried this configuration and moved client restrictions to
              > master.cf
              > > under smtp;
              > > smtp inet n - - - 50 smtpd
              > > -o cleanup_service_name=pre-cleanup
              > > -o content_filter=procmail:filter
              > > -o smtpd_client_restrictions=$master_client_restrictions
              > > submission inet n - n - - smtpd
              > > -o smtpd_tls_security_level=encrypt
              > > -o smtpd_tls_auth_only=yes
              > > -o smtpd_sasl_auth_enable=yes
              > > -o broken_sasl_auth_clients=yes
              > > -o
              > > receive_override_options=no_header_body_checks,no_address_mappings
              > > -o
              > >
              > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,r
              > eject
              > >
              > > main.cf changes;
              > >
              > master_client_restrictions=permit_sasl_authenticated,permit_mynetworks
              > > reject_rbl_client blackholes.easynet.nl,
              > > <big list of rbls>
              > >
              > > #smtpd_client_restrictions =
              > >
              > > and I still get Client Host: Access denied in the logs from
              > everywhere
              > > without permit_mynetworks in the submission
              > smtpd_client_restrictions, that
              > > just makes it work from our networks, but not from the wireless
              > broadband.
              > >
              > > So I am concluding that it is not acknowledging sasl_authentication
              > for some
              > > reason? (I am now not seeing any rbl failed requests though..
              > probably since
              > > its not asked to check anymore.
              > >
              > > Any ideas? I am a little stumped, so any suggestions are welcomed
              > with open
              > > arms (and 10 minutes to test them :)
              > >
              >
              > With the number of restrictions you have, it is difficult to tell
              > without a full, unaltered log entry. You may replace the user with
              > "user@..." if you like, but the rest is crucial to understand
              > *which* action caused the reject.

              Sorry, was referring to the same log in my previous email, but didn't
              consider people may not always have that handy..

              Aug 3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT from
              unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client host
              rejected: Access denied; proto=SMTP
            • Brian Evans - Postfix List
              Message 6 of 9 , Aug 3, 2009
                Nick Sharp wrote:
                > Sorry, was referring to the same log in my previous email, but didn't
                > consider people may not always have that handy..
                >
                > Aug 3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT from
                > unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client host
                > rejected: Access denied; proto=SMTP
                >

                This transaction did not have a SASL auth that was successful.
                Therefore, any permit_sasl_authenticated will not work.

                All log entries where SASL is successful, in smtpd, will have
                "sasl_username=" and "sasl_method=" defined
              • Nick Sharp
                Message 7 of 9 , Aug 3, 2009
                  > -----Original Message-----
                  > From: owner-postfix-users@... [mailto:owner-postfix-
                  > users@...] On Behalf Of Brian Evans - Postfix List
                  > Sent: Tuesday, August 04, 2009 12:30 AM
                  > To: Postfix users
                  > Subject: Re: allow sasl authenticated on submission port and bypass rbl
                  >
                  > Nick Sharp wrote:
                  > > Sorry, was referring to the same log in my previous email, but didn't
                  > > consider people may not always have that handy..
                  > >
                  > > Aug 3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT
                  > from
                  > > unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client
                  > host
                  > > rejected: Access denied; proto=SMTP
                  > >
                  >
                  > This transaction did not have a SASL auth that was successful.
                  > Therefore, any permit_sasl_authenticated will not work.
                  >
                  > All log entries where SASL is successful, in smtpd, will have
                  > "sasl_username=" and "sasl_method=" defined
                  >

                  Ok, with smtpd_tls_security_level=encrypt as recommended, AUTH wasn't
                  offered and therefore wouldn't match permit_sasl_authenticated. I got that
                  going by changing encrypt to may and it now shows when I telnet..

                  250-PIPELINING
                  250-SIZE 26214400
                  250-ETRN
                  250-STARTTLS
                  250-AUTH DIGEST-MD5 CRAM-MD5
                  250-AUTH=DIGEST-MD5 CRAM-MD5
                  250-ENHANCEDSTATUSCODES
                  250-8BITMIME
                  250 DSN

                  Now if I have -o
                  smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
                  in the submission bit in master.cf, the connect immediately rejects unless
                  matching mynetworks, still not giving a chance to do SASL..

                  Any ideas why this would be?

