sasl authentication and RCPT TO

Vieri Di Paola
Hi,

I'm trying to allow all hosts with IP addr. in permit_mynetworks to
send e-mails to external domains without authentication. On the other
hand, I want to allow sasl-authed clients to send emails to external
domains.

I have this:

# grep sasl /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/to_access, permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    reject_unknown_recipient_domain, check_policy_service
    unix:private/policyd-spf
smtpd_sasl_path = smtpd
smtpd_sasl_service = saslauthd
smtpd_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination

Hosts in permit_mynetworks can send e-mails without authenticating.
However, authenticated users cannot:

AUTH PLAIN ABCDEFG
235 2.7.0 Authentication successful
MAIL FROM: <[hidden email]>
250 2.1.0 Ok
RCPT TO: <[hidden email]>
554 5.7.1 <[hidden email]>: Relay access denied

What am I doing wrong?

I removed reject_unauth_destination but I'm still getting the same
rejection message for authenticated users.

Vieri

Re: sasl authentication and RCPT TO

Wietse Venema
Vieri Di Paola:

> Hi,
>
> I'm trying to allow all hosts with IP addr. in permit_mynetworks to
> send e-mails to external domains without authentication. On the other
> hand, I want to allow sasl-authed clients to send emails to external
> domains.
>
> I have this:
>
> # grep sasl /etc/postfix/main.cf
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_sasl_local_domain =
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/etc/postfix/to_access, permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination,
>     reject_unknown_recipient_domain, check_policy_service
>     unix:private/policyd-spf
> smtpd_sasl_path = smtpd
> smtpd_sasl_service = saslauthd
> smtpd_sasl_type = cyrus
> smtp_sasl_auth_enable = yes
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination
>
> Hosts in permit_mynetworks can send e-mails without authenticating.
> However, authenticated users cannot:
>
> AUTH PLAIN ABCDEFG
> 235 2.7.0 Authentication successful
> MAIL FROM: <[hidden email]>
> 250 2.1.0 Ok
> RCPT TO: <[hidden email]>
> 554 5.7.1 <[hidden email]>: Relay access denied
>
> What am I doing wrong?
>
> I removed reject_unauth_destination but I'm still getting the same
> rejection message for authenticated users.
>
> Vieri
>
Output from "postconf -n" may reveal that your cut-and-paste is
incorrect.

        Wietse

Re: sasl authentication and RCPT TO

Vieri Di Paola
On Sun, Oct 4, 2020 at 8:25 PM Wietse Venema <[hidden email]> wrote:
>
> Output from "postconf -n" may reveal that your cut-and-paste is
> incorrect.

# postconf -n
postconf: warning: /etc/postfix/main.cf, line 746: overriding earlier entry: smtpd_tls_auth_only=yes
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 30240000
meta_directory = /etc/postfix
mydestination =
mydomain = domain.org
myhostname = mail1.domain.org
mynetworks = hash:/etc/postfix/network_table
myorigin = domain.org
newaliases_path = /usr/bin/newaliases
policyd-spf_time_limit = 3600
proxy_interfaces = fo1.domain.org fo2.domain.org fo3.domain.org
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = domain.org domain2.org
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_sasl_auth_enable = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP SRV
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 50
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/to_access, permit_sasl_authenticated,
    permit_mynetworks, reject_unknown_recipient_domain,
    check_policy_service unix:private/policyd-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = saslauthd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/from_access,
    check_policy_service inet:127.0.0.1:10030,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client backscatter.spameatingmonkey.net,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rhsbl_sender fresh.spameatingmonkey.net,
    reject_rhsbl_client fresh.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/postfix/mailserver_cert.pem
smtpd_tls_key_file = /etc/ssl/postfix/mailserver_key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
smtputf8_autodetect_classes = verify
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
postconf: warning: /etc/postfix/main.cf: unused parameter: parent_domain_matches_subdomain=debug_peer_list smtpd_access_maps


The warning about smtpd_tls_auth_only is because I need to test with
telnet on the smtp port.

Isn't permit_sasl_authenticated supposed to be in
smtpd_recipient_restrictions or smtpd_relay_restrictions?
Isn't that enough to allow a sasl-authed client to send e-mail to an
external domain just as long as it isn't in /etc/postfix/to_access (in
my case)?

Testing still shows a reject message:

AUTH PLAIN ABCD
235 2.7.0 Authentication successful
MAIL FROM:<[hidden email]>
250 2.1.0 Ok
RCPT TO:<[hidden email]>
554 5.7.1 <[hidden email]>: Relay access denied

I see that I have reject_unauth_destination in
smtpd_sender_restrictions. Also, permit_sasl_authenticated is not
present there.

Do I need to add permit_sasl_authenticated to both
smtpd_sender_restrictions and smtpd_recipient_restrictions?

Thanks,

Vieri

Re: sasl authentication and RCPT TO

Wietse Venema
Vieri Di Paola:
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unauth_destination, ...

There is no permit_sasl_authenticated, therefore
reject_unauth_destination will deny relay access.

> postconf: warning: /etc/postfix/main.cf: unused parameter:
> parent_domain_matches_subdomain=debug_peer_list smtpd_access_maps

Fix that.

        Wietse
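The mechanism behind Wietse's diagnosis is that smtpd walks its restriction lists one after another at RCPT TO, and a permit in one list (the permit_sasl_authenticated in smtpd_recipient_restrictions) does nothing for a reject that fires in an earlier list (the reject_unauth_destination in smtpd_sender_restrictions). The model below is an added example written for this page; it is not Postfix code and not something either poster wrote. It parses the two restriction lists from the postconf -n output above (trimmed, and with mydestination and relay_domains as posted), replays the SASL-authenticated, mynetworks and stranger cases against them, and then runs a small lint that generalises the thread's problem to all five lists: any list in which *_unauth_destination can be reached before a permit_sasl_authenticated of the same list. The FIXED configuration is an assumed correction, removing reject_unauth_destination from the sender list so that relay control lives only in smtpd_relay_restrictions (Wietse's suggestion, adding permit_sasl_authenticated in front of it, would pass the same checks); the sessions, the recipient domain example.com and the DUNNO treatment of tables, policy services and DNSBLs are all assumptions of the model.

```python
"""Model of how Postfix smtpd walks its restriction lists at RCPT TO.
Added example for this thread, not Postfix source. Lookup tables, policy
services and DNSBLs are modelled as DUNNO (no opinion) with their argument
skipped; only the restrictions the thread touches are implemented."""
import re

# Lists consulted at RCPT TO, in order, with the default smtpd_delay_reject=yes.
# A PERMIT ends only the list it occurs in; a REJECT ends the whole evaluation.
LIST_ORDER = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
              "smtpd_sender_restrictions", "smtpd_relay_restrictions",
              "smtpd_recipient_restrictions")
RELAY_DEFAULT = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")  # restriction + argument

# Constructed from the postconf -n output in the thread (trimmed): the sender
# list holds reject_unauth_destination with no permit_sasl_authenticated before it.
BROKEN = """\
mydestination =
relay_domains = domain.org domain2.org
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/to_access, permit_sasl_authenticated,
    permit_mynetworks, reject_unknown_recipient_domain,
    check_policy_service unix:private/policyd-spf
smtpd_sender_restrictions = permit_mynetworks,
    reject_unauth_destination, check_sender_access
    hash:/etc/postfix/from_access, check_policy_service
    inet:127.0.0.1:10030, reject_rbl_client zen.spamhaus.org
"""
# Assumed fix: take relay control out of the sender list and keep it only in
# smtpd_relay_restrictions, where permit_sasl_authenticated precedes it.
FIXED = BROKEN.replace("permit_mynetworks,\n    reject_unauth_destination,",
                       "permit_mynetworks,") + """\
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
"""
# Constructed sessions; the external recipient domain is an assumption.
SASL_CLIENT = {"in_mynetworks": False, "sasl": True, "rcpt": "someone@example.com"}
LAN_CLIENT = {"in_mynetworks": True, "sasl": False, "rcpt": "someone@example.com"}
STRANGER = {"in_mynetworks": False, "sasl": False, "rcpt": "someone@example.com"}

def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the
    previous value, as in main.cf (and in postconf -n output)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        current, _, value = raw.partition("=")
        current = current.strip()
        params[current] = value.strip()
    return params

def tokens(params, name, default=""):
    return [t for t in re.split(r"[\s,]+", params.get(name, default)) if t]

def authorized_domains(params):
    """Destinations *_unauth_destination accepts (literal domain lists only)."""
    names = ("mydestination", "relay_domains", "virtual_alias_domains",
             "virtual_mailbox_domains")
    return {d.lower() for n in names for d in tokens(params, n)}

def evaluate_list(toks, session, params):
    """Walk one list left to right; the first PERMIT or REJECT ends the list."""
    i = 0
    while i < len(toks):
        tok = toks[i]
        i += 2 if tok.startswith(TAKES_ARG) else 1   # skip the argument token
        if tok == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT", tok
        if tok == "permit_sasl_authenticated" and session["sasl"]:
            return "PERMIT", tok
        if tok in ("reject_unauth_destination", "defer_unauth_destination"):
            domain = session["rcpt"].rpartition("@")[2].lower()
            if domain not in authorized_domains(params):
                code = "554 5.7.1" if tok.startswith("reject") else "454 4.7.1"
                return "REJECT", f"{code} <{session['rcpt']}>: Relay access denied"
    return "DUNNO", ""

def rcpt_to(cf_text, session):
    """Reply to one RCPT TO, plus the name of the list that rejected, if any."""
    params = parse_main_cf(cf_text)
    for name in LIST_ORDER:
        default = RELAY_DEFAULT if name == "smtpd_relay_restrictions" else ""
        verdict, detail = evaluate_list(tokens(params, name, default), session, params)
        if verdict == "REJECT":
            return detail, name
    return "250 2.1.5 Ok", ""

def unguarded_unauth_destination(cf_text):
    """Lint: lists where *_unauth_destination is reached before any
    permit_sasl_authenticated of the same list (other lists cannot help)."""
    params, hits = parse_main_cf(cf_text), []
    for name in LIST_ORDER:
        toks = tokens(params, name)
        for i, t in enumerate(toks):
            if t.endswith("_unauth_destination"):
                if "permit_sasl_authenticated" not in toks[:i]:
                    hits.append(name)
                break
    return hits

if __name__ == "__main__":
    print(rcpt_to(BROKEN, SASL_CLIENT), rcpt_to(FIXED, SASL_CLIENT))
```

Against BROKEN the SASL session is refused by smtpd_sender_restrictions with the same 554 5.7.1 Relay access denied the thread shows, while mynetworks hosts pass because permit_mynetworks sits in front of the reject in that list; against FIXED the SASL session is permitted and a stranger is still refused, now by smtpd_relay_restrictions. On a real box the check worth keeping is the lint: feed it `postconf -n` output (same name = value syntax) and it names every list in which an authenticated user is treated like an unknown client.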