
Re: Enabling sender-dependent authentication only for fallback relay?

  • Wietse Venema
    Message 1 of 10, May 2, 2011
      Rich Wales:
      > Earlier, I wrote:
      >
      > > I'm starting to ponder the idea of setting up a separate service in
      > > my master.cf file -- similar to the standard "smtp" service, but with
      > > a few parameters overridden -- and define that separate service as
      > > my smtp_fallback_relay, and have the separate service use my *real*
      > > fallback relay as its relay host, and enable sender-dependent
      > > authentication in the separate service instead of in my standard
      > > SMTP service. But I realize that would be a messy kludge, and I'd
      > > prefer not to do it this way except as a last resort.
      >
      > That idea doesn't appear to work -- the separate SMTP service considered
      > the mail passed to it by the main Postfix instance to be unauthenticated
      > (because it wasn't coming directly from my user agent?) and insisted it
      > wouldn't act as an open relay.
      >
      > I tried the option smtpd_recipient_restrictions= in the separate SMTP
      > service, but that didn't work -- Postfix demands that this parameter must
      > contain at least one working instance of reject_unauth_destination, reject,
      > defer, or defer_if_permit -- i.e., it looks like it simply will not allow
      > itself to be configured as an open relay, period, even if I'm sure I know
      > what I'm doing.
      >
      > And there doesn't seem to be any way for me to use my web hosting service
      > (Bluehost) as my fallback without doing sender-dependent authentication;
      > their tech support's suggestion that I try using my master domain account
      > cPanel login info as a site-wide, sender-independent authentication did
      > not work.
      >
      > So I appear to be stuck -- I can't avoid the situation (as I described in
      > my e-mail from last night; see details there) where a random destination
      > MX is deciding to ask me for authentication, and it understandably doesn't
      > like my sender-dependent authentication info intended only for my fallback
      > relay, and I can't selectively give out or withhold my authentication info
      > because sender-dependent authentication cares *only* about the sender and
      > apparently can't be told to care about the identity of the destination host.
      >
      > Any suggestions would be welcome.

      There is a lot of "did not work" without concrete detail:
      actual configuration, actual error responses.

      See my response in a recent thread:
      http://archives.neohapsis.com/archives/postfix/2011-05/0020.html

      Wietse
    • Victor Duchovni
      Message 2 of 10, May 2, 2011
        On Sun, May 01, 2011 at 09:46:51PM -0700, Rich Wales wrote:

        > [Short version of my question: Is there any way to enable sender-
        > dependent authentication *only* when mail is being sent out via my
        > smtp_fallback_relay host, and *not* when I am sending mail directly
        > to a destination MX? I do not have any "relayhost" defined because
        > I am trying to send mail directly to a destination.]

        You have to use a fallback relay setting that sends the mail to a second
        Postfix instance on your machine, and have that instance send all mail
        to the relay, with sender-dependent authentication.

        smtp_fallback_relay=[127.0.0.1]:10035

        This would be a full Postfix instance, not just another master.cf entry:

        http://www.postfix.org/MULTI_INSTANCE_README.html

        --
        Viktor.
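
Added example, not part of the thread and not Postfix's own code: a small Python check for the exposure Rich describes and for the two-instance layout Viktor proposes. It flags a main.cf in which sender-dependent SASL authentication is enabled while no relayhost is set. The host relay.example.com, the /etc/postfix-out path and all three sample configurations are constructed.

```python
# Added example, not from the thread; every sample value is constructed.
def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines, 'name = value', and
    continuation lines that begin with whitespace."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(text):
    """Return the findings for one instance's main.cf text."""
    p = parse_main_cf(text)
    yes = lambda name: p.get(name, "no").lower() == "yes"
    # The sender-keyed password lookup ignores the destination, so with no
    # relayhost the credentials are offered to any MX that advertises AUTH.
    # Simplification: relayhost/transport map overrides are not evaluated.
    if (yes("smtp_sasl_auth_enable")
            and yes("smtp_sender_dependent_authentication")
            and not p.get("relayhost")):
        return ["sender-dependent SASL credentials offered to any MX"]
    return []

# Constructed: single instance as in the question (direct MX + fallback).
SINGLE = """
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_fallback_relay = [relay.example.com]:587
"""
# Constructed: primary instance after the change, no SASL client settings.
PRIMARY = "smtp_fallback_relay = [127.0.0.1]:10035\n"
# Constructed: second instance, all mail goes to the relay with auth.
SECOND = """
relayhost =
    [relay.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix-out/sasl_passwd
"""
if __name__ == "__main__":
    for label, cfg in (("single", SINGLE), ("primary", PRIMARY), ("second", SECOND)):
        print(label, audit(cfg) or "ok")
```
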
      • Rich Wales
        Message 3 of 10, May 2, 2011
          > There is a lot of "did not work" without concrete detail: actual
          > configuration, actual error responses. See my response in a recent
          > thread: . . .

          With all possible respect, Wietse, I believe I already provided ample
          concrete detail in my original message from last night. If you would
          prefer to simply ignore my second message (in which I tried to say
          that a possible workaround I had considered doesn't seem to work) and
          consider only my original message (perhaps ignoring the paragraph near
          the end starting with "I'm starting to ponder"), I won't object.

          Rich Wales
          richw@...
        • Rich Wales
          Message 4 of 10, May 2, 2011
            > You have to use a fallback relay setting that sends the mail to a second
            > Postfix instance on your machine, and have that instance send all mail
            > to the relay, with sender-dependent authentication. This would be a full
            > Postfix instance, not just another master.cf entry:

            Thanks, Victor.

            A followup question, if I may. Briefly, can you help me understand what is
            going on in a situation like mine that will require the use of a second,
            completely separate Postfix instance (and precludes doing what I want to do
            in a separate master.cf entry)?

            Rich Wales
            richw@...
          • Victor Duchovni
            Message 5 of 10, May 2, 2011
              On Mon, May 02, 2011 at 02:00:52PM -0700, Rich Wales wrote:

              > > You have to use a fallback relay setting that sends the mail to a second
              > > Postfix instance on your machine, and have that instance send all mail
              > > to the relay, with sender-dependent authentication. This would be a full
              > > Postfix instance, not just another master.cf entry:
              >
              > Thanks, Victor.
              >
              > A followup question, if I may. Briefly, can you help me understand what is
              > going on in a situation like mine that will require the use of a second,
              > completely separate Postfix instance (and precludes doing what I want to do
              > in a separate master.cf entry)?

              The mail must be handled by a second separately configured smtp(8) delivery
              agent, and therefore, must be placed in a separate queue, which requires
              a separate instance.

              If the message were handed off to the same queue-manager it would loop.

              --
              Viktor.
            • Rich Wales
              Message 6 of 10, May 2, 2011
                > The mail must be handled by a second separately configured smtp(8)
                > delivery agent, and therefore, must be placed in a separate queue,
                > which requires a separate instance. If the message were handed off
                > to the same queue-manager it would loop.

                Ah. And, not surprisingly, when I tried to solve my problem using an
                alternative smtp in my master.cf, it did precisely that -- the second
                smtp threw the message back into the queue, and my one-and-only Postfix
                dutifully pulled it out of the queue and processed it all over again
                from scratch, leading to a loop.

                So I assume there's no way to tag messages in a single Postfix queue
                with some sort of "already processed once -- let the secondary smtp
                agent take care of this one" marker? Instead, doing this requires a
                separate Postfix instance (with its own separate queue)?

                Rich Wales
                richw@...
              • Victor Duchovni
                Message 7 of 10, May 2, 2011
                  On Mon, May 02, 2011 at 02:33:31PM -0700, Rich Wales wrote:

                  > > The mail must be handled by a second separately configured smtp(8)
                  > > delivery agent, and therefore, must be placed in a separate queue,
                  > > which requires a separate instance. If the message were handed off
                  > > to the same queue-manager it would loop.
                  >
                  > Ah. And, not surprisingly, when I tried to solve my problem using an
                  > alternative smtp in my master.cf, it did precisely that -- the second
                  > smtp threw the message back into the queue, and my one-and-only Postfix
                  > dutifully pulled it out of the queue and processed it all over again
                  > from scratch, leading to a loop.
                  >
                  > So I assume there's no way to tag messages in a single Postfix queue
                  > with some sort of "already processed once -- let the secondary smtp
                  > agent take care of this one" marker? Instead, doing this requires a
                  > separate Postfix instance (with its own separate queue)?

                  Yes, and this is no less efficient, and in fact the configuration is
                  IMHO simpler, and mailq(1) output is more meaningful, ...

                  --
                  Viktor.
                • Rich Wales
                  Message 8 of 10, May 2, 2011
                    > Yes, and this is no less efficient, and in fact the configuration
                    > is IMHO simpler, and mailq(1) output is more meaningful, ...

                    Thanks again.

                    As it turned out, I was able to find a way to authenticate to my web
                    hosting service's outbound SMTP server using a single username/password
                    combo -- and thereby stop having to use sender-dependent authentication,
                    and thus avoid the problems which accompanied the sending of my auth
                    credentials to random servers, without needing to do anything complex.

                    For the time being, I'm happy. :-) Thanks to everyone for their help.

                    Rich Wales
                    richw@...