
Send email for users from any location

  • Dotan Cohen
    Message 1 of 8 , Jul 8, 2013
      I would like to configure my Postfix machine to send mail from my
      users from any location, but I do not want to set it as an open relay.
      Currently, I restrict users via mynetworks:

      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 1.2.3.4
      (Office IP address)

      If I change this to 0.0.0.0/0 then Postfix will be a dangerous open
      relay. How might I have the users use their IMAP credentials to send
      mail?

      From googling I found this "solution" online but it does not work as I
      expected. I added the following lines to main.cf:
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/password
      smtp_sasl_security_options =

      However, I suspect that I have the wrong format in
      /etc/postfix/password and thus also in /etc/postfix/password.db


      --
      Dotan Cohen

      http://gibberish.co.il
      http://what-is-what.com
    • btb
      Message 2 of 8 , Jul 8, 2013
        On 2013.07.08 08.25, Dotan Cohen wrote:
        > From googling I found this "solution" online but it does not work as I
        > expected.

        instead of googling, simply use the postfix documentation that came with
        the software. your goal is accomplished by implementing smtp auth,
        which postfix offers by way of sasl authentication. to that end, this
        is documented in SASL_README. i would recommend that you use dovecot
        rather than cyrus for sasl. while SASL_README of course includes a fair
        amount of documentation for the associated sasl software, you'll likely
        also want to reference the documentation provided with that software as
        well.

        on a related note, as this is for humans to send mail from their mail
        clients, you'll want to configure a proper submission [port 587]
        service. see the commented example in master.cf for a starting point.
        smtp auth should be offered only via the submission service, and not via
        mx service [port 25]. additionally, encryption should be required for
        submission traffic.

        -ben
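
The policy described in this reply (AUTH offered only on the submission service, TLS required there) together with the original post's `mynetworks` and `smtp_sasl_*` settings, expressed as a small configuration audit. This is an added example, not part of the thread or of Postfix; the file contents are constructed and the function names are hypothetical, while the parameter names are standard Postfix settings.

```python
import re

# Constructed sample files: a submission entry modelled on the commented
# example in master.cf, and a main.cf containing a smtp_sasl_* line.
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtp_sasl_auth_enable = yes
"""

def parse_main(text):
    """Return {parameter: value} for simple one-line main.cf settings."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """Return {service: {parameter: value}} from master.cf '-o' overrides."""
    services, current = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s+-o\s+(\w+)\s*=\s*(.*)", line)
        if m:                                  # indented "-o name=value" override
            current[m.group(1)] = m.group(2).strip()
        elif line[:1].strip() and not line.startswith("#"):
            current = services.setdefault(line.split()[0], {})  # service in column 0
    return services

def audit(main_text, master_text):
    """List the settings that conflict with the submission policy (assumed checks)."""
    main, master = parse_main(main_text), parse_master(master_text)
    has_sub, sub = "submission" in master, master.get("submission", {})
    checks = [
        ("0.0.0.0/0" in main.get("mynetworks", ""), "mynetworks trusts every address: open relay"),
        (not has_sub, "no submission service in master.cf"),
        (has_sub and sub.get("smtpd_sasl_auth_enable") != "yes", "submission does not enable SASL AUTH"),
        (has_sub and sub.get("smtpd_tls_security_level") != "encrypt", "submission does not require TLS"),
        (main.get("smtpd_sasl_auth_enable") == "yes", "AUTH enabled in main.cf, so port 25 offers it too"),
        (any(k.startswith("smtp_sasl_") for k in main), "smtp_sasl_* sets up the outbound client, not user logins"),
    ]
    return [msg for failed, msg in checks if failed]
```
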
      • Dotan Cohen
        Message 3 of 8 , Jul 8, 2013
          On Mon, Jul 8, 2013 at 5:27 PM, btb <btb@...> wrote:
          > instead of googling, simply use the postfix documentation that came with the
          > software. your goal is accomplished by implementing smtp auth, which
          > postfix offers by way of sasl authentication. to that end, this is
          > documented in SASL_README. i would recommend that you use dovecot rather
          > than cyrus for sasl. while SASL_README of course includes a fair amount of
          > documentation for the associated sasl software, you'll likely also want to
          > reference the documentation provided with that software as well.
          >

          Thank you!

          > on a related note, as this is for humans to send mail from their mail
          > clients, you'll want to configure a proper submission [port 587] service.
          > see the commented example in master.cf for a starting point. smtp auth
          > should be offered only via the submission service, and not via mx service
          > [port 25]. additionally, encryption should be required for submission
          > traffic.
          >

          Are you referring to this:
          #smtps inet n - - - - smtpd
          # -o syslog_name=postfix/smtps
          # -o smtpd_tls_wrappermode=yes
          # -o smtpd_sasl_auth_enable=yes
          # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          # -o milter_macro_daemon_name=ORIGINATING

          --
          Dotan Cohen

          http://gibberish.co.il
          http://what-is-what.com
        • Wietse Venema
          Message 4 of 8 , Jul 8, 2013
            Dotan Cohen:
            > > on a related note, as this is for humans to send mail from their mail
            > > clients, you'll want to configure a proper submission [port 587] service.
            > > see the commented example in master.cf for a starting point. smtp auth
            > > should be offered only via the submission service, and not via mx service
            > > [port 25]. additionally, encryption should be required for submission
            > > traffic.
            > >
            >
            > Are you referring to this:
            > #smtps inet n - - - - smtpd

            I think he meant the service called "submission". "smtps" is
            obsolete, but apparently some software still uses it.

            Wietse
          • Peter
            Message 5 of 8 , Jul 8, 2013
              On 07/09/2013 05:10 AM, Dotan Cohen wrote:
              >> on a related note, as this is for humans to send mail from their mail
              >> clients, you'll want to configure a proper submission [port 587] service.
              >> see the commented example in master.cf for a starting point. smtp auth
              >> should be offered only via the submission service, and not via mx service
              >> [port 25]. additionally, encryption should be required for submission
              >> traffic.
              >
              > Are you referring to this:
              > #smtps inet n - - - - smtpd
              > # -o syslog_name=postfix/smtps
              > # -o smtpd_tls_wrappermode=yes
              > # -o smtpd_sasl_auth_enable=yes
              > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              > # -o milter_macro_daemon_name=ORIGINATING

              No, the service you're looking for is "submission", not "smtps". SMTPS
              is a deprecated means of submission and you only need it if your users
              are using a very old version of one particular email client in which
              case they likely have other problems.


              Peter
            • Dotan Cohen
              Message 6 of 8 , Jul 8, 2013
                On Mon, Jul 8, 2013 at 11:04 PM, Peter <peter@...> wrote:
                > No, the service you're looking for is "submission", not "smtps". SMTPS is a
                > deprecated means of submission and you only need it if your users are using
                > a very old version of one particular email client in which case they likely
                > have other problems.
                >

                Thank you Peter. Interestingly, even after enabling submission
                (perhaps incorrectly, I'm looking into that) I still get this in the
                logs when I try to send mail via postfix:

                11993 Jul 9 05:02:11 awsBeta postfix/smtpd[6734]: warning: hostname bzq-219-241-14.static.bezeqint.net does not resolve to address 212.179.241.14: Name or service not known
                11994 Jul 9 05:02:11 awsBeta postfix/smtpd[6734]: connect from unknown[212.179.241.14]
                11995 Jul 9 05:02:12 awsBeta postfix/smtpd[6734]: NOQUEUE: reject: RCPT from unknown[212.179.241.14]: 554 5.7.1 <dotancohen@...>: Relay access denied; from=<fs@...> to=<dotancohen@...> proto=ESMTP helo=<[10.0.0.154]>
                11996 Jul 9 05:02:14 awsBeta postfix/smtpd[6734]: disconnect from unknown[212.179.241.14]

                212.179.241.14 is the address where my desktop is located, and bzq-*
                obviously by the name refers to my ISP (Bezeq). It seems that even
                with submission enabled, Postfix wants the IP address whitelisted in
                "mydomains". I don't even see in the logs that Postfix bothered
                checking the submission credentials, it rejected based on IP address
                before even getting that far.

                What else must be configured to remove the IP address whitelist and go
                right to the submission credentials check?

                Thank you for helping me learn! I've gone over these tutorials but I'm
                rather stuck:
                http://www.postfix.org/VIRTUAL_README.html
                http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
                https://help.ubuntu.com/community/Postfix


                --
                Dotan Cohen

                http://gibberish.co.il
                http://what-is-what.com
              • Peter
                Message 7 of 8 , Jul 8, 2013
                  On 07/09/2013 05:13 PM, Dotan Cohen wrote:
                  > 212.179.241.14 is the address where my desktop is located, and bzq-*
                  > obviously by the name refers to my ISP (Bezeq). It seems that even
                  > with submission enabled, Postfix wants the IP address whitelisted in
                  > "mydomains". I don't even see in the logs that Postfix bothered
                  > checking the submission credentials, it rejected based on IP address
                  > before even getting that far.

                  This simply means that either your email client is not correctly
                  configured to send SASL AUTH credentials, or postfix is not correctly
                  configured to receive them. There is more to SASL AUTH than just
                  enabling submission. See http://www.postfix.org/SASL_README.html for
                  more info.

                  > What else must be configured to remove the IP address whitelist and go
                  > right to the submission credentials check?

                  You can remove permit_mynetworks if you want, there is nothing wrong
                  with this, but it won't solve your problem, your problem is what I
                  stated above.

                  > http://www.postfix.org/VIRTUAL_README.html
                  > http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
                  > https://help.ubuntu.com/community/Postfix

                  Read the SASL_README document I linked to above.


                  Peter
                • Hans Spaans
                  Message 8 of 8 , Jul 9, 2013
                    wietse@... schreef op 2013-07-08 20:36:
                    > Dotan Cohen:
                    >> > on a related note, as this is for humans to send mail from their mail
                    >> > clients, you'll want to configure a proper submission [port 587] service.
                    >> > see the commented example in master.cf for a starting point. smtp auth
                    >> > should be offered only via the submission service, and not via mx service
                    >> > [port 25]. additionally, encryption should be required for submission
                    >> > traffic.
                    >> >
                    >>
                    >> Are you referring to this:
                    >> #smtps inet n - - - - smtpd
                    >
                    > I think he meant the service called "submission". "smtps" is
                    > obsolete, but apparently some software still uses it.

                    Firefox OS Simulator 3.0.1 still prefers, read demands it, smtps over
                    submission sadly enough. Hopefully they fix it or some helpdesks will
                    have a fun time after the release of their first phone.

                    Hans