From: "Andrew G. Grant" on
Jose,

Unfortunately, looking at another server OS doesn't help me to find the
answer to this question. But thank you for the suggestion.

I am still trying to find out how Apple OS X Server 10.6.3
(Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
SASL access Open Directory's LDAP when Postfix isn't compiled
on my system to use LDAP library types?

This all revolves around finding a way to use:
reject_sender_login_mismatch on smtpd_sender_restrictions
without having to keep a separate smtpd_sender_login_maps
hash file updated.

Currently, I believe SASL is using Open Directory to reference
User Name and Password information for SASL to work, as I haven't
duplicated this information anywhere.

Since my Postfix is not compiled to use LDAP, how is SASL accessing
Open Directory information?

If SASL can access Open Directory, why can't Postfix access Open Directory
to lookup smtpd_sender_login_maps?

Postconf -m:
btree
cidr
environ
hash
pcre
proxy
regexp
static
unix

Postconf -n:
2bounce_notice_recipient = mail-notification
biff = no
bounce_notice_recipient = mail-notification
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_notice_recipient = mail-notification
delay_warning_time = 1h
enable_server_options = yes
error_notice_recipient = mail-notification
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = local
mydomain_fallback = localhost
myhostname = mail.caddock.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
notify_classes = policy, protocol, resource, software
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.caddock.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_pw_server_security_options = cram-md5, gssapi
smtpd_recipient_restrictions = permit_sasl_authenticated check_recipient_access hash:/etc/postfix/classes/restricted_recipients_list check_sender_access hash:/etc/postfix/classes/restricted_senders_list reject_unauth_pipelining reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_restriction_classes = restricted_recipients_list, restricted_senders_list, mgmt_sender_access, everyone_sender_access, notify_sender_access, aeclerk_sender_access, send_only_list, internal_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/classes/sender_login_names
smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.caddock.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =

From: Jose Ildefonso Camargo Tolosa on
Greetings,

On Thu, Jun 17, 2010 at 10:00 AM, Andrew G. Grant
<andrew.grant(a)caddock.com> wrote:
> Jose,
>
> Unfortunately, looking at another server OS doesn't help me to find the
> answer to this question. But thank you for the suggestion.

I know, but it would simplify your life.

>
> I am still trying to find out how Apple OS X Server 10.6.3
> (Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
> ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
> SASL access Open Directory's LDAP when Postfix isn't compiled
> on my system to use LDAP library types?

Postfix doesn't do SASL on its own; it depends on Dovecot or Cyrus.
Just read here:

http://www.postfix.org/SASL_README.html

>
> This all revolves around finding a way to use:
> reject_sender_login_mismatch on smtpd_sender_restrictions
> without having to keep a separate smtpd_sender_login_maps
> hash file updated.

If you want to be able to use Postfix with LDAP tables, you *must*
have the LDAP support. Of course, Postfix supports a "plug-in"
architecture, so it is likely that you just need to add the LDAP
part. As for Mac: I don't know exactly how to do it, but in the worst
case, it would involve recompiling Postfix (or, maybe,
compiling the plug-in). I don't know how to do it, because I use
Debian, and I just had to install the package postfix-ldap, and
everything was just fine after that.

>
> Currently, I believe SASL is using Open Directory to reference
> User Name and Password information for SASL to work, as I haven't
> duplicated this information anywhere.
>
> Since my Postfix is not compiled to use LDAP, how is SASL accessing
> Open Directory information?

By default this uses Cyrus SASL, so you should check for it on your system.

>
> If SASL can access Open Directory, why can't Postfix access Open Directory
> to lookup smtpd_sender_login_maps?
>

I hope this helps,

Ildefonso Camargo
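
Added example, not part of either message: a shell check of whether the table types named in a *_maps value (such as smtpd_sender_login_maps) are in the build's "postconf -m" list. The type list is copied from the first message; the ldap: file name in the usage note is a hypothetical placeholder.

```sh
#!/bin/sh
# Added example: the type list below is copied from the thread's postconf -m.

# Map types reported by "postconf -m" in the first message (no "ldap" entry).
SUPPORTED_TYPES="btree cidr environ hash pcre proxy regexp static unix"

# map_type_supported TYPE [LIST]: succeed if TYPE is in LIST
# (LIST defaults to SUPPORTED_TYPES; newline-separated lists work too).
map_type_supported() {
    want=$1
    for t in ${2:-$SUPPORTED_TYPES}; do
        [ "$t" = "$want" ] && return 0
    done
    return 1
}

# unsupported_types VALUE [LIST]: VALUE is the right-hand side of a *_maps
# parameter (type:name entries separated by commas or whitespace).
# Prints each table type the build cannot open, one per line.
unsupported_types() {
    for entry in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $entry in
            *:*) ;;
            *) continue ;;          # not a type:name entry
        esac
        mtype=${entry%%:*}
        rest=${entry#*:}
        map_type_supported "$mtype" "$2" || printf '%s\n' "$mtype"
        # proxy:TYPE:name is opened by proxymap(8), so the inner TYPE must
        # be compiled in as well; "proxy" being listed is not enough.
        if [ "$mtype" = proxy ]; then
            case $rest in
                *:*) map_type_supported "${rest%%:*}" "$2" ||
                         printf '%s\n' "${rest%%:*}" ;;
            esac
        fi
    done
}

# On a live host, pass the real values instead of the constructed list:
#   unsupported_types "$(postconf -h smtpd_sender_login_maps)" "$(postconf -m)"
```

With the thread's list, the existing hash: map passes, while ldap:/etc/postfix/ldap-sender-login.cf (hypothetical file name) and its proxy:ldap: form are both reported as unsupported.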