
Re: Postfix + stunnel SMTPS = address rewriting issue

  • Jack Browning
    Message 1 of 7 , Jun 1, 2010
      On Fri, May 28, 2010 at 1:27 PM, Wietse Venema <wietse@...> wrote:
      > Jack Browning:
      >> I'm curious as to why the generic map isn't working for mail sent to
      >> the relayhost.
      >
      > Generic mapping is implemented in the Postfix SMTP client, so you
      > need to configure the Postfix SMTP client appropriately.  Setting
      > the generic mapping on other Postfix programs has no effect.

      Perhaps there was a misunderstanding because of my description of the issue.

      To connect to the ATT/U-verse SMTP server, I am using a variant of the
      configuration described at:

      http://www.postfix.org/TLS_README.html#client_smtps

      The only differences in my stunnel.conf and the stunnel.conf in the
      README are nominal, to wit:

      root@dell:/etc/init.d# cat /etc/stunnel/stunnel.conf
      client = yes
      foreground = no

      [att-smtps]
      accept = 2525
      connect = smtp.att.yahoo.com:smtps

      My main.cf looks like this:

      root@dell:/etc/postfix# postconf -n
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = yes
      biff = no
      config_directory = /etc/postfix
      home_mailbox = Maildir/
      inet_interfaces = all
      inet_protocols = all
      mailbox_size_limit = 104857600
      message_size_limit = 52428800
      mydestination = dell.jnjroos.net, localhost.jnjroos.net, localhost, jnjroos.net
      myhostname = dell.jnjroos.net
      mynetworks = 127.0.0.0/8, 192.168.0.0/24
      myorigin = /etc/mailname
      queue_minfree = 78643200
      relayhost = [localhost]:2525
      smtp_generic_maps = hash:/etc/postfix/generic
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      smtp_sasl_security_options = noanonymous
      smtp_sender_dependent_authentication = yes
      smtp_use_tls = no
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

      Note the relayhost specification, which, again, only differs nominally
      from the configuration stated in the README. Note, too, the
      specification of smtp_sasl_password_maps, which implements the
      sender-based authentication the remote server requires. Finally, note
      the specification of smtp_generic_maps, which I had hoped would
      rewrite the sender address for outgoing mail being delivered to the
      relayhost. "jnjroos.net" is, of course, a fantasy name for my local
      network.

      As I stated in my original post, everything works as it should when
      the local e-mail clients (Windows Live Mail and Sylpheed) are
      configured with the user's ATT e-mail address as the From address.
      Here is a redacted log excerpt for outgoing mail when the local
      clients are configured that way:

      Jun 1 13:42:28 dell postfix/smtpd[16260]: connect from
      asus.jnjroos.net[192.168.0.4]
      Jun 1 13:42:28 dell postfix/smtpd[16260]: 6E5C71C157:
      client=asus.jnjroos.net[192.168.0.4]
      Jun 1 13:42:28 dell postfix/cleanup[16263]: 6E5C71C157:
      message-id=<20100601134228.d563162f.xxxxxx@...>
      Jun 1 13:42:28 dell postfix/qmgr[16015]: 6E5C71C157:
      from=<xxxxxx@...>, size=828, nrcpt=1 (queue active)
      Jun 1 13:42:28 dell postfix/smtpd[16260]: disconnect from
      asus.jnjroos.net[192.168.0.4]
      Jun 1 13:42:29 dell postfix/smtp[16264]: 6E5C71C157:
      to=<yyyyyy@...>, relay=127.0.0.1[127.0.0.1]:2525, delay=1.3,
      delays=0.06/0/1/0.22, dsn=2.0.0, status=sent (250 OK , completed)
      Jun 1 13:42:29 dell postfix/qmgr[16015]: 6E5C71C157: removed

      As you can see, everything (including sender-based authentication)
      works, and the delivery to the remote host (via Postfix's SMTP client)
      is successful.

      Now, when I change the From address in the local e-mail clients to the
      user's local e-mail address, i.e., from xxxxxx@... to
      zzzzzz@..., this is what happens:

      Jun 1 14:17:24 dell postfix/smtpd[16469]: connect from
      asus.jnjroos.net[192.168.0.4]
      Jun 1 14:17:24 dell postfix/smtpd[16469]: B01C11C157:
      client=asus.jnjroos.net[192.168.0.4]
      Jun 1 14:17:24 dell postfix/cleanup[16472]: B01C11C157:
      message-id=<20100601141724.a4213911.zzzzzz@...>
      Jun 1 14:17:24 dell postfix/qmgr[16317]: B01C11C157:
      from=<zzzzzz@...>, size=850, nrcpt=1 (queue active)
      Jun 1 14:17:24 dell postfix/smtpd[16469]: disconnect from
      asus.jnjroos.net[192.168.0.4]
      Jun 1 14:17:25 dell postfix/smtp[16473]: B01C11C157:
      to=<yyyyyy@...>, relay=localhost[127.0.0.1]:2525, delay=0.28,
      delays=0.05/0.01/0.18/0.04, dsn=5.0.0, status=bounced (host
      localhost[127.0.0.1] said: 530 authentication required - for help go
      to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html (in reply to
      MAIL FROM command))
      Jun 1 14:17:25 dell postfix/cleanup[16472]: 2144A1C297:
      message-id=<20100601191725.2144A1C297@...>
      Jun 1 14:17:25 dell postfix/bounce[16475]: B01C11C157: sender
      non-delivery notification: 2144A1C297
      Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: from=<>,
      size=2825, nrcpt=1 (queue active)
      Jun 1 14:17:25 dell postfix/qmgr[16317]: B01C11C157: removed
      Jun 1 14:17:25 dell postfix/local[16476]: 2144A1C297:
      to=<zzzzzz@...>, relay=local, delay=0.02,
      delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
      Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: removed

      No address rewriting is occurring even though Postfix is invoking its
      SMTP client to deliver the mail to the remote host, and my generic map
      (after postmap and a reload) contains an entry like this:

      zzzzzz@... xxxxxx@...

      I suspect that because the sender address is not being rewritten by
      the generic map the password lookup is also failing, so that a non-ATT
      sender address *and* garbage credentials are being sent to the remote
      server.

      I find this behavior quite perplexing, because generic mapping has
      worked flawlessly for me in the past, when my relayhost parameter
      pointed to an actual SMTP server with an Internet (as opposed to
      local) network address. The only difference this time around seems to
      be specifying the local endpoint of the stunnel connection as the
      relayhost.

      This is the first time I've had to use sender-based authentication, so I
      have no experience with how it should be interacting with address
      rewriting.

      I hope this clarifies the issue I am facing. Again, I am using Postfix
      2.5.1 on Ubuntu 8.04 x64 LTS.

      TIA,
      JEB
    • Noel Jones
      Message 2 of 7 , Jun 1, 2010
        On 6/1/2010 3:08 PM, Jack Browning wrote:
        > On Fri, May 28, 2010 at 1:27 PM, Wietse Venema<wietse@...> wrote:
        >> Jack Browning:
        >>> I'm curious as to why the generic map isn't working for mail sent to
        >>> the relayhost.
        >>
        >> Generic mapping is implemented in the Postfix SMTP client, so you
        >> need to configure the Postfix SMTP client appropriately. Setting
        >> the generic mapping on other Postfix programs has no effect.
        >
        > Perhaps there was a misunderstanding because of my description of the issue.
        >
        > To connect to the ATT/U-verse SMTP server, I am using a variant of the
        > configuration described at:
        >
        > http://www.postfix.org/TLS_README.html#client_smtps
        >
        > The only differences in my stunnel.conf and the stunnel.conf in the
        > README are nominal, to wit:
        >
        > root@dell:/etc/init.d# cat /etc/stunnel/stunnel.conf
        > client = yes
        > foreground = no
        >
        > [att-smtps]
        > accept = 2525
        > connect = smtp.att.yahoo.com:smtps
        >
        > My main.cf looks like this:
        >
        > root@dell:/etc/postfix# postconf -n
        > alias_database = hash:/etc/aliases
        > alias_maps = hash:/etc/aliases
        > append_dot_mydomain = yes
        > biff = no
        > config_directory = /etc/postfix
        > home_mailbox = Maildir/
        > inet_interfaces = all
        > inet_protocols = all
        > mailbox_size_limit = 104857600
        > message_size_limit = 52428800
        > mydestination = dell.jnjroos.net, localhost.jnjroos.net, localhost, jnjroos.net
        > myhostname = dell.jnjroos.net
        > mynetworks = 127.0.0.0/8, 192.168.0.0/24
        > myorigin = /etc/mailname
        > queue_minfree = 78643200
        > relayhost = [localhost]:2525
        > smtp_generic_maps = hash:/etc/postfix/generic
        > smtp_sasl_auth_enable = yes
        > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
        > smtp_sasl_security_options = noanonymous
        > smtp_sender_dependent_authentication = yes
        > smtp_use_tls = no
        > smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
        >
        > Note the relayhost specification, which, again, only differs nominally
        > from the configuration stated in the README. Note, too, the
        > specification of smtp_sasl_password_maps, which implements the
        > sender-based authentication the remote server requires. Finally, note
        > the specification of smtp_generic_maps, which I had hoped would
        > rewrite the sender address for outgoing mail being delivered to the
        > relayhost. "jnjroos.net" is, of course, a fantasy name for my local
        > network.
        >
        > As I stated in my original post, everything works as it should when
        > the local e-mail clients (Windows Live Mail and Sylpheed) are
        > configured with the user's ATT e-mail address as the From address.
        > Here is a redacted log excerpt for outgoing mail when the local
        > clients are configured that way:
        >
        > Jun 1 13:42:28 dell postfix/smtpd[16260]: connect from
        > asus.jnjroos.net[192.168.0.4]
        > Jun 1 13:42:28 dell postfix/smtpd[16260]: 6E5C71C157:
        > client=asus.jnjroos.net[192.168.0.4]
        > Jun 1 13:42:28 dell postfix/cleanup[16263]: 6E5C71C157:
        > message-id=<20100601134228.d563162f.xxxxxx@...>
        > Jun 1 13:42:28 dell postfix/qmgr[16015]: 6E5C71C157:
        > from=<xxxxxx@...>, size=828, nrcpt=1 (queue active)
        > Jun 1 13:42:28 dell postfix/smtpd[16260]: disconnect from
        > asus.jnjroos.net[192.168.0.4]
        > Jun 1 13:42:29 dell postfix/smtp[16264]: 6E5C71C157:
        > to=<yyyyyy@...>, relay=127.0.0.1[127.0.0.1]:2525, delay=1.3,
        > delays=0.06/0/1/0.22, dsn=2.0.0, status=sent (250 OK , completed)
        > Jun 1 13:42:29 dell postfix/qmgr[16015]: 6E5C71C157: removed
        >
        > As you can see, everything (including sender-based authentication)
        > works, and the delivery to the remote host (via Postfix's SMTP client)
        > is successful.
        >
        > Now, when I change the From address in the local e-mail clients to the
        > user's local e-mail address, i.e., from xxxxxx@... to
        > zzzzzz@..., this is what happens:
        >
        > Jun 1 14:17:24 dell postfix/smtpd[16469]: connect from
        > asus.jnjroos.net[192.168.0.4]
        > Jun 1 14:17:24 dell postfix/smtpd[16469]: B01C11C157:
        > client=asus.jnjroos.net[192.168.0.4]
        > Jun 1 14:17:24 dell postfix/cleanup[16472]: B01C11C157:
        > message-id=<20100601141724.a4213911.zzzzzz@...>
        > Jun 1 14:17:24 dell postfix/qmgr[16317]: B01C11C157:
        > from=<zzzzzz@...>, size=850, nrcpt=1 (queue active)
        > Jun 1 14:17:24 dell postfix/smtpd[16469]: disconnect from
        > asus.jnjroos.net[192.168.0.4]
        > Jun 1 14:17:25 dell postfix/smtp[16473]: B01C11C157:
        > to=<yyyyyy@...>, relay=localhost[127.0.0.1]:2525, delay=0.28,
        > delays=0.05/0.01/0.18/0.04, dsn=5.0.0, status=bounced (host
        > localhost[127.0.0.1] said: 530 authentication required - for help go
        > to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html (in reply to
        > MAIL FROM command))
        > Jun 1 14:17:25 dell postfix/cleanup[16472]: 2144A1C297:
        > message-id=<20100601191725.2144A1C297@...>
        > Jun 1 14:17:25 dell postfix/bounce[16475]: B01C11C157: sender
        > non-delivery notification: 2144A1C297
        > Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: from=<>,
        > size=2825, nrcpt=1 (queue active)
        > Jun 1 14:17:25 dell postfix/qmgr[16317]: B01C11C157: removed
        > Jun 1 14:17:25 dell postfix/local[16476]: 2144A1C297:
        > to=<zzzzzz@...>, relay=local, delay=0.02,
        > delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
        > Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: removed
        >
        > No address rewriting is occurring even though Postfix is invoking its
        > SMTP client to deliver the mail to the remote host, and my generic map
        > (after postmap and a reload) contains an entry like this:
        >
        > zzzzzz@... xxxxxx@...
        >
        > I suspect that because the sender address is not being rewritten by
        > the generic map the password lookup is also failing, so that a non-ATT
        > sender address *and* garbage credentials are being sent to the remote
        > server.
        >
        > I find this behavior quite perplexing, because generic mapping has
        > worked flawlessly for me in the past, when my relayhost parameter
        > pointed to an actual SMTP server with an Internet (as opposed to
        > local) network address. The only difference this time around seems to
        > be specifying the local endpoint of the stunnel connection as the
        > relayhost.
        >
        > This is the first time I've had to use sender-based authentication, so I
        > have no experience with how it should be interacting with address
        > rewriting.
        >
        > I hope this clarifies the issue I am facing. Again, I am using Postfix
        > 2.5.1 on Ubuntu 8.04 x64 LTS.
        >
        > TIA,
        > JEB


        Add a password map entry for the local unwritten address.
      • Jack Browning
        Message 3 of 7 , Jun 1, 2010
          On Tue, Jun 1, 2010 at 3:16 PM, Noel Jones <njones@...> wrote:

          > Add a password map entry for the local unwritten address.

          Wow. That's all it took. Case closed.

          I will try and decipher why that worked off-list.

          Thanks, man.

          JEB
        • Jack Browning
          Message 4 of 7 , Jun 1, 2010
            On Tue, Jun 1, 2010 at 6:17 PM, Wietse Venema <wietse@...> wrote:
            > Jack Browning:

            >> No address rewriting is occurring even though Postfix is invoking its
            >> SMTP client to deliver the mail to the remote host, and my generic map
            >> (after postmap and a reload) contains an entry like this:
            >>
            >> zzzzzz@...    xxxxxx@...
            >
            > Sorry this is very incorrect.
            >
            > The from= line, logged by the queue manager, is not subject to SMTP
            > generic mapping. It never was, and it never will.
            >
            > SMTP generic mapping is implemented in the Postfix SMTP client.
            > This mapping is done only for information that is sent over the
            > network.  This also explains why:
            >
            > 1) SMTP generic mapping has no effect on SASL password lookup.  It
            > never did, and it never will.
            >
            > 2) SMTP generic mapping does not change with the destination host.
            > It never did, and it never will.
            >
            >        Wietse

            Live and learn. Since the fix suggested earlier in this thread --
            keying the remote username:password entries to the users' local
            addresses -- produces the desired result, the issue didn't involve
            generic mapping at all. No generic mapping was done until the message
            was actually sent to the remote server, and the message was not being
            sent because the mis-keyed password lookup table resulted in bad (or
            no) credentials being presented to the remote server, which rejected
            the authentication attempt and terminated the session before the
            message itself was transmitted. No transmission = no rewriting.

            Anyway, that's my story, and I'm sticking to it.

            JEB
          • Wietse Venema
            Message 5 of 7 , Jun 2, 2010
              Jack Browning:
              > Live and learn. Since the fix suggested earlier in this thread --
              > keying the remote username:password entries to the users' local
              > addresses -- produces the desired result, the issue didn't involve
              > generic mapping at all. No generic mapping was done until the message
              > was actually sent to the remote server, and the message was not being
              > sent because the mis-keyed password lookup table resulted in bad (or
              > no) credentials being presented to the remote server, which rejected
              > the authentication attempt and terminated the session before the
              > message itself was transmitted. No transmission = no rewriting.
              >
              > Anyway, that's my story, and I'm sticking to it.

              Are you sticking with your subject line "Postfix + stunnel SMTPS
              = address rewriting issue"? All I have seen so far is that
              sender-dependent SASL password lookups are working as promised.

              Wietse
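
Added example, not part of any message in this thread and not Postfix code: a simplified Python model of the behaviour the thread settles on, where the sender-dependent SASL password lookup is keyed on the unrewritten envelope sender and generic mapping only changes what is sent over the network. The addresses, the password placeholder and the function names are constructed assumptions; the model assumes the remote server answers 530 to MAIL FROM when no AUTH was done, as in the bounce log above.

```python
# Simplified model (assumption): lookup order with
# smtp_sender_dependent_authentication = yes is envelope sender first,
# then the next-hop destination. Generic mapping is applied separately,
# only to the address sent on the wire.

LOCAL = "zzzzzz@local.example"     # constructed stand-in for the local address
REMOTE = "xxxxxx@isp.example"      # constructed stand-in for the provider address
NEXTHOP = "[localhost]:2525"       # relayhost value from the posted main.cf

GENERIC = {LOCAL: REMOTE}          # smtp_generic_maps: local -> provider address
PASSWD_BEFORE = {REMOTE: "xxxxxx@isp.example:PLACEHOLDER"}
PASSWD_AFTER = {**PASSWD_BEFORE, LOCAL: "xxxxxx@isp.example:PLACEHOLDER"}


def pick_credentials(sender, nexthop, sasl_passwd):
    """Return (key, credentials) for the first matching key, else (None, None)."""
    for key in (sender, nexthop):
        if key in sasl_passwd:
            return key, sasl_passwd[key]
    return None, None


def deliver(sender, nexthop, sasl_passwd, generic):
    """Model one delivery attempt by the SMTP client."""
    key, creds = pick_credentials(sender, nexthop, sasl_passwd)  # unrewritten sender
    return {
        "qmgr_from": sender,                       # what the queue manager logs
        "auth_key": key,                           # which table key supplied creds
        "mail_from": generic.get(sender, sender),  # rewritten only on the wire
        "outcome": "sent" if creds else "530 authentication required",
    }


def unkeyed_senders(generic, sasl_passwd, nexthop=NEXTHOP):
    """Audit check: senders that get rewritten but have no credentials at all."""
    if nexthop in sasl_passwd:
        return []                                  # destination entry covers everyone
    return sorted(s for s in generic if s not in sasl_passwd)


if __name__ == "__main__":
    for label, table in (("before", PASSWD_BEFORE), ("after", PASSWD_AFTER)):
        print(label, deliver(LOCAL, NEXTHOP, table, GENERIC))
    print("missing entries:", unkeyed_senders(GENERIC, PASSWD_BEFORE))
```

On a live system the same audit can be done by querying the password table for each left-hand key of the generic map with `postmap -q`.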