Hi,
I'm trying to allow all hosts with IP addr. in permit_mynetworks to send e-mails to external domains without authentication. On the other hand, I want to allow sasl-authed clients to send emails to external domains.

I have this:

# grep sasl /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/to_access, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination,
reject_unknown_recipient_domain, check_policy_service
unix:private/policyd-spf
smtpd_sasl_path = smtpd
smtpd_sasl_service = saslauthd
smtpd_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unauth_destination

Hosts in permit_mynetworks can send e-mails without authenticating.
However, authenticated users cannot:

AUTH PLAIN ABCDEFG
235 2.7.0 Authentication successful
MAIL FROM: <[hidden email]>
250 2.1.0 Ok
RCPT TO: <[hidden email]>
554 5.7.1 <[hidden email]>: Relay access denied

What am I doing wrong?

I removed reject_unauth_destination but I'm still getting the same rejection message for authenticated users.

Vieri
Vieri Di Paola:
> Hi,
>
> I'm trying to allow all hosts with IP addr. in permit_mynetworks to
> send e-mails to external domains without authentication. On the other
> hand, I want to allow sasl-authed clients to send emails to external
> domains.
>
> I have this:
>
> # grep sasl /etc/postfix/main.cf
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_sasl_local_domain =
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/to_access, permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination,
> reject_unknown_recipient_domain, check_policy_service
> unix:private/policyd-spf
> smtpd_sasl_path = smtpd
> smtpd_sasl_service = saslauthd
> smtpd_sasl_type = cyrus
> smtp_sasl_auth_enable = yes
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> reject_unauth_destination
>
> Hosts in permit_mynetworks can send e-mails without authenticating.
> However, authenticated users cannot:
>
> AUTH PLAIN ABCDEFG
> 235 2.7.0 Authentication successful
> MAIL FROM: <[hidden email]>
> 250 2.1.0 Ok
> RCPT TO: <[hidden email]>
> 554 5.7.1 <[hidden email]>: Relay access denied
>
> What am I doing wrong?
>
> I removed reject_unauth_destination but I'm still getting the same
> rejection message for authenticated users.
>
> Vieri

Output from "postconf -n" may reveal that your cut-and-paste is
incorrect.

Wietse
On Sun, Oct 4, 2020 at 8:25 PM Wietse Venema <[hidden email]> wrote:
> Output from "postconf -n" may reveal that your cut-and-paste is
> incorrect.

# postconf -n
postconf: warning: /etc/postfix/main.cf, line 746: overriding earlier entry: smtpd_tls_auth_only=yes
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 30240000
meta_directory = /etc/postfix
mydestination =
mydomain = domain.org
myhostname = mail1.domain.org
mynetworks = hash:/etc/postfix/network_table
myorigin = domain.org
newaliases_path = /usr/bin/newaliases
policyd-spf_time_limit = 3600
proxy_interfaces = fo1.domain.org fo2.domain.org fo3.domain.org
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = domain.org domain2.org
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_sasl_auth_enable = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP SRV
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 50
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/to_access, permit_sasl_authenticated, permit_mynetworks, reject_unknown_recipient_domain, check_policy_service unix:private/policyd-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = saslauthd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/from_access, check_policy_service inet:127.0.0.1:10030, reject_rbl_client zen.spamhaus.org, reject_rbl_client backscatter.spameatingmonkey.net, reject_rbl_client bl.spameatingmonkey.net, reject_rhsbl_sender fresh.spameatingmonkey.net, reject_rhsbl_client fresh.spameatingmonkey.net, reject_rhsbl_sender uribl.spameatingmonkey.net, reject_rhsbl_client uribl.spameatingmonkey.net, reject_rhsbl_sender urired.spameatingmonkey.net, reject_rhsbl_client urired.spameatingmonkey.net
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/postfix/mailserver_cert.pem
smtpd_tls_key_file = /etc/ssl/postfix/mailserver_key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
smtputf8_autodetect_classes = verify
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
postconf: warning: /etc/postfix/main.cf: unused parameter: parent_domain_matches_subdomain=debug_peer_list smtpd_access_maps

The warning about smtpd_tls_auth_only is because I need to test with telnet on the smtp port.

Isn't permit_sasl_authenticated supposed to be in smtpd_recipient_restrictions or smtpd_relay_restrictions? Isn't that enough to allow a sasl-authed client to send e-mail to an external domain just as long as it isn't in /etc/postfix/to_access (in my case)?

Testing still shows a reject message:

AUTH PLAIN ABCD
235 2.7.0 Authentication successful
MAIL FROM:<[hidden email]>
250 2.1.0 Ok
RCPT TO:<[hidden email]>
554 5.7.1 <[hidden email]>: Relay access denied

I see that I have reject_unauth_destination in smtpd_sender_restrictions. Also, permit_sasl_authenticated is not present there. Do I need to add permit_sasl_authenticated to both smtpd_sender_restrictions and smtpd_recipient_restrictions?

Thanks,

Vieri
Vieri Di Paola:
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unauth_destination, ...

There is no permit_sasl_authenticated, therefore reject_unauth_destination will deny relay access.

> postconf: warning: /etc/postfix/main.cf: unused parameter:
> parent_domain_matches_subdomain=debug_peer_list smtpd_access_maps

Fix that.

Wietse
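
Added example (not part of the thread, and not Postfix code): a simplified Python model of how smtpd walks its restriction lists at RCPT TO, using the two lists from the postconf -n output above. It shows the authenticated client being rejected in smtpd_sender_restrictions before smtpd_recipient_restrictions is reached. The client dictionaries, the example.net recipient and the CORRECTED list are constructed for illustration, and restrictions other than the three modelled return no decision.

```python
# Added illustration, not Postfix code: a simplified model of how smtpd walks
# its restriction lists at RCPT TO. Only three restrictions are modelled.
RELAY_DOMAINS = {"domain.org", "domain2.org"}  # relay_domains from postconf -n

def check(restriction, client):
    """Return 'permit', 'reject' or None (no decision) for one restriction."""
    if restriction == "permit_mynetworks":
        return "permit" if client["in_mynetworks"] else None
    if restriction == "permit_sasl_authenticated":
        return "permit" if client["sasl_authenticated"] else None
    if restriction == "reject_unauth_destination":
        # Simplification: exact match against relay_domains only.
        domain = client["rcpt"].rsplit("@", 1)[-1].lower()
        return None if domain in RELAY_DOMAINS else "reject"
    return None  # access maps, RBLs, policy services: not modelled

def evaluate(lists, client):
    """The first decision ends a list. A reject from any list rejects the
    recipient; a permit only ends its own list, and later lists still run."""
    for name, restrictions in lists:
        for restriction in restrictions:
            verdict = check(restriction, client)
            if verdict == "reject":
                return ("reject", name, restriction)
            if verdict == "permit":
                break
    return ("permit", None, None)

RECIPIENT = ("smtpd_recipient_restrictions",
             ["check_recipient_access", "permit_sasl_authenticated",
              "permit_mynetworks", "reject_unknown_recipient_domain"])
AS_POSTED = [("smtpd_sender_restrictions",
              ["permit_mynetworks", "reject_unauth_destination"]), RECIPIENT]
# Constructed correction: permit_sasl_authenticated ahead of the reject.
CORRECTED = [("smtpd_sender_restrictions",
              ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination"]), RECIPIENT]

# Constructed clients, all sending to an external recipient.
AUTHED = {"in_mynetworks": False, "sasl_authenticated": True, "rcpt": "user@example.net"}
LAN = {"in_mynetworks": True, "sasl_authenticated": False, "rcpt": "user@example.net"}
STRANGER = {"in_mynetworks": False, "sasl_authenticated": False, "rcpt": "user@example.net"}

if __name__ == "__main__":
    for label, lists in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for who, client in (("authed", AUTHED), ("lan", LAN), ("stranger", STRANGER)):
            print(label, who, evaluate(lists, client))
```

With the corrected sender list the unauthenticated client outside mynetworks is still refused for external recipients, so the change does not open the relay.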