ignore SASL/Auth to specific server (internal exchange relay)


Stefan Bauer-2
Hi,

We receive mails from $world and forward them to an internal Exchange server.

Exchange is offering STARTTLS and AUTH:

root@gate01:~# telnet 192.168.124.5 2525
Trying 192.168.124.5...
Connected to 192.168.124.5.
Escape character is '^]'.
220 ex01 Microsoft ESMTP MAIL Service ready at Tue, 11 Dec 2018 19:07:13 +0100
250-gate01 Hello [192.168.124.251]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOWREQUEST

Postfix gets ... during address verification.

Dec 11 19:27:18 postgate01 postfix/postscreen[583]: DISCONNECT [client]:57636
Dec 11 19:27:18 postgate01 postfix/smtp[574]: 5586D101077: to=<[hidden email]>, relay=192.168.124.5[192.168.124.5]:2525, delay=11, delays=1/0.02/10/0, dsn=4.7.3, status=undeliverable (SASL authentication failed; server 192.168.124.5[192.168.124.5] said: 535 5.7.3 Authentication unsuccessful)

How can we ignore AUTH and STARTTLS and just go on?

Telnet shows the dialog I expect:

Outgoing mails get relayed through a smarthost, so this is where all the client TLS settings interfere, I guess :/

Re: ignore SASL/Auth to specific server (internal exchange relay)

Wietse Venema
Stefan Bauer:

> Hi,
>
> we receive mails from $world and forward them to internal exchange server.
>
> Exchange is offering STARTTLS and AUTH
>
> root@gate01:~# telnet 192.168.124.5 2525
> Trying 192.168.124.5...
> Connected to 192.168.124.5.
> Escape character is '^]'.
> Dec 11 19:27:18 postgate01 postfix/postscreen[583]: DISCONNECT
> [client]:57636
> Dec 11 19:27:18 postgate01 postfix/smtp[574]: 5586D101077: to=<
> [hidden email]>, relay=192.168.124.5[192.168.124.5]:2525, delay=11,
> delays=1/0.02/10/0, dsn=4.7.3, status=undeliverable (SASL authentication
> failed; server 192.168.124.5[192.168.124.5] said: 535 5.7.3 Authentication
> unsuccessful)
>
> how can we ignore AUTH and STARTTLS and just go on?

If you don't want Postfix to send AUTH to this server,
then do not configure Postfix to send AUTH to this server.

        Wietse

Re: ignore SASL/Auth to specific server (internal exchange relay)

Stefan Bauer-2
I don't see a way to have AUTH&TLS to all of our relayhosts but not for this internal host.

sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous

root@postgate01:/etc/postfix# more relayhost_maps
@domain1.de [securerelay.tld]:25
@domain2.de [securerelay.tld]:25


root@postgate01:/etc/postfix# more transport

So how to not use AUTH&TLS at all to 192.168.124.5:2525?


Re: ignore SASL/Auth to specific server (internal exchange relay)

Viktor Dukhovni
To use host-specific rather than sender-dependent authentication,
you'll need a separate transport for the relay(s) in question,
with "smtp_sender_dependent_authentication = no" for that
transport.

> On Dec 11, 2018, at 2:37 PM, Stefan Bauer <[hidden email]> wrote:
>
> I don't see a way to have AUTH&TLS to all of our relayhosts but not for this internal host.
>
> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
> smtp_sender_dependent_authentication = yes
> smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
> smtp_sasl_auth_enable = yes
> smtp_tls_security_level = may
> smtp_sasl_security_options = noanonymous
>
> root@postgate01:/etc/postfix# more relayhost_maps
> @domain1.de [securerelay.tld]:25
> @domain2.de [securerelay.tld]:25
>

--
        Viktor.

Re: ignore SASL/Auth to specific server (internal exchange relay)

Stefan Bauer-2
Can you recommend appropriate manual(s)? I don't understand what you mean by separate transport.





Re: ignore SASL/Auth to specific server (internal exchange relay)

Viktor Dukhovni
> On Dec 11, 2018, at 3:41 PM, Stefan Bauer <[hidden email]> wrote:
>
> Can you recommend appropriate manual(s)? I don't understand what you mean by separate transport.

http://www.postfix.org/master.5.html
http://www.postfix.org/transport.5.html
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/FILTER_README.html#advanced_filter
  ( Advanced content filter: sending unfiltered mail to the content filter )

Also the Postfix book by Patrick Koetter and Ralf Hildebrandt.

--
        Viktor.

Re: ignore SASL/Auth to specific server (internal exchange relay)

Stefan Bauer-2
Thank you for your help!

If I understood you correctly, I set in transport:

domain1.de                exchange:

In master.cf

exchange  unix -       -       n       -       -       smtp
 -o smtp_sender_dependent_authentication=no
 -o transport_maps=hash:/etc/postfix/transport_internal

And in transport_internal

domain1.de            smtp:192.168.124.5:2525

But this way, Postfix is doing an MX lookup for domain1.de and not honoring transport_internal, as it seems.

Is this basically the right path?



Re: ignore SASL/Auth to specific server (internal exchange relay)

Wietse Venema
Stefan Bauer:

> Thank you for your help!
>
> If I understood you correctly, I set in transport:
>
> domain1.de                exchange:
>
> In master.cf
>
> exchange  unix -       -       n       -       -       smtp
>  -o smtp_sender_dependent_authentication=no
>  -o transport_maps=hash:/etc/postfix/transport_internal
>
> And in transport_internal
>
> domain1.de            smtp:192.168.124.5:2525
>
> but this way, postfix is doing a MX-lookup for domain1.de and not honoring
> transport_internal as it seems.

Transport map lookups happen before choosing the SMTP client,
therefore you made a mistake updating the transport map.

Try:
postmap -q domain1.de hash:/path/to/transport

        Wietse

Re: ignore SASL/Auth to specific server (internal exchange relay)

Viktor Dukhovni
In reply to this post by Stefan Bauer-2
> On Dec 11, 2018, at 4:40 PM, Stefan Bauer <[hidden email]> wrote:
>
> exchange  unix -       -       n       -       -       smtp
>  -o smtp_sender_dependent_authentication=no
>  -o transport_maps=hash:/etc/postfix/transport_internal

No, the "transport_maps" setting goes in main.cf.  Transport
lookups are global.

See: http://www.postfix.org/OVERVIEW.html

--
        Viktor.

Re: ignore SASL/Auth to specific server (internal exchange relay)

Stefan Bauer-2
I already have a transport_maps in main.cf in place:
transport_maps=hash:/etc/postfix/transport

domain1.de                exchange:

How can I set another transport_maps setting in main.cf as you recommend?


Re: ignore SASL/Auth to specific server (internal exchange relay)

Viktor Dukhovni
> On Dec 12, 2018, at 1:36 AM, Stefan Bauer <[hidden email]> wrote:
>
> I already have a transport_maps in main.cf in place:
> transport_maps=hash:/etc/postfix/transport
>
> domain1.de                exchange:
>
> How can I set another transport_maps setting in main.cf as you recommend?

I never recommended "another transport_maps" definition, I recommended
a table *entry* that sends mail to the non-SASL relay via a different
transport than mail to the relays that require SASL.  If you already
have that, then all you need to do is disable per-send SASL auth for
that transport.

--
        Viktor.

Re: ignore SASL/Auth to specific server (internal exchange relay)

Daniel L. Miller
In reply to this post by Stefan Bauer-2

Not wanting to get in the way of the experts but this may help:

An oversimplified view of the transport map is it tells Postfix what line in master.cf to use for a given recipient domain (or full address).  There's only one transport map but it can have several lines for individual decisions.

Wietse's email told you to perform a command-line test to verify your transport map is set up correctly.  So do that first.

The definitions in master.cf tell Postfix where to listen and where to send the message.  So with an explicit transport mapping, using master.cf you provide explicit overrides to the defaults or global settings from main.cf.  So if the only "special" behavior you need for the exchange transport is no sasl:

exchange  unix -       -       n       -       -       smtp
 -o smtp_sender_dependent_authentication=no

Daniel

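
An added example, not part of the original thread and not Postfix code: a small Python check run over the entries as posted and over a corrected pair, applying the transport(5) rule that an empty nexthop falls back to the recipient domain and the point made in the replies that transport lookups are global. The bracketed nexthop `[192.168.124.5]:2525`, the constant and function names, and the reliance on main.cf keeping `smtp_sender_dependent_authentication = yes` as shown earlier are assumptions of this example.

```python
import re

# Constructed inputs: the entries as posted in the thread, and a corrected
# pair. The bracketed nexthop is an assumption built from the poster's
# transport_internal line; brackets switch off MX lookups (transport(5)).
POSTED_TRANSPORT = "domain1.de    exchange:\n"
POSTED_MASTER = """\
exchange  unix -       -       n       -       -       smtp
 -o smtp_sender_dependent_authentication=no
 -o transport_maps=hash:/etc/postfix/transport_internal
"""
FIXED_TRANSPORT = "domain1.de    exchange:[192.168.124.5]:2525\n"
FIXED_MASTER = """\
exchange  unix -       -       n       -       -       smtp
 -o smtp_sender_dependent_authentication=no
"""

def parse_transport(text):
    """Map each pattern of a transport(5) table to (transport, nexthop)."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        transport, _, nexthop = result.strip().partition(":")
        table[pattern] = (transport, nexthop)
    return table

def master_overrides(text, service):
    """Collect the -o name=value overrides of one master.cf service."""
    overrides, active = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a new service entry starts here
            active = line.split()[0] == service
        if active:
            overrides.update(re.findall(r"-o\s+([^\s=]+)\s*=\s*(\S+)", line))
    return overrides

def audit(transport_text, master_text, domain):
    """Return routing and SASL findings for a domain that has a table entry."""
    transport, nexthop = parse_transport(transport_text)[domain]
    findings = []
    if not nexthop:
        findings.append("empty nexthop: recipient domain is used, with MX lookup")
    elif not nexthop.startswith("["):
        findings.append("nexthop without [brackets]: MX lookup on the nexthop")
    overrides = master_overrides(master_text, transport)
    if "transport_maps" in overrides:
        findings.append("transport_maps override: ignored, lookups are global")
    # Assumes main.cf sets smtp_sender_dependent_authentication = yes.
    if overrides.get("smtp_sender_dependent_authentication") != "no":
        findings.append("per-sender SASL lookup still enabled on this transport")
    return findings
```

After editing the real table, rebuild it with `postmap /etc/postfix/transport` and confirm the result with the `postmap -q domain1.de hash:/etc/postfix/transport` query suggested in the thread.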


Re: ignore SASL/Auth to specific server (internal exchange relay)

Viktor Dukhovni


> On Dec 12, 2018, at 2:48 PM, Daniel Miller <[hidden email]> wrote:
>
> Not wanting to get in the way of the experts but this may help:

Indeed a nice succinct and accessible answer for non-experts.  Please
don't hesitate to post similarly helpful replies.

> An oversimplified view of the transport map is it tells Postfix what line in master.cf to use for a given recipient domain (or full address).  There's only one transport map but it can have several lines for individual decisions.
>
> Wietse's email told you to perform a command-line test to verify your transport map is set up correctly.  So do that first.
>
> The definitions in master.cf tell Postfix where to listen and where to send the message.  So with an explicit transport mapping, using master.cf you provide explicit overrides to the defaults or global settings from main.cf.  So if the only "special" behavior you need for the exchange transport is no sasl:
>
> exchange  unix -       -       n       -       -       smtp
>  -o smtp_sender_dependent_authentication=no

--
        Viktor.

Re: ignore SASL/Auth to specific server (internal exchange relay)

Stefan Bauer-2
In reply to this post by Daniel L. Miller
Thank you for your help, folks! Yes, that indeed helped to understand the process!


Re: ignore SASL/Auth to specific server (internal exchange relay)

Jan Ceuleers
In reply to this post by Viktor Dukhovni
On 12/12/2018 20:55, Viktor Dukhovni wrote:
>
>> On Dec 12, 2018, at 2:48 PM, Daniel Miller <[hidden email]> wrote:
>>
>> Not wanting to get in the way of the experts but this may help:
> Indeed a nice succinct and accessible answer for non-experts.  Please
> don't hesitate to post similarly helpful replies.
>
Unfortunately that answer has not made it to the list (or at least not yet)

Re: ignore SASL/Auth to specific server (internal exchange relay)

Andrey Repin-2
Greetings, Jan Ceuleers!

> On 12/12/2018 20:55, Viktor Dukhovni wrote:
>>
>>> On Dec 12, 2018, at 2:48 PM, Daniel Miller <[hidden email]> wrote:
>>>
>>> Not wanting to get in the way of the experts but this may help:
>> Indeed a nice succinct and accessible answer for non-experts.  Please
>> don't hesitate to post similarly helpful replies.
>>
> Unfortunately that answer has not made it to the list (or at least not yet)

http://postfix.1071664.n5.nabble.com/ignore-SASL-Auth-to-specific-server-internal-exchange-relay-tp98764p98779.html


--
With best regards,
Andrey Repin
Thursday, December 13, 2018 22:19:58

Sorry for my terrible English...