smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

meyer-jordan
Hi there!

Can someone give me a hint:

I've two postfix servers which both have two NICs, one with an official IP to the internet, and one with a private IP to the internal LAN.

I want to permit SMTP from the outside via submission port with SMTP Auth. It runs as expected with the older 2.0.18 server (see master.cf snippet below) with internal and external clients. But with the newer 2.3.8 server it only runs with external clients.

I get "554 5.7.1 <unknown[PRIVATE-IP]>: Client host rejected: Access denied; from= [...]". (The client didn't reach SASL authentication state.)

I have to add "permit_mynetworks" as first item to smtpd_client_restrictions to send with internal clients. "permit_sasl_authenticated" should be enough, in my opinion - especially because it runs for external internet clients which are not members of $mynetworks.

Where's my mistake?


Possibly there's some preferred rule at the older 2.0.18 system, which will permit $mynetworks (internal LAN) clients before master.cf's submission "smtpd_client_restrictions=permit_sasl_authenticated,reject" can take effect?


-------------------------------------------------------------------------------------
Postfix 2.3.8

master.cf
[...]
submission inet n - - - - smtpd
  [...]
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  [...]

-------------------------------------------------------------------------------------
Postfix 2.0.18

master.cf
[...]
submission inet n - - - - smtpd -o cleanup_service_name=pre-cleanup
  [...]
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  [...]
-------------------------------------------------------------------------------------


Thanks,
  Hasso

Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

Noel Jones-2
[hidden email] wrote:

> Hi there!
>
> Can someone give me a hint:
>
> I've two postfix servers which both have two NICs, one with an official IP to the internet, and one with a private IP to the internal LAN.
>
> I want to permit SMTP from the outside via submission port with SMTP Auth. It runs like expected with the older 2.0.18 server (see master.cf snippet below) with internal and external clients. But
> with the newer 2.3.8 server it only runs with external clients.
>
> I get "554 5.7.1 <unknown[PRIVATE-IP]>: Client host rejected: Access denied; from= [...]". (The client didn't reach SASL authentication state.)
>
> I've to add "permit_mynetworks" as first item to smtpd_client_restrictions to send with internal clients. "permit_sasl_authenticated" should be enough, in my opinion - especially because it runs for
> external internet clients which are not member of $mynetworks.
>
> Where's my mistake?

Your error report is inconsistent with how postfix works,
which usually means the actual configuration isn't what you
think it is.

Please post "postconf -n" output, master.cf contents, and log
entries from the non-working system.  It's best if you post
unaltered entries, if you must alter entries, do so coherently.

   -- Noel Jones

Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

meyer-jordan
Hi Noel!

> Your error report is inconsistent with how postfix works,
> which usually means the actual configuration isn't what you
> think it is.
>
> Please post "postconf -n" output, master.cf contents, and log
> entries from the non-working system.  It's best if you post
> unaltered entries, if you must alter entries, do so coherently.

Thank you for your answer!

You are right with your demands, of course!

Nevertheless it seems to be too costly to analyze a complete configuration for this limited problem, I think. - I would be happy about a hint where I should look - please don't bother with a complete solution.


So I'll try to explain more simply:

official-IP --- postfix-server --- internal-IP (internal subnet) --- router --- other-internal-IP (other internal subnet)
                                                         |___ client with trouble                                           |____ client without trouble

I want to send mail via submission port with SMTP Auth (with SASL backend) only.

I have to add "permit_mynetworks" into master.cf at the submission entry or remove my internal private subnet (192.168.1.0/24) from $mynetworks in main.cf to avoid "554 5.7.1 <unknown[192.168.1.101]>: Client host rejected: Access denied; from= [...]" during sending attempts from internal subnet clients.

Sending from external clients and further internal subnets (which aren't directly connected to the internal NIC and not in $mynetworks) runs without problems.

------------------------------------------------------------------------------------
Postfix 2.3.8
With this submission smtpd_client_restrictions entry I'm not able to send mails to postfix from internal subnet clients (subnet which is directly connected to the internal postfix server NIC) - with Postfix 2.0.18 it worked:

master.cf
[...]
submission inet n - - - - smtpd
  [...]
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  [...]
-------------------------------------------------------------------------------------


Thanks,
   Hasso

Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

Noel Jones-2
[hidden email] wrote:

> Hi Noel!
>
>> Your error report is inconsistent with how postfix works,
>> which usually means the actual configuration isn't what you
>> think it is.
>>
>> Please post "postconf -n" output, master.cf contents, and log
>> entries from the non-working system.  It's best if you post
>> unaltered entries, if you must alter entries, do so coherently.
>
> Thank you for your answer!
>
> You are right with your demands, of course!
>
> Nevertheless it seems to be too costly to analyze a complete configuration for this limited problem, I think. - I would be happy about a hint where I should have to look for - please don't bother for
> a complete solution.
>
>
> So I'll try to explain more easy:
>
> official-IP --- postfix-server --- internal-IP (internal subnet) --- router --- other-internal-IP (other internal subnet)
>                                                          |___ client with trouble                                           |____ client without trouble
>
> I want to send mail via submission port with SMTP Auth (with SASL backend) only.
>
> I've to add "permit_mynetworks" into master.cf at submission entry or to remove my internal private subnet (192.168.1.0/24) from $mynetworks in main.cf to avoid "554 5.7.1 <unknown[192.168.1.101]>:
> Client host rejected: Access denied; from= [...]" while sending attempts from internal subnet clients.
>

Your problem report is inconsistent with how postfix works.
Postfix works as documented.  Differences from prior versions
are carefully listed in the RELEASE_NOTES.

Likely your error can be spotted quickly if you post the
requested information.

Postfix is documented here:
http://www.postfix.org/documentation.html

Without proper evidence, we're reduced to guessing.  My best
guess based on the information provided is that either the
reported configuration doesn't match the actual configuration,
or the reported behavior doesn't match the actual behavior.

Here's a wild guess.  Don't change the default setting of
smtpd_delay_reject = yes

Any further help will require evidence of postfix's
configuration and behavior as requested.

   -- Noel Jones

> Sending from external clients and further internal subnets (which aren't directly connected to the internal NIC and not in $mynetworks) runs without problems.
>
> ------------------------------------------------------------------------------------
> Postfix 2.3.8
> With this submission smtpd_client_restrictions entry I'm not able to send mails to postfix from internal subnet clients (subnet which is directly connected to the internal postfix server NIC) - with
> Postfix 2.0.18 it worked:
>
> master.cf
> [...]
> submission inet n - - - - smtpd
>   [...]
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   [...]
> -------------------------------------------------------------------------------------
>
>
> Thanks,
>    Hasso
>

Re: smtpd_client_restrictions: "permit_mynetworks" additionally necessary!?

meyer-jordan
Hi Noel!

Thank you for your further answer!
(You are right with the demand of sending configs to end guessing, of course!)

Because of your persistently drawing I was encouraged to look for other reasons than the obvious ones. And I found my mistake, after all. Thank you!


I used to set smtpd_sasl_exceptions_networks to $mynetworks because internal clients shouldn't be bothered by the introduction of optional SMTP Auth at the SMTP port (25) during first tests some months ago.
I'd overlooked that it was still active - and it prevents $mynetworks clients from authenticating with SMTP Auth even at all ports, of course.


Regards,
    Hasso
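
The interaction identified at the end of this thread, as an added example that is not part of any post: a simplified Python model (not Postfix code) of how a network listed in smtpd_sasl_exceptions_networks never authenticates, so "permit_sasl_authenticated,reject" falls through to "reject". The function names and the addresses 192.168.2.50 and 203.0.113.10 are constructed for illustration; 192.168.1.0/24 and 192.168.1.101 are from the thread.

```python
import ipaddress

def in_nets(ip, nets):
    """True if ip falls inside any CIDR network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def submission_outcome(client_ip, has_credentials, restrictions,
                       mynetworks, sasl_exceptions):
    """Simplified model of one smtpd_client_restrictions evaluation.

    Clients matching sasl_exceptions (smtpd_sasl_exceptions_networks)
    cannot authenticate, so they can never satisfy
    permit_sasl_authenticated, whatever credentials they hold.
    """
    auth_available = not in_nets(client_ip, sasl_exceptions)
    authenticated = auth_available and has_credentials
    for rule in (r.strip() for r in restrictions.split(",")):
        if rule == "permit_mynetworks" and in_nets(client_ip, mynetworks):
            return "permit"
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "reject":
            return "reject"   # logged as "Client host rejected: Access denied"
    return "dunno"            # no rule matched; this list makes no decision

# Constructed settings mirroring the thread: exceptions left at $mynetworks.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]
SUBMISSION = "permit_sasl_authenticated,reject"

def demo():
    """Outcomes for the three kinds of client described in the thread."""
    clients = {
        "internal": "192.168.1.101",   # directly attached subnet, in $mynetworks
        "routed":   "192.168.2.50",    # other internal subnet (constructed)
        "external": "203.0.113.10",    # internet client (constructed)
    }
    return {name: submission_outcome(ip, True, SUBMISSION,
                                     MYNETWORKS, MYNETWORKS)
            for name, ip in clients.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

Passing an empty list as `sasl_exceptions` with the same restrictions permits the internal client, which corresponds to clearing the leftover setting instead of adding permit_mynetworks to the submission service.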