
Using error(8) mailer with sender_dependent_relayhost_maps

  • Adi Pircalabu
    Message 1 of 4 , Nov 29, 2012
      With Postfix 2.8.4 I want to selectively disable relaying for certain
      SMTP-authenticated users, but unfortunately in this case I don't have
      access to the authentication database which is managed by a 3rd party
      auxprop_plugin. The same database is used for both SMTP and IMAP/POP3
      authentication and there's no known mechanism at the moment to only
      disable SMTP authentication, but still allow IMAP/POP3 logins.
      At the same time, the server should still accept email that have these
      users' email address as the envelope sender. To make it even more
      complicated, everything is happening currently on port 25.
      I tried to use sender dependent authentication with a dedicated
      transport as described here:
      http://www.postfix.org/SASL_README.html#client_sasl_sender
      http://www.postfix.org/transport.5.html
      Now I have the following entry in /etc/postfix/main.cf:

      sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps

      In /etc/postfix/relayhost_maps I have an entry like this:

      user@... error:sender can not be authenticated on this server

      Then, when sending an email from user@... after an SMTP-auth
      session I'd expect to get a bounce message with a non-delivery reason
      as per http://www.postfix.org/error.8.html, but instead I get something
      like this in syslog:

      postfix/smtpd[26240]: E67221280002: client=client[x.x.x.x], sasl_method=CRAM-MD5, sasl_username=user@...
      postfix/qmgr[24064]: E67221280002: from=user@..., size=1242, nrcpt=1 (queue active)
      postfix/smtp[26414]: fatal: unknown service: error sender can not be authenticated on this server/tcp
      postfix/smtpd[26240]: disconnect from client=client[x.x.x.x]
      postfix/qmgr[24064]: warning: private/server_ip- socket: malformed response
      postfix/qmgr[24064]: warning: transport server_ip- failure -- see a previous warning/fatal/panic logfile record for the problem description
      postfix/master[24062]: warning: process /usr/libexec/postfix/smtp pid 26414 exit status 1
      postfix/master[24062]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
      postfix/error[26248]: E67221280002: to=<user2@...>, relay=none, delay=1.4, delays=0.4/1/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

      Any idea, what am I missing to get this configured properly?

      Thanks,
      Adi
    • Viktor Dukhovni
      Message 2 of 4 , Nov 29, 2012
        On Fri, Nov 30, 2012 at 04:18:14PM +1100, Adi Pircalabu wrote:

        > With Postfix 2.8.4 I want to selectively disable relaying for certain
        > SMTP-authenticated users, but unfortunately in this case I don't have
        > access to the authentication database which is managed by a 3rd party
        > auxprop_plugin. The same database is used for both SMTP and IMAP/POP3
        > authentication and there's no known mechanism at the moment to only
        > disable SMTP authentication, but still allow IMAP/POP3 logins.
        > At the same time, the server should still accept email that have these
        > users' email address as the envelope sender. To make it even more
        > complicated, everything is happening currently on port 25.
        > I tried to use sender dependent authentication with a dedicated
        > transport as described here:
        > http://www.postfix.org/SASL_README.html#client_sasl_sender
        > http://www.postfix.org/transport.5.html
        > Now I have the following entry in /etc/postfix/main.cf:
        >
        > sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps

        Not surprisingly, when you set the relay host to a transport:nexthop
        it does not work. You may want to try:

        http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

        --
        Viktor.
      • Noel Jones
        Message 3 of 4 , Nov 29, 2012
          On 11/29/2012 11:35 PM, Viktor Dukhovni wrote:
          > On Fri, Nov 30, 2012 at 04:18:14PM +1100, Adi Pircalabu wrote:
          >
          >> With Postfix 2.8.4 I want to selectively disable relaying for certain
          >> SMTP-authenticated users, but unfortunately in this case I don't have
          >> access to the authentication database which is managed by a 3rd party
          >> auxprop_plugin. The same database is used for both SMTP and IMAP/POP3
          >> authentication and there's no known mechanism at the moment to only
          >> disable SMTP authentication, but still allow IMAP/POP3 logins.
          >> At the same time, the server should still accept email that have these
          >> users' email address as the envelope sender. To make it even more
          >> complicated, everything is happening currently on port 25.
          >> I tried to use sender dependent authentication with a dedicated
          >> transport as described here:
          >> http://www.postfix.org/SASL_README.html#client_sasl_sender
          >> http://www.postfix.org/transport.5.html
          >> Now I have the following entry in /etc/postfix/main.cf:
          >>
          >> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
          >
          > Not surprisingly, when you set the relay host to a transport:nexthop
          > it does not work. You may want to try:
          >
          > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
          >


          Alternately, you can use a policy service, such as postfwd, that
          rejects the mail when sasl_username is a disabled user.

          http://www.postfix.org/SMTPD_POLICY_README.html
          http://www.postfix.org/addon.html#policy
          http://postfwd.org/



          -- Noel Jones
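
The policy-service approach suggested above, sketched as an added example that is not part of the original thread and is not postfwd's code: a minimal decision loop for the Postfix policy delegation protocol that rejects only when `sasl_username` is on a disabled list, so unauthenticated mail carrying the same envelope sender is still passed on. The account list, the sample requests and the reply text are constructed; running it from master.cf via spawn(8) and `check_policy_service` is assumed.

```python
import io
import sys

# Constructed list of SASL logins that may no longer relay (assumption).
DISABLED_SASL_USERS = {"user@example.com"}

def parse_request(stream):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs or None  # end of input; None when nothing was read

def decide(attrs):
    """Return an access(5) action keyed on the SASL login, not the sender."""
    login = attrs.get("sasl_username", "").lower()
    if login in DISABLED_SASL_USERS:
        return "REJECT relaying disabled for this account"
    return "DUNNO"  # no opinion: let later restrictions decide

def serve(stream_in, stream_out):
    """Answer requests until the client (smtpd) closes the connection."""
    while True:
        attrs = parse_request(stream_in)
        if attrs is None:
            break
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()

# Constructed requests: same envelope sender, first authenticated, second not.
SAMPLE = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=user@example.com\nrecipient=user2@example.net\n"
    "sasl_method=CRAM-MD5\nsasl_username=user@example.com\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=user@example.com\nrecipient=local@example.org\n"
    "sasl_method=\nsasl_username=\n\n"
)

def demo():
    """Run the constructed requests through serve() and return the replies."""
    out = io.StringIO()
    serve(io.StringIO(SAMPLE), out)
    return out.getvalue()

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```
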
        • Adi Pircalabu
          Message 4 of 4 , Nov 29, 2012
            On Thu, 29 Nov 2012 23:57:37 -0600
            Noel Jones wrote:

            > On 11/29/2012 11:35 PM, Viktor Dukhovni wrote:
            > > On Fri, Nov 30, 2012 at 04:18:14PM +1100, Adi Pircalabu wrote:
            [...]
            > >> http://www.postfix.org/SASL_README.html#client_sasl_sender
            > >> http://www.postfix.org/transport.5.html
            > >> Now I have the following entry in /etc/postfix/main.cf:
            > >>
            > >> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
            > >
            > > Not surprisingly, when you set the relay host to a transport:nexthop
            > > it does not work. You may want to try:
            > >
            > > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

            That was it, thanks! It now works and also helped to clarify the
            confusion made between sender_dependent_relayhost_maps and
            sender_dependent_default_transport_maps

            > Alternately, you can use a policy service, such as postfwd, that
            > rejects the mail when sasl_username is a disabled user.
            >
            > http://www.postfix.org/SMTPD_POLICY_README.html
            > http://www.postfix.org/addon.html#policy
            > http://postfwd.org/

            I'm not using a policy service yet on this server, the aim in the
            medium term is to scale down the SMTP service and get the customers
            migrated on a different system.

            Thanks for your help.

            Adi