connection between relays


connection between relays

Héctor Moreno Blanco

Hello everyone,

We have our mail relays. In these relays we check the users' aliases in our LDAP.

Furthermore, we want other servers to relay through ours, authenticating with a fixed user via sasl_password, but I can't make this work.

This is our config, postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix-2.2.8-documentation/html
inet_protocols = ipv4
local_recipient_maps = ldap:/etc/postfix/validUser.cf $alias_maps
local_transport = smtp:[192.168.100.203]:25
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
matchlogin_bind = yes
matchlogin_bind_dn = cn=mailuser,dc=domain,dc=es
matchlogin_bind_pw = **********
matchlogin_query_filter = (|(mail=%s)(mailAlternateAddress=%s))
matchlogin_result_attribute = uid
matchlogin_scope = sub
matchlogin_search_base = idnc=usuarios,dc=domain,dc=es
matchlogin_server_host = ldaps://virt_ldap
matchlogin_server_port = 636
matchlogin_timeout = 10
matchlogin_version = 3
maximal_queue_lifetime = 5d
message_size_limit = 30000000
mydestination = /etc/postfix/dominiosMigrados
mydomain = my.domain.es
myhostname = relay.domain.es
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = relay.domain.es
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.8-documentation/readme
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
relayhost = [192.168.100.212]
sample_directory = /etc/postfix
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_banner = relay.domain.es ESMTP DOMAIN Mail Server
smtpd_client_restrictions = check_client_access hash:/etc/postfix/emisores-prohibidos
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_overshoot_limit = 100
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:matchlogin
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/emisores-prohibidos
smtpd_timeout = 300s
smtpd_tls_CAfile = /var/SGI/certificados/certificados2012/TERENASSLCA.crt
smtpd_tls_cert_file = /var/SGI/certificados/certificados2012/certificate.crt
smtpd_tls_key_file = /var/SGI/certificados/certificados2012/certificate_nopass.pem
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = ldap:/etc/postfix/ldapListasTransport.cf, ldap:/etc/postfix/ldapUsuariosLocalesTransport.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

On the other servers that connect to ours, the configuration is similar, but relaying to our server.

We created the sasl_password file with this:

192.168.13.19    user:password

And in the main.cf:

smtpd_sasl_auth_enable = yes
#smtpd_sasl_application_name = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

On our servers it keeps showing this error:

Dec 17 16:54:45 relay postfix/smtpd[19444]: NOQUEUE: reject: RCPT from unknown[192.168.13.50]: 553 5.7.1 <[hidden email]>: Sender address rejected: not logged in; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<estafeta2.relay.es>

Which is normal, because it can't check the user's identity.

Is there anything I'm missing in order to communicate between our servers?

Thank you very much in advance.

Kind regards.

Héctor Moreno Blanco.




Re: connection between relays

Wietse Venema
Héctor Moreno Blanco:

> We have our mail relays. In these relays we check the users aliases
> in our LDAP.
>
> Furthermore, we want other servers to relay on our sides authenticating
> with a fix user with sasl_password, but I can't make this work.
>
> smtpd_sender_login_maps = ldap:matchlogin
> smtpd_recipient_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> permit_mynetworks, reject_sender_login_mismatch,
> permit_sasl_authenticated, reject_unauth_destination
...
> Dec 17 16:54:45 relay postfix/smtpd[19444]: NOQUEUE: reject: RCPT from unknown[192.168.13.50]: 553 5.7.1 <[hidden email]>: Sender address rejected: not logged in; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<estafeta2.relay.es>
>
> Which is normal, because it can't check the users identity.
>
> Is there anything I'm missing in order to communicate between our servers?

Don't use reject_sender_login_mismatch for mail from a trusted relay
host.

smtpd_recipient_restrictions = reject_unauth_pipelining,
       reject_non_fqdn_sender, reject_non_fqdn_recipient,
       reject_unknown_sender_domain, reject_unknown_recipient_domain,
       permit_mynetworks, reject_sender_login_mismatch,
       permit_sasl_authenticated, reject_unauth_destination

Add the trusted relay hosts (or better, their network range) to
main.cf:mynetworks.

        Wietse
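As an added illustration, not Postfix code and not part of Wietse's reply, the function below models how smtpd walks the restriction list quoted above, so the rejection in the log and the effect of adding the relay's network to mynetworks can be reproduced offline. The sender owner "hmoreno", the login "relayuser" and the network 192.168.13.0/24 are constructed placeholders.

```python
import ipaddress

# The smtpd_recipient_restrictions list from the thread, in evaluation order.
RESTRICTIONS = [
    "reject_unauth_pipelining", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain", "permit_mynetworks",
    "reject_sender_login_mismatch", "permit_sasl_authenticated",
    "reject_unauth_destination",
]


def evaluate(client_ip, mynetworks, sasl_user=None, sender_owners=(),
             relay_domain=True, restrictions=RESTRICTIONS):
    """Simplified model (not Postfix code) of smtpd_recipient_restrictions.

    Returns (verdict, restriction) for the first restriction that decides.
    sender_owners stands for what smtpd_sender_login_maps returns for the
    MAIL FROM address; relay_domain says whether the recipient domain is one
    this server accepts mail for.  The syntax and DNS checks at the head of
    the list are assumed to pass, as they did in the quoted log line.
    """
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "PERMIT", r
        elif r == "reject_sender_login_mismatch":
            # Fires when the sender has an owner but the client is not
            # logged in, or when it is logged in as someone else.
            if sender_owners and sasl_user is None:
                return "REJECT 553 5.7.1 Sender address rejected: not logged in", r
            if sasl_user is not None and sasl_user not in sender_owners:
                return "REJECT 553 5.7.1 Sender address rejected: not owned by user", r
        elif r == "permit_sasl_authenticated":
            if sasl_user is not None:
                return "PERMIT", r
        elif r == "reject_unauth_destination":
            if not relay_domain:
                return "REJECT 554 5.7.1 Relay access denied", r
    return "DUNNO", None


if __name__ == "__main__":
    # The situation in the log: 192.168.13.50 is outside mynetworks, sends
    # without SASL, and the sender address has an owner in LDAP.
    print(evaluate("192.168.13.50", ["127.0.0.0/8"], sender_owners=("hmoreno",)))
    # Wietse's fix: the relay's network range is listed in mynetworks.
    print(evaluate("192.168.13.50", ["127.0.0.0/8", "192.168.13.0/24"],
                   sender_owners=("hmoreno",)))
```

Evaluated for a client that authenticated as a shared "relayuser" while the sender address belongs to another login, the function returns "not owned by user", so a fixed SASL account alone would not have passed this restriction list either, which is why the reply trusts the relay by network instead. Separately, the sending side in the post sets smtpd_sasl_* (server-side) parameters, whereas the Postfix SMTP client reads smtp_sasl_auth_enable and smtp_sasl_password_maps, with the password map keyed by the relayhost.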

RE: connection between relays

Héctor Moreno Blanco
>Héctor Moreno Blanco:
>> We have our mail relays. In these relays we check the users aliases in
>> our LDAP.
>>
>> Furthermore, we want other servers to relay on our sides
>> authenticating with a fix user with sasl_password, but I can't make this work.
>>
>> smtpd_sender_login_maps = ldap:matchlogin
>>smtpd_recipient_restrictions = reject_unauth_pipelining,
>>      reject_non_fqdn_sender, reject_non_fqdn_recipient,
>>      reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>      permit_mynetworks, reject_sender_login_mismatch,
>>      permit_sasl_authenticated, reject_unauth_destination
>...
>> Dec 17 16:54:45 relay postfix/smtpd[19444]: NOQUEUE: reject: RCPT from
>> unknown[192.168.13.50]: 553 5.7.1 <[hidden email]>: Sender address
>>> rejected: not logged in; from=<[hidden email]>
>> to=<[hidden email]> proto=ESMTP helo=<estafeta2.relay.es>
>>
>> Which is normal, because it can't check the users identity.
>>
>> Is there anything I'm missing in order to communicate between our servers?
>
> Don't use reject_sender_login_mismatch for mail from a trusted relay host.
>
> smtpd_recipient_restrictions = reject_unauth_pipelining,
>       reject_non_fqdn_sender, reject_non_fqdn_recipient,
>       reject_unknown_sender_domain, reject_unknown_recipient_domain,
>       permit_mynetworks, reject_sender_login_mismatch,
>       permit_sasl_authenticated, reject_unauth_destination
>
> Add the trusted relay hosts (or better, their network range) to main.cf:mynetworks.
>
>       Wietse

Hello Wietse,

Is it possible to do this connection between relays with certificates?

Thank you very much in advance.
Kind regards.

Héctor Moreno Blanco.



Re: connection between relays

Noel Jones-2
On 2/3/2014 5:29 AM, Héctor Moreno Blanco wrote:

>> Héctor Moreno Blanco:
>>> We have our mail relays. In these relays we check the users aliases in
>>> our LDAP.
>>>
>>> Furthermore, we want other servers to relay on our sides
>>> authenticating with a fix user with sasl_password, but I can't make this work.
>>>
>>> smtpd_sender_login_maps = ldap:matchlogin
>>> smtpd_recipient_restrictions = reject_unauth_pipelining,
>>>      reject_non_fqdn_sender, reject_non_fqdn_recipient,
>>>      reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>>      permit_mynetworks, reject_sender_login_mismatch,
>>>      permit_sasl_authenticated, reject_unauth_destination
>> ...
>>> Dec 17 16:54:45 relay postfix/smtpd[19444]: NOQUEUE: reject: RCPT from
>>> unknown[192.168.13.50]: 553 5.7.1 <[hidden email]>: Sender address
>>>> rejected: not logged in; from=<[hidden email]>
>>> to=<[hidden email]> proto=ESMTP helo=<estafeta2.relay.es>
>>>
>>> Which is normal, because it can't check the users identity.
>>>
>>> Is there anything I'm missing in order to communicate between our servers?
>>
>> Don't use reject_sender_login_mismatch for mail from a trusted relay host.
>>
>> smtpd_recipient_restrictions = reject_unauth_pipelining,
>>       reject_non_fqdn_sender, reject_non_fqdn_recipient,
>>       reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>       permit_mynetworks, reject_sender_login_mismatch,
>>       permit_sasl_authenticated, reject_unauth_destination
>>
>> Add the trusted relay hosts (or better, their network range) to main.cf:mynetworks.
>>
>>       Wietse
>
> Hello Wietse,
>
> Is it possible to do this connection between relays with certificates?


Yes, you can use certificates to control access.  Please see:
http://www.postfix.org/TLS_README.html#server_access



  -- Noel Jones