Re: Enabling sender-dependent authentication only for fallback relay?

  • Rich Wales
    Message 1 of 10 , May 2, 2011
      Earlier, I wrote:

      > I'm starting to ponder the idea of setting up a separate service in
      > my master.cf file -- similar to the standard "smtp" service, but with
      > a few parameters overridden -- and define that separate service as
      > my smtp_fallback_relay, and have the separate service use my *real*
      > fallback relay as its relay host, and enable sender-dependent
      > authentication in the separate service instead of in my standard
      > SMTP service. But I realize that would be a messy kludge, and I'd
      > prefer not to do it this way except as a last resort.

      That idea doesn't appear to work -- the separate SMTP service considered
      the mail passed to it by the main Postfix instance to be unauthenticated
      (because it wasn't coming directly from my user agent?) and insisted it
      wouldn't act as an open relay.

      I tried the option smtpd_recipient_restrictions= in the separate SMTP
      service, but that didn't work -- Postfix demands that this parameter must
      contain at least one working instance of reject_unauth_destination, reject,
      defer, or defer_if_permit -- i.e., it looks like it simply will not allow
      itself to be configured as an open relay, period, even if I'm sure I know
      what I'm doing.

      And there doesn't seem to be any way for me to use my web hosting service
      (Bluehost) as my fallback without doing sender-dependent authentication;
      their tech support's suggestion that I try using my master domain account
      cPanel login info as a site-wide, sender-independent authentication did
      not work.

      So I appear to be stuck -- I can't avoid the situation (as I described in
      my e-mail from last night; see details there) where a random destination
      MX is deciding to ask me for authentication, and it understandably doesn't
      like my sender-dependent authentication info intended only for my fallback
      relay, and I can't selectively give out or withhold my authentication info
      because sender-dependent authentication cares *only* about the sender and
      apparently can't be told to care about the identity of the destination host.

      Any suggestions would be welcome.

      Rich Wales
      richw@...
    • Wietse Venema
      Message 2 of 10 , May 2, 2011
        Rich Wales:
        > Earlier, I wrote:
        >
        > > I'm starting to ponder the idea of setting up a separate service in
        > > my master.cf file -- similar to the standard "smtp" service, but with
        > > a few parameters overridden -- and define that separate service as
        > > my smtp_fallback_relay, and have the separate service use my *real*
        > > fallback relay as its relay host, and enable sender-dependent
        > > authentication in the separate service instead of in my standard
        > > SMTP service. But I realize that would be a messy kludge, and I'd
        > > prefer not to do it this way except as a last resort.
        >
        > That idea doesn't appear to work -- the separate SMTP service considered
        > the mail passed to it by the main Postfix instance to be unauthenticated
        > (because it wasn't coming directly from my user agent?) and insisted it
        > wouldn't act as an open relay.
        >
        > I tried the option smtpd_recipient_restrictions= in the separate SMTP
        > service, but that didn't work -- Postfix demands that this parameter must
        > contain at least one working instance of reject_unauth_destination, reject,
        > defer, or defer_if_permit -- i.e., it looks like it simply will not allow
        > itself to be configured as an open relay, period, even if I'm sure I know
        > what I'm doing.
        >
        > And there doesn't seem to be any way for me to use my web hosting service
        > (Bluehost) as my fallback without doing sender-dependent authentication;
        > their tech support's suggestion that I try using my master domain account
        > cPanel login info as a site-wide, sender-independent authentication did
        > not work.
        >
        > So I appear to be stuck -- I can't avoid the situation (as I described in
        > my e-mail from last night; see details there) where a random destination
        > MX is deciding to ask me for authentication, and it understandably doesn't
        > like my sender-dependent authentication info intended only for my fallback
        > relay, and I can't selectively give out or withhold my authentication info
        > because sender-dependent authentication cares *only* about the sender and
        > apparently can't be told to care about the identity of the destination host.
        >
        > Any suggestions would be welcome.

        There is a lot of "did not work" without concrete detail:
        actual configuration, actual error responses.

        See my response in a recent thread:
        http://archives.neohapsis.com/archives/postfix/2011-05/0020.html

        Wietse
      • Victor Duchovni
        Message 3 of 10 , May 2, 2011
          On Sun, May 01, 2011 at 09:46:51PM -0700, Rich Wales wrote:

          > [Short version of my question: Is there any way to enable sender-
          > dependent authentication *only* when mail is being sent out via my
          > smtp_fallback_relay host, and *not* when I am sending mail directly
          > to a destination MX? I do not have any "relayhost" defined because
          > I am trying to send mail directly to a destination.]

          You have to use a fallback relay setting that sends the mail to a second
          Postfix instance on your machine, and have that instance send all mail
          to the relay, with sender-dependent authentication.

          smtp_fallback_relay=[127.0.0.1]:10035

          This would be a full Postfix instance, not just another master.cf entry:

          http://www.postfix.org/MULTI_INSTANCE_README.html

          --
          Viktor.
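
Added example, not part of the original thread and not the posters' own configuration: a sketch of the two-instance layout described in the message above, in which only the second instance holds SASL client credentials, so a destination MX that offers AUTH is never sent them. The instance name postfix-relay, its directories, the map path and the relay host [relay.example.net]:587 are assumptions.

```conf
# --- Primary instance: /etc/postfix/main.cf ---
# Delivers directly to destination MX hosts. No relayhost and no SASL
# client credentials, so nothing is sent to an MX that advertises AUTH.
smtp_sasl_auth_enable = no
# Hand mail to the second local instance only when direct delivery fails.
smtp_fallback_relay = [127.0.0.1]:10035

# --- Second instance: /etc/postfix-relay/main.cf (assumed name and paths) ---
multi_instance_name = postfix-relay
# Separate queue, so mail is not re-processed by the primary queue manager.
queue_directory = /var/spool/postfix-relay
data_directory = /var/lib/postfix-relay
# Accept mail only from the primary instance over loopback.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8
# No local delivery here: everything is forwarded.
mydestination =
# All mail from this instance goes to the real relay (placeholder host).
relayhost = [relay.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
# Lookup keys are sender addresses, with the relayhost as the default entry.
smtp_sasl_password_maps = hash:/etc/postfix-relay/sasl_passwd
smtp_sasl_security_options = noanonymous
# Refuse to send credentials over a cleartext session.
smtp_tls_security_level = encrypt

# --- Second instance: /etc/postfix-relay/master.cf ---
# Replace the port-25 smtpd listener with one on the fallback port.
127.0.0.1:10035 inet n - n - - smtpd
```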
        • Rich Wales
          Message 4 of 10 , May 2, 2011
            > There is a lot of "did not work" without concrete detail: actual
            > configuration, actual error responses. See my response in a recent
            > thread: . . .

            With all possible respect, Wietse, I believe I already provided ample
            concrete detail in my original message from last night. If you would
            prefer to simply ignore my second message (in which I tried to say
            that a possible workaround I had considered doesn't seem to work) and
            consider only my original message (perhaps ignoring the paragraph near
            the end starting with "I'm starting to ponder"), I won't object.

            Rich Wales
            richw@...
          • Rich Wales
            Message 5 of 10 , May 2, 2011
              > You have to use a fallback relay setting that sends the mail to a second
              > Postfix instance on your machine, and have that instance send all mail
              > to the relay, with sender-dependent authentication. This would be a full
              > Postfix instance, not just another master.cf entry:

              Thanks, Victor.

              A followup question, if I may. Briefly, can you help me understand what is
              going on in a situation like mine that will require the use of a second,
              completely separate Postfix instance (and precludes doing what I want to do
              in a separate master.cf entry)?

              Rich Wales
              richw@...
            • Victor Duchovni
              Message 6 of 10 , May 2, 2011
                On Mon, May 02, 2011 at 02:00:52PM -0700, Rich Wales wrote:

                > > You have to use a fallback relay setting that sends the mail to a second
                > > Postfix instance on your machine, and have that instance send all mail
                > > to the relay, with sender-dependent authentication. This would be a full
                > > Postfix instance, not just another master.cf entry:
                >
                > Thanks, Victor.
                >
                > A followup question, if I may. Briefly, can you help me understand what is
                > going on in a situation like mine that will require the use of a second,
                > completely separate Postfix instance (and precludes doing what I want to do
                > in a separate master.cf entry)?

                The mail must be handled by a second separately configured smtp(8) delivery
                agent, and therefore, must be placed in a separate queue, which requires
                a separate instance.

                If the message were handed off to the same queue-manager it would loop.

                --
                Viktor.
              • Rich Wales
                Message 7 of 10 , May 2, 2011
                  > The mail must be handled by a second separately configured smtp(8)
                  > delivery agent, and therefore, must be placed in a separate queue,
                  > which requires a separate instance. If the message were handed off
                  > to the same queue-manager it would loop.

                  Ah. And, not surprisingly, when I tried to solve my problem using an
                  alternative smtp in my master.cf, it did precisely that -- the second
                  smtp threw the message back into the queue, and my one-and-only Postfix
                  dutifully pulled it out of the queue and processed it all over again
                  from scratch, leading to a loop.

                  So I assume there's no way to tag messages in a single Postfix queue
                  with some sort of "already processed once -- let the secondary smtp
                  agent take care of this one" marker? Instead, doing this requires a
                  separate Postfix instance (with its own separate queue)?

                  Rich Wales
                  richw@...
                • Victor Duchovni
                  Message 8 of 10 , May 2, 2011
                    On Mon, May 02, 2011 at 02:33:31PM -0700, Rich Wales wrote:

                    > > The mail must be handled by a second separately configured smtp(8)
                    > > delivery agent, and therefore, must be placed in a separate queue,
                    > > which requires a separate instance. If the message were handed off
                    > > to the same queue-manager it would loop.
                    >
                    > Ah. And, not surprisingly, when I tried to solve my problem using an
                    > alternative smtp in my master.cf, it did precisely that -- the second
                    > smtp threw the message back into the queue, and my one-and-only Postfix
                    > dutifully pulled it out of the queue and processed it all over again
                    > from scratch, leading to a loop.
                    >
                    > So I assume there's no way to tag messages in a single Postfix queue
                    > with some sort of "already processed once -- let the secondary smtp
                    > agent take care of this one" marker? Instead, doing this requires a
                    > separate Postfix instance (with its own separate queue)?

                    Yes, and this is no less efficient, and in fact the configuration is
                    IMHO simpler, and mailq(1) output is more meaningful, ...

                    --
                    Viktor.
                  • Rich Wales
                    Message 9 of 10 , May 2, 2011
                      > Yes, and this is no less efficient, and in fact the configuration
                      > is IMHO simpler, and mailq(1) output is more meaningful, ...

                      Thanks again.

                      As it turned out, I was able to find a way to authenticate to my web
                      hosting service's outbound SMTP server using a single username/password
                      combo -- and thereby stop having to use sender-dependent authentication,
                      and thus avoid the problems which accompanied the sending of my auth
                      credentials to random servers, without needing to do anything complex.

                      For the time being, I'm happy. :-) Thanks to everyone for their help.

                      Rich Wales
                      richw@...