                  The nearest I can get is accept email to my domains with TLS, with or
                  without AUTH, or block you from even negotiating AUTH? There is no middle
                  ground it seems (or more likely I am missing it! :)

                  TIA
                  Nick
                • Brian Evans - Postfix List
                  Message 8 of 9 , Aug 3, 2009
                    Nick Sharp wrote:
                    >> -----Original Message-----
                    >> From: owner-postfix-users@... [mailto:owner-postfix-
                    >> users@...] On Behalf Of Brian Evans - Postfix List
                    >> Sent: Tuesday, August 04, 2009 12:30 AM
                    >> To: Postfix users
                    >> Subject: Re: allow sasl authenticated on submission port and bypass rbl
                    >>
                    >> Nick Sharp wrote:
                    >>
                    >>> Sorry, was referring to the same log in my previous email, but didn't
                    >>> consider people may not always have that handy..
                    >>>
                    >>> Aug 3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT
                    >>>
                    >> from
                    >>
                    >>> unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client
                    >>>
                    >> host
                    >>
                    >>> rejected: Access denied; proto=SMTP
                    >>>
                    >>>
                    >> This transaction did not have a SASL auth that was successful.
                    >> Therefore, any permit_sasl_authenticated will not work.
                    >>
                    >> All log entries where SASL is successful, in smtpd, will have
                    >> "sasl_username=" and "sasl_method=" defined
                    >>
                    >>
                    >
                    > Ok, with smtpd_tls_security_level=encrypt as recommended, AUTH wasn't
                    > offered and therefore wouldn't match permit_sasl_authenticated. I got that
                    > going by changing encrypt to may and it now shows when I telnet..
                    >
                    > 250-PIPELINING
                    > 250-SIZE 26214400
                    > 250-ETRN
                    > 250-STARTTLS
                    > 250-AUTH DIGEST-MD5 CRAM-MD5
                    > 250-AUTH=DIGEST-MD5 CRAM-MD5
                    > 250-ENHANCEDSTATUSCODES
                    > 250-8BITMIME
                    > 250 DSN
                    >
                    > Now if I have -o
                    > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
                    > in the submission bit in master.cf, the connect immediately rejects unless
                    > matching mynetworks, still not giving a chance to do SASL..
                    >
                    > Any ideas why this would be?
                    >
                    > The nearest I can get is accept email to my domains with TLS, with or
                    > without AUTH, or block you from even negotiating AUTH? There is no middle
                    > ground it seems (or more I am missing it! :)
                    >
                    This is because you changed "smtpd_delay_reject" from its default of
                    "yes" to "no".
                    With that setting the client restrictions are evaluated at CONNECT time,
                    before the client has had a chance to AUTH, so permit_sasl_authenticated
                    can never match there.
                  • Nick Sharp
                    Message 9 of 9 , Aug 3, 2009
                      > >>
                      > >> Nick Sharp wrote:
                      > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,r
                      > eject
                      > > in the submission bit in master.cf, the connect immediately rejects
                      > unless
                      > > matching mynetworks, still not giving a chance to do SASL..
                      > >
                      > > Any ideas why this would be?
                      > >
                      > > The nearest I can get is accept email to my domains with TLS, with or
                      > > without AUTH, or block you from even negotiating AUTH? There is no
                      > middle
                      > > ground it seems (or more I am missing it! :)
                      > >
                      > This is because you changed "smtpd_delay_reject = no" from it's default
                      > to Yes.
                      > The client is not given a chance to AUTH with this setting.

                      Ahh, that's the middle ground I was looking for!

                      Thanks all for your help.

                      To summarise, this submission config brought on the magic (note that
                      smtp_enforce_tls and smtp_tls_enforce_peername are smtp client
                      parameters and have no effect on an smtpd service such as submission);

                      submission inet n - n - - smtpd
                      -o smtpd_tls_security_level=may
                      -o smtpd_sasl_auth_enable=yes
                      -o smtp_enforce_tls=yes
                      -o smtp_tls_enforce_peername=yes
                      -o broken_sasl_auth_clients=yes
                      -o
                      receive_override_options=no_header_body_checks,no_address_mappings
                      -o
                      smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
                      -o smtpd_sasl_security_options=noanonymous,noplaintext
                      -o smtpd_sasl_tls_security_options=noanonymous

                      Nick