trusted access and authenticated access

trusted access and authenticated access

Charles Account

Hi,

I am trying to configure my postfix server to allow two types of users: trusted and authenticated.
The trusted users are sending from a set of IP addresses and I don't require them to authenticate
since this has occurred upstream.
The authenticated users are using third-party clients like t-bird.

I am running into a problem where the trusted clients are being rejected on the mail from command.
I suspect this is because of the reject_sender_login_mismatch configuration which to my understanding
is required for authenticated clients.

When I add 'smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3', postfix for those systems no longer
advertises the authentication capability. However, I get an error on 'mail from' command -
'Sender address rejected: not logged in'.

How can I configure postfix to support both types of users?

command_directory = /opt/zimbra/postfix-2.5.1/sbin
config_directory = /opt/zimbra/postfix-2.5.1/conf
daemon_directory = /opt/zimbra/postfix-2.5.1/libexec
data_directory = /opt/zimbra/postfix-2.5.1/data
debug_peer_level = 2
disable_vrfy_command = no
html_directory = no
mail_name = MUA Interface
mail_owner = postfix
mailq_path = /opt/zimbra/postfix-2.5.1/sbin/mailq
manpage_directory = /opt/zimbra/postfix-2.5.1/man
message_size_limit = 23000000
mydestination =
mynetworks =
newaliases_path = /opt/zimbra/postfix-2.5.1/sbin/newaliases
queue_directory = /opt/zimbra/postfix-2.5.1/spool
readme_directory = no
sample_directory = /opt/zimbra/postfix-2.5.1/conf
sendmail_path = /opt/zimbra/postfix-2.5.1/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender, reject_sender_login_mismatch, check_sender_access ldap:/opt/zimbra/conf/ldap-sender.cf, reject
smtpd_tls_CAfile = /opt/zimbra/conf/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
unknown_local_recipient_reject_code = 550
virtual_transport = error


Any help is greatly appreciated.

Charles




Re: trusted access and authenticated access

mouss-2
Charles Account wrote:
> Hi,
>
> I am trying to configure my postfix server to allow two types of users: trusted and authenticated.
> The trusted users are sending from a set of IP addresses and I don't require them to authenticate
> since this has occurred upstream.

For these you need permit_mynetworks if they are allowed to relay. If
they are not, set up a check_client_access to allow them.


> The authenticated users are using third-party clients like t-bird.
>

So this server doesn't receive mail from the "public" internet, right?
In short, it is not an MX.

> I am running into a problem where the trusted clients are being rejected on the mail from command.
> I suspect this is because of the reject_sender_login_mismatch configuration which to my understanding
> is required for authenticated clients.
>
> When I add 'smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3', postfix for those systems no longer
> advertises the authentication capability. However, I get an error on 'mail from' command -
> 'Sender address rejected: not logged in'.
>
> How can I configure postfix to support both types of users?
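
Added example, not part of either post and not Postfix code: a simplified Python model of first-match evaluation over the sender restriction list from the question, showing why the trusted client gets "not logged in" and how permit_mynetworks placed ahead of reject_sender_login_mismatch changes the outcome. The map entries, the example.com addresses, the 198.51.100.7 client and the BEFORE/AFTER lists (narrowed to the rules that matter here) are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for the LDAP maps on the page (hypothetical entries).
SENDER_LOGIN_MAPS = {"alice@example.com": {"alice"}}  # sender -> SASL owners
SENDER_ACCESS = {"alice@example.com": "OK"}           # check_sender_access map

# Sender restrictions narrowed to the rules relevant to this problem.
BEFORE = ["reject_sender_login_mismatch", "check_sender_access", "reject"]
AFTER = ["permit_mynetworks"] + BEFORE
TRUSTED = ["2.2.2.2", "3.3.3.3"]  # the upstream relays from the question

def login_mismatch(sender, login):
    """Model of reject_sender_login_mismatch; None means no decision."""
    owners = SENDER_LOGIN_MAPS.get(sender)
    if login is None:
        # Unauthenticated client using an address that has an owner.
        return "REJECT not logged in" if owners else None
    if not owners or login not in owners:
        return "REJECT not owned by user " + login
    return None

def evaluate(restrictions, client_ip, login, sender, mynetworks):
    """First decisive result wins; an undecided rule falls through."""
    ip = ipaddress.ip_address(client_ip)
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "OK"
        elif rule == "reject_sender_login_mismatch":
            result = login_mismatch(sender, login)
            if result:
                return result
        elif rule == "check_sender_access":
            if sender in SENDER_ACCESS:
                return SENDER_ACCESS[sender]
        elif rule == "reject":
            return "REJECT"
    return "OK"  # end of list reached: implicit permit

if __name__ == "__main__":
    for name, rules, nets in (("before", BEFORE, []), ("after", AFTER, TRUSTED)):
        print(name, evaluate(rules, "2.2.2.2", None, "alice@example.com", nets))
```

In this model the trusted relay is permitted only once mynetworks actually lists it (it is empty in the posted configuration), while unauthenticated clients elsewhere and authenticated users sending as someone else's address are still rejected. The recipient restriction list in the question also contains reject_sender_login_mismatch, so the same ordering question applies there.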