Re: SMTP authentication

  • Reindl Harald
    Message 1 of 14 , Mar 19, 2013
      On 19.03.2013 18:47, Matteo Marescotti wrote:
      > 250 DSN
      > mail from:<marescot@...>
      > 250 2.1.0 Ok
      > rcpt to:<marescot@...>
      > 554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied
      >
      > because user authentication is now required. I simply wondered why the client is rejected after "rcpt to" and not
      > just after "mail from". Maybe there is no configuration which allows for rejecting an unauthenticated client after
      > the first command. I asked because you are certainly more familiar than me with Postfix configuration options.
      > Thank you anyway

      because it is a really stupid idea to reject too soon and
      after that be missing information from logfiles which can
      be helpful if your user calls you for support or you
      want to actively provide the user support

      iPhones, as an example, are here regularly clients losing for
      whatever reason the auth-settings and trying for weeks
      and months to submit the same message

      in such cases it is helpful to provide the user a log entry
      with MAIL FROM and MAIL TO because he thinks the
      message was sent
    • Viktor Dukhovni
      Message 2 of 14 , Mar 19, 2013
        On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:

        > On 19/03/2013 17:41, Viktor Dukhovni wrote:
        > >On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
        > >
        > >>submission inet n - - - - smtpd
        > >> -o smtpd_tls_security_level=encrypt
        > >> -o smtpd_sasl_auth_enable=yes
        > >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        > >> -o milter_macro_daemon_name=ORIGINATING
        > >>...
        > >
        > >With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
        > >are allowed before STARTTLS. The other commands will be rejected,
        > >but of course we can't prevent the client from sending them.

        > I said Postfix accepts the MAIL FROM command before user
        > authentication, not before STARTTLS.

        Sorry, I misread your post, I am too focused on TLS lately, yes
        rejection of transactions is deliberately delayed to RCPT TO, this
        makes it possible to later figure out what was being rejected.
        A good MTA produces a good audit trail.

        --
        Viktor.
      • Matteo Marescotti
        Message 3 of 14 , Mar 19, 2013
          On 19/03/2013 19:30, Viktor Dukhovni wrote:
          > On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:
          >
          >> On 19/03/2013 17:41, Viktor Dukhovni wrote:
          >>> On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
          >>>
          >>>> submission inet n - - - - smtpd
          >>>>   -o smtpd_tls_security_level=encrypt
          >>>>   -o smtpd_sasl_auth_enable=yes
          >>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          >>>>   -o milter_macro_daemon_name=ORIGINATING
          >>>> ...
          >>> With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
          >>> are allowed before STARTTLS. The other commands will be rejected,
          >>> but of course we can't prevent the client from sending them.
          >> I said Postfix accepts the MAIL FROM command before user
          >> authentication, not before STARTTLS.
          > Sorry, I misread your post, I am too focused on TLS lately, yes
          > rejection of transactions is deliberately delayed to RCPT TO, this
          > makes it possible to later figure out what was being rejected.
          > A good MTA produces a good audit trail.
          >
          I was sure there was a very good reason for that. Thank you very much to
          everybody. I learned something I could not figure out by myself.

          Matteo
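
The audit trail discussed in this thread can be put to use as follows. This is an added example, not code from any of the posters or from Postfix: it parses delayed-reject log lines and groups them by client, sender and recipient, so a client that keeps retrying the same message without authenticating stands out. The log lines are constructed samples, and the regex assumes the default Postfix syslog line layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout Postfix smtpd logs for a reject
# delayed to RCPT TO (hosts, IPs and addresses are made up for this example).
SAMPLE_LOG = """\
Mar 19 18:40:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from phone.example.net[192.0.2.10]: 554 5.7.1 <phone.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<[10.0.0.5]>
Mar 19 18:55:02 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from phone.example.net[192.0.2.10]: 554 5.7.1 <phone.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<[10.0.0.5]>
Mar 19 19:02:13 mx postfix/smtpd[2177]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected: Access denied; from=<carol@example.org> to=<dave@example.com> proto=ESMTP helo=<laptop>
Mar 19 19:05:00 mx postfix/smtpd[2180]: connect from unknown[198.51.100.7]
"""

# The sender and recipient are only present because the reject happened at
# RCPT TO; a reject at connect time would have nothing to log after the IP.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) .*?Client host rejected: "
    r"Access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(log_text):
    """Return one dict per 'Access denied' reject at RCPT TO in the log."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.match(line))]

def repeated_failures(rejects, threshold=2):
    """Group rejects by (client IP, sender, recipient); keep the repeats."""
    groups = defaultdict(list)
    for r in rejects:
        groups[(r["ip"], r["sender"], r["rcpt"])].append(r["ts"])
    return {key: seen for key, seen in groups.items() if len(seen) >= threshold}

if __name__ == "__main__":
    hits = repeated_failures(parse_rejects(SAMPLE_LOG))
    for (ip, sender, rcpt), seen in hits.items():
        print(f"{ip}: {sender} -> {rcpt} rejected {len(seen)}x, "
              f"first {seen[0]}, last {seen[-1]}")
```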