Right way to force autresponder script to authenticate against postfix

Pau Peris
I'm running Postfix 2.11.1 and I've configured an autoresponder by
adding these lines to Postfix's master.cf:

postfix_response    unix  -       n       n       -       -       pipe
   flags=Rq user=postfix_response
   argv=/var/spool/postfix_response/vacation.pl -f ${sender} -- ${recipient}

The problem is that the vacation.pl script isn't authenticating against
Postfix when trying to send the email via sendmail, and these are my
requirements:

smtpd_relay_restrictions =
                            permit_mynetworks,
                            permit_sasl_authenticated,
                            reject_unauth_destination

When the script tries to autorespond it gets:

 ====== 2016/03/07 13:20:15 ======
[STRIP RECIPIENTS]:  |  | [hidden email]
====== 2016/03/07 13:20:15 ======
[PM]:  | [hidden email]
====== 2016/03/07 13:20:15 ======
[FOUND VACATION]:  |  | [hidden email] | [hidden email] |
[hidden email]
====== 2016/03/07 13:20:15 ======
[SEND RESPONSE] for :
 | FROM: [hidden email] (orig_to: [hidden email])
 | TO: [hidden email]
 | VACATION SUBJECT: test vac
 | VACATION BODY: test vac

    ====== 2016/03/07 13:20:16 ======
Mail::Sendmail said :Mail::Sendmail v. 0.79_16  - Mon Mar  7 13:20:15 2016
Date: Mon, 7 Mar 2016 13:20:15 +0100
Server: localhost Port: 25
From: [hidden email]
Subject: test vac
FAILED To: [hidden email] (554 5.7.1 : Relay access denied)

The question is, does anyone know how I should proceed in order to let the
script authenticate while trying to respond? The ideal would be to
authenticate using the from email address but for privacy matters
there's no access to that password. Does anyone know how I should
proceed?

If I create a specific virtual user to send autoresponse emails then
this user's email address needs to be used in the from field, as this is
a restriction requirement so no one can send emails on behalf of other
users:

smtpd_sender_restrictions =
...
...
                                 reject_authenticated_sender_login_mismatch,

Thanks!

Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:

> smtpd_relay_restrictions =
>                             permit_mynetworks,
>                             permit_sasl_authenticated,
>                             reject_unauth_destination
>     ====== 2016/03/07 13:20:16 ======
> Mail::Sendmail said :Mail::Sendmail v. 0.79_16  - Mon Mar  7 13:20:15 2016
> Date: Mon, 7 Mar 2016 13:20:15 +0100
> Server: localhost Port: 25
> From: [hidden email]
> Subject: test vac
> FAILED To: [hidden email] (554 5.7.1 : Relay access denied)

Add "localhost" to mynetworks (or "127.0.0.1, ::1").

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris

Hi Wietse,

Thanks a lot for your reply, but I already added those addresses when I first configured Postfix, but my restrictions require authentication when sending emails to end destinations which are not localhost.

I'll try to paste my Postfix config tomorrow to see if there's something I should fix/improve.

Thanks!!!

___
Sent from my Android phone, excuse my brevity.


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:
> Hi Wietse,
>
> Thanks a lot for your reply, but I already added those addresses when I
> first configured Postfix, but my restrictions require authentication when
> sending emails to end destinations which are not localhost.

According to this:

 smtpd_relay_restrictions =
                             permit_mynetworks,
                             permit_sasl_authenticated,
                             reject_unauth_destination

you intend to allow relaying from clients that match mynetworks.

However, cut-and-paste from main.cf does not really tell you how
Postfix is configured. Instead, let Postfix tell you:

postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions
postconf -P '*/*/smtpd_recipient_restrictions' '*/*/smtpd_relay_restrictions'

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi Wietse,

Thanks again for your help. Here goes the info, it looks good but
obviously it isn't as long as vacation.pl keeps getting (554 5.7.1 :
Relay access denied).

postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions
mynetworks = 127.0.0.1/32 91.121.120.208/32 [::1]/128
[2001:41d0:1:afd0::1]/128 [fe80::4e72:b9ff:feb1:a60e]/128
smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
permit_sasl_authenticated, check_policy_service
unix:private/policy-spf, reject_unauth_destination,
check_policy_service inet:127.0.0.1:10023, ,permit
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination

postconf -P '*/*/smtpd_recipient_restrictions'
127.0.0.1:10025/inet/smtpd_recipient_restrictions = permit_mynetworks,reject

postconf -P '*/*/smtpd_relay_restrictions'
postconf: warning: unmatched request: "*/*/smtpd_relay_restrictions"


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:

> Hi Wietse,
>
> Thanks again for your help. Here goes the info, it looks good but
> obviously it isn't as long as vacation.pl keeps getting (554 5.7.1 :
> Relay access denied).
>
> postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions
> mynetworks = 127.0.0.1/32 91.121.120.208/32 [::1]/128
> [2001:41d0:1:afd0::1]/128 [fe80::4e72:b9ff:feb1:a60e]/128
> smtpd_recipient_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> permit_sasl_authenticated, check_policy_service
> unix:private/policy-spf, reject_unauth_destination,
> check_policy_service inet:127.0.0.1:10023, ,permit

You have reject_unauth_destination but nothing that permits mail
from localhost.

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi Wietse,

As I stated in the first message, this is why Postfix is rejecting,
right? I mean, I've set reject_unauth_destination and here I'm
trying to send an email to someone whose mail isn't managed by me and
so my Postfix MTA isn't the final destination, is that right?

So if I'm right I'm not looking for an error in the Postfix configuration
but the most appropriate way to set up an autoreply/vacation service.
As far as I know the ideal would be to use as the from address the
recipient the genuine email was sent to, but as I'm forced to
authenticate to send an email and I can't use the user's email address
password I have to think about another way to go.

I was thinking of creating a specific email address for autoreply
messages but I don't feel it's that nice because the from would be
something like [hidden email].

Could you give me your point of view about what would be the proper way to go?

Thanks,

--
Pau Peris Rodriguez
Chief Executive Officer (CEO)
Tel: 669650292
C/Balmes 211, Principal Segunda
Barcelona 08006
http://www.webeloping.es

This email contains confidential information addressed exclusively to
the recipient(s) copied on it. Likewise, its disclosure, copying or
distribution to third parties without prior written authorization from
Pau Peris Rodriguez is prohibited. If you have received this
information in error, please report this circumstance immediately
using the sender's email address.

Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:
> Hi Wietse,
>
> as i stated in the first message this is why postfix is rejecting,
> right?

Yes. I suppose this is not what you want. The choices are
- add permit_mynetworks in smtpd_recipient_restrictions
- add SASL authentication to the Perl script (which is outside
  the help that I can provide).
- submit autoreplies with /usr/sbin/sendmail instead of SMTP.
- something else.

        Wietse
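
The third choice in the list above, sketched in Perl as an added example (it is not part of the original thread and is not the vacation.pl code): the reply is piped to /usr/sbin/sendmail, which queues it without going through smtpd, so the smtpd relay and SASL restrictions quoted earlier are not evaluated. The helper names, the VACATION_* environment variables and the example.com/example.net addresses are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: hand an autoreply to Postfix through the sendmail command
# instead of opening an SMTP connection to localhost:25.
use strict;
use warnings;

# Path named in the thread. VACATION_SENDMAIL is a hypothetical override.
my $SENDMAIL = $ENV{VACATION_SENDMAIL} || '/usr/sbin/sendmail';

# Conservative envelope-address check (an assumption of this example, not
# a full RFC 5321 parser). Both addresses originate from the incoming
# mail, so they are untrusted input.
sub safe_address {
    my ($addr) = @_;
    return 0 unless defined($addr) && length($addr) && length($addr) <= 254;
    return 0 if $addr =~ /[\s\x00-\x1f\x7f]/;       # no whitespace or control chars
    return 0 if $addr =~ /\A-/;                     # must not look like an option
    return $addr =~ /\A[^\@]+\@[^\@]+\z/ ? 1 : 0;   # exactly one "@"
}

# Build the reply. CR/LF in a header value would let the original sender
# inject extra headers into the autoreply, so refuse it.
sub build_message {
    my (%m) = @_;
    for my $field (qw(from to subject)) {
        die "line break in $field header\n" if $m{$field} =~ /[\r\n]/;
    }
    return join "\n",
        "From: $m{from}",
        "To: $m{to}",
        "Subject: $m{subject}",
        'Auto-Submitted: auto-replied',   # RFC 3834 marker for automatic replies
        '',
        $m{body},
        '';
}

sub submit_autoreply {
    my (%m) = @_;
    die "unsafe sender address\n"    unless safe_address($m{from});
    die "unsafe recipient address\n" unless safe_address($m{to});

    # List form of the command: no shell is involved, and "--" ends option
    # parsing so the recipient can never be read as a sendmail option.
    my @cmd     = ($SENDMAIL, '-i', '-f', $m{from}, '--', $m{to});
    my $message = build_message(%m);

    # Hypothetical dry-run switch: return what would be executed and sent.
    if ($ENV{VACATION_DRY_RUN}) {
        return join(' ', @cmd) . "\n" . $message;
    }

    open(my $mta, '|-', @cmd) or die "cannot run $SENDMAIL: $!\n";
    print {$mta} $message;
    close($mta) or die "$SENDMAIL failed, exit status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed sample values. The demo forces a dry run so that it works on
# a machine without Postfix installed.
unless (caller) {
    local $ENV{VACATION_DRY_RUN} = 1;
    print submit_autoreply(
        from    => 'alice@example.com',
        to      => 'bob@example.net',
        subject => 'Out of office',
        body    => 'I am away until Monday.',
    );
}
```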

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi Wietse,

thanks a lot for the list of ways to go.

I'm worried about the security risks of adding
permit_mynetworks to smtpd_recipient_restrictions. What do you think
about this? Would you see it as a security flaw?

I could easily modify the Perl script to provide authentication against
Postfix but this way would force me to create a user/password for
managing autoreply emails.

If I'd go by the third option, sending through sendmail instead of
SMTP, I would lose the headers automatically set by Postfix.

I'm about to take option 2, what do you think between options 1 and 2?

Thanks again!


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:
> If I'd go by the third option, sending through sendmail instead of
> SMTP, I would lose the headers automatically set by Postfix.

Where did you get that idea from?

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
I'm sorry, I think I completely misunderstood option 3. I thought
using sendmail would bypass Postfix completely. I assume this is wrong
and it will still make use of the Postfix MTA? So it makes no difference
whether sendmail or SMTP is used at the "application/programming language" level?

Thanks!


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
The third option was:
- submit autoreplies with /usr/sbin/sendmail instead of SMTP.

Pau Peris:
> If I'd go by the third option, sending through sendmail instead of
> SMTP, I would lose the headers automatically set by Postfix.

Wietse:
> Where did you get that idea from?

Pau Peris:
> I'm sorry, I think I completely misunderstood option 3. I thought
> using sendmail would bypass Postfix completely. I assume this is wrong
> and it will still make use of Postfix mta? So it makes no difference
> on using sendmail or SMTP at "application/programming language" level?

/usr/sbin/sendmail should be part of Postfix, or at least a symlink
that points to some part of Postfix.

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Ok, thanks!!


Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hello again,

As I didn't work on Postfix over the last year I've been digging
around the config and the manuals at postfix.org before choosing any
of the previously exposed options.

By now, I was trying to go for option two so I created a specific user
for each of the domains managed by the Postfix MTA. The idea is to let the
vacation script make use of this user to authenticate against
Postfix while trying to send the vacation email. As this Postfix
instance manages multiple domains I've updated the script so it uses
the appropriate user to authenticate against Postfix depending on the
recipient's domain. I.e., recipient [hidden email] has vacation mode
on, then the vacation script tries to log in against Postfix through
[hidden email] but if [hidden email] has vacation mode on then the
vacation script would try to log in against Postfix as
[hidden email].

While the previous behaviour works fine I'm having issues exposing
[hidden email] as owner of the recipient address. I mean, my
Postfix instance enforces
reject_authenticated_sender_login_mismatch
in smtpd_sender_restrictions, so I've added the following
statement smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf which implements
the following query:
SELECT
IF( STRCMP('%s',CONCAT_WS('@','vacation', '%d') )=0,
CONCAT_WS( ',','vacation@%d', CONCAT_WS( ',','%s', GROUP_CONCAT(a.mail
SEPARATOR ',') ) ),
CONCAT_WS(',','%s', GROUP_CONCAT(a.mail SEPARATOR ', ') )
)AS id
FROM `users` AS u
LEFT JOIN `aliases` AS a
ON LOCATE( u.id, a.destination ) AND a.enabled IS TRUE
WHERE u.id = '%s'
AND u.enabled IS TRUE
GROUP BY u.id

As you can see, this query searches %s in the users table, and also searches %s
in the aliases table, so if %s matches destination inside aliases then %s
will be granted to send emails on behalf of aliases.mail (from email
address). Last, this query tries to know if the vacation user tries to
send an email; if so then it will always get granted as owner.
Although the SQL sentence works fine, I need in the SQL sentence the
user used to authenticate against Postfix. So my questions are:
* Is it possible to pass as parameter or whatever the user used to
authenticate against Postfix? Which will not always match the from
email address. I would like to know if the vacation user was the one who
tried to send the email; if so I will always grant sending on behalf of
someone else.
* Is it possible to authenticate against Postfix through the crypted
password? I mean, once I know the from address, the vacation script can
log in to MySQL, get his crypted password and then try to
authenticate through a custom SQL query or whatever using this crypted
password and finally try to send the email. This way
reject_authenticated_sender_login_mismatch won't jump.

Last option is to send the email through the sendmail binary but I
would like to be able to use the authenticate behaviour. If someone
knows a better way to authenticate just let me know.

Hope someone can help to solve these doubts.

Sincerely,


Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi,

Does someone know if it's possible to:

* Pass a parameter to smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf so I can use this
parameter inside the query?

* Authenticate against Postfix through the crypted password? I mean, if
I know a crypted password and its email address, can I try to log in
through any kind of service/process?

Thanks!


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:
> Hi,
>
> do someone know if it's possible to:
>
> * Pass as parameter to smtpd_sender_login_maps =
> proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf so i can use this
> parameter inside the query?

The Postfix SMTP server makes the following queries and stops at
the first match.

       1) user@domain (complete sender address)
       2) user
       3) @domain

The lookup result is a list of SASL login names.

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

> *Authenticate against Postfix through the crypted password? I mean, if

The Postfix SMTP server will not search smtpd_sender_login_maps
when the client is not authenticated.

        Wietse

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi Wietse,

thanks a lot for the reply.

I understand how sender login maps work as I implemented this feature
about 2 years ago and it looks to be working without issues.

By your reply should I assume it's not possible to pass extra
parameters to the SQL query sentence?

Also, I suppose there's no way to authenticate against Postfix through
the crypted password. By the way, I use PAM to get to the SQL backend.

Thanks again,


Re: Right way to force autresponder script to authenticate against postfix

Wietse Venema
Pau Peris:
> By your reply should i assume it's not possible to pass extra
> parameters to the SQL query sentence?

The Postfix SMTP smtpd_sender_login_maps feature makes the following
queries:

    1) user@domain (complete sender address)
    2) user
    3) @domain

Those Postfix queries contain no SQL parameters.

You may add SQL parameters in the mysql_sender_login_maps.cf file,
but those parameters will be the same for every query.

> Also, i suppose there's no way to authenticate against Postfix through
> the crypted password. By the way, i use pam to get to the SQL backend.

That depends on the SASL authentication mechanism. Postfix does not
authenticate clients, it is only a proxy between the client and the
SASL library (or Dovecot).

Coming back to the original question, why would you ever need SASL
for an autoresponder?

        Wietse
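
The lookup order Wietse gives in this message and in his previous reply, as a simplified Perl model added here (it is not Postfix code and not from the thread): the table is keyed on the sender address only, the first matching key ends the search, and an authenticated login is accepted only if it appears in that one result. The map contents, the local-domain list and the function names are constructed for illustration; the condition on the bare "user" lookup follows postconf(5).

```perl
#!/usr/bin/perl
# Added example: simplified model of smtpd_sender_login_maps lookups and of
# the reject_authenticated_sender_login_mismatch decision.
use strict;
use warnings;

# Constructed stand-in for the table behind smtpd_sender_login_maps:
# lookup key => SASL login names, separated by commas and/or whitespace.
my %login_map = (
    'alice@example.com' => 'alice@example.com',
    'carol@example.com' => 'carol@example.com, vacation@example.com',
    '@example.com'      => 'vacation@example.com',
);

# Domains for which the bare "user" key is tried. postconf(5) limits that
# lookup to local domains ($myorigin, $mydestination, ...). Constructed.
my %local_domain = ('mail.example.com' => 1);

# Keys in the order they are tried: user@domain, user, @domain.
sub lookup_keys {
    my ($sender) = @_;
    my ($user, $domain) = $sender =~ /\A(.+)\@([^\@]+)\z/;
    return ($sender) unless defined $domain;
    my @keys = ($sender);
    push @keys, $user if $local_domain{lc $domain};
    push @keys, "\@$domain";
    return @keys;
}

# The first key that exists ends the search; later keys are never
# consulted, even when the first result does not list the login.
sub owners_of {
    my ($sender) = @_;
    for my $key (lookup_keys($sender)) {
        next unless exists $login_map{$key};
        return grep { length } split /[,\s]+/, $login_map{$key};
    }
    return;
}

# The lookup key is the envelope sender (MAIL FROM). The SASL login is only
# compared against the result; it is never part of the query.
sub sender_login_check {
    my ($sasl_login, $mail_from) = @_;
    return 'not checked (client not authenticated)'
        unless defined $sasl_login;
    my $owns = grep { $_ eq $sasl_login } owners_of($mail_from);
    return $owns ? 'accepted' : "rejected (not owned by $sasl_login)";
}

unless (caller) {
    my @cases = (
        [ 'alice@example.com',    'alice@example.com' ],
        # The exact key for alice exists and lists only alice, so the
        # @example.com entry that names the vacation login is never reached.
        [ 'vacation@example.com', 'alice@example.com' ],
        # carol's own entry names the vacation login explicitly.
        [ 'vacation@example.com', 'carol@example.com' ],
        # No exact key for dave: the search falls through to @example.com.
        [ 'vacation@example.com', 'dave@example.com'  ],
        [ undef,                  'alice@example.com' ],
    );
    for my $case (@cases) {
        my ($login, $from) = @$case;
        printf "%-22s MAIL FROM %-18s => %s\n",
            defined $login ? $login : '(none)', $from,
            sender_login_check($login, $from);
    }
}
```

A shared autoreply login that is listed as owner of many addresses can submit mail as any of them, so its credentials need the same protection as the most privileged mailbox it covers.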

Re: Right way to force autresponder script to authenticate against postfix

Pau Peris
Hi Wietse,

thanks a lot for your replies.

I've integrated a custom vacation script (similar to the famous
vacation.pl which comes with postfixadmin). So users can enable
vacation/autoreply in Roundcube for example; once they check
vacation/autoreply a new alias is created inside aliases with a
special domain suffix, so when Postfix tries to send emails to users at
this "special domain suffix" then a new transport is used which
finally triggers this custom vacation.pl script.

The thing is I enabled reject_authenticated_sender_login_mismatch so
the script needs to authenticate using the same credentials as the
recipient, as the user logged into Postfix needs to match the from
header in the email. So the options are the ones you exposed above:
- Send autoreply emails through the sendmail binary.
- Log in using the same credentials as the from headers.
- Or log in with some autoreply user and use this account in the from headers.

By now I was looking for a way to send email using as credentials the
ones in the from headers.
