Multiple sasl configuration


Multiple sasl configuration

Emmanuel Jaep

Hello,

I am currently managing a server that is used to send emails for multiple domains.

The main.cf currently looks like this:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = hostname.domain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = $myhostname, hostname, localhost.localdomain, , localhost
    relayhost = relay1.example.com:465
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtp_sasl_mechanism_filter =
    smtp_sasl_security_options =
    smtp_tls_security_level = encrypt
    smtp_tls_wrappermode = yes
    smtp_tls_mandatory_ciphers = high
    canonical_maps = hash:/etc/postfix/canonical_maps
    sender_canonical_maps = hash:/etc/postfix/sender_canonical_maps
    header_checks = regexp:/etc/postfix/header_checks
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost_maps

The /etc/postfix/sasl/passwd looks like this:

    relay1.example.com:465               username:password
    relay2.dummy.com:465                 username:password

Finally, the sender_dependent_relayhost_map looks like this:

    @example.com relay1.example.com:465
    @dummy.com relay2.dummy.com:465

Now, one of our customers would like to use an open relay (security is ensured by IP filtering).

Simply adding a line in the sender_dependent_relayhost_map does not seem to do the trick:

    @customer.com               openrelay.customer.com:25

Postfix still tries to use sasl to authenticate to that server. My question is the following: Is there a way to use sasl (or not) on a per relay basis?

Thanks in advance for any pointer in the right direction,

Emmanuel

Re: Multiple sasl configuration

Wietse Venema
Emmanuel Jaep:
> Postfix still tries to use sasl to authenticate to that server. My
> question is the following: Is there a way to use sasl (or not) on
> a per relay basis?

Typically postfix blocks relaying with something like:

    smtpd_relay_restrictions =
        permit_mynetworks, permit_sasl_authenticated ...

The easiest 'fix' is to append the remote server's IP address (or
a network/mask pattern) to your mynetworks setting.

        Wietse

Re: Multiple sasl configuration

Emmanuel Jaep
Hi Wietse,

Thanks for the quick reply.
Typically, I could update the mynetworks line in main.cf, stating:
mynetworks  = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 openrelay.customer.com:25

and keep the line within the sender_dependent_relayhost_map.

Did I get you right?

Emmanuel

On 22.10.18, 16:11, "Wietse Venema" <[hidden email] on behalf of [hidden email]> wrote:

    permit_mynetworks

Re: Multiple sasl configuration

Wietse Venema
Emmanuel Jaep:
> Hi Wietse,
>
> Thanks for the quick reply.
> Typically, I could update the mynetworks line to main.cf stating:
> mynetworks  = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 openrelay.customer.com:25

This means that you have a lookup table named '25' that is
accessed with the 'openrelay.customer.com' driver.

I was thinking of listing the server's IP address (or hostname, but
that can block mail falsely when DNS lookup fails due to some network
glitch).

        Wietse

Re: Multiple sasl configuration

Emmanuel Jaep
Hi,

I just tried the configuration you were proposing:

main.cf:
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 openrelay.customer.com
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

But I keep on getting:
    postfix/smtp[2540]: SSL_connect error to openrelay.customer.com [xx.xx.xx.xx]:25: -1
    postfix/smtp[2540]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c

I believe that the parameters
    smtpd_use_tls=yes
    smtp_sasl_auth_enable = yes

are forcing the use of sasl...

Emmanuel

Re: Multiple sasl configuration

Viktor Dukhovni


> On Oct 22, 2018, at 11:01 AM, Emmanuel Jaep <[hidden email]> wrote:
>
> I just tried the configuration you were proposing:
> Main.cf
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 openrelay.customer.com
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Those are Postfix SMTP *server* settings that only affect *inbound* email.

> But I keep on getting:
> postfix/smtp[2540]: SSL_connect error to openrelay.customer.com [xx.xx.xx.xx]:25: -1
> postfix/smtp[2540]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c

These are logs from the Postfix SMTP *client*, trying to send *outbound* email.
They are completely unrelated.

> I believe that the parameters
> smtpd_use_tls=yes

This is an unrelated *server* setting.

> smtp_sasl_auth_enable = yes

This enables SASL outbound, but can't possibly cause TLS/SSL connection problems.
DO NOT confuse SSL and SASL.

> are forcing to use sasl...

No.  The real issue is that "openrelay.customer.com" has non-working STARTTLS.

--
        Viktor.


Re: Multiple sasl configuration

Emmanuel Jaep
Hi Viktor,

Thanks for the clarification. You are absolutely right, I must be mixing up SSL and SASL. I'll make sure that it is clear to me tonight.

You are also right that openrelay.customer.com has a non-working STARTTLS. They actually have neither authentication nor encryption. This is actually my current 'challenge': how to set this relay up without encryption and authentication while keeping our current config for other relays (encryption + authentication).

Emmanuel

Re: Multiple sasl configuration

Viktor Dukhovni
> On Oct 22, 2018, at 1:05 PM, Emmanuel Jaep <[hidden email]> wrote:
>
> You are also right that openrelay.customer.com has a non-working STARTTLS. They actually have neither authentication nor encryption. This is actually my current 'challenge': how to set this relay up without encryption and authentication while keeping our current config for other relays (encryption + authentication).

You can configure a separate transport for this destination.  In the
master.cf entry for that transport (clone of "smtp unix" under a different
name) you can change the SASL options as needed for that destination.

As for TLS, you can, if needed, use smtp_tls_policy_maps to change the
TLS security level for that domain, or make the change in the dedicated
transport in master.cf.

--
        Viktor.
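As an added example (not Viktor's own configuration), here is one way to lay out the dedicated transport he describes, using the relay names and settings already in this thread. The transport name `plainrelay` and the map file paths are assumptions chosen for the example.

```text
# ---- master.cf: clone of the "smtp unix" entry under a new name ----
# Only mail routed to this transport gets the overrides; the global
# smtp_tls_security_level=encrypt, smtp_tls_wrappermode=yes and SASL
# settings in main.cf keep applying to relay1 and relay2.
# (The transport name "plainrelay" is an assumption, not from the thread.)
plainrelay unix  -       -       y       -       -       smtp
    -o smtp_sasl_auth_enable=no
    -o smtp_tls_security_level=none
    -o smtp_tls_wrappermode=no
    -o syslog_name=postfix/plainrelay

# ---- main.cf additions ----
# Route by envelope sender domain, like sender_dependent_relayhost_maps,
# but selecting a transport (plus next-hop) instead of only a next-hop.
# Also revert the earlier mynetworks change: that is an inbound smtpd
# setting and would let openrelay.customer.com relay through this server.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# ---- /etc/postfix/sender_transport (run "postmap" after editing) ----
# Brackets suppress the MX lookup for the next-hop. The @customer.com line
# in sender_dependent_relayhost_maps becomes redundant and can be removed.
@customer.com    plainrelay:[openrelay.customer.com]:25

# ---- Alternative for the TLS part: a per-destination policy ----
# Instead of -o smtp_tls_security_level=none above, the level can be set
# per next-hop; the key must match the next-hop exactly as written above.
# main.cf:                  smtp_tls_security_level = encrypt
#                           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# /etc/postfix/tls_policy:  [openrelay.customer.com]:25    none
```

After reloading, `postconf -M plainrelay/unix` shows the cloned entry, and a test message from a customer.com sender should be logged under postfix/plainrelay with no SASL or TLS attempt, while mail for the other domains still logs enforced TLS to relay1/relay2.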


Re: Multiple sasl configuration

B. Reino
On Mon, 22 Oct 2018, Emmanuel Jaep wrote:

> You are also right that openrelay.customer.com has a non-working
> STARTTLS. They actually have neither authentication nor encryption. This
> is actually my current 'challenge': how to set this relay up without
> encryption and authentication while keeping our current config for other
> relays (encryption + authentication).

If OK, you might also want to change:

  smtp_tls_security_level = encrypt
to
  smtp_tls_security_level = may

so that TLS is opportunistic rather than enforced.

Cheers,

--
Bernardo.