From: Sahil Tandon on
On Fri, 2010-07-09 at 12:20:12 +0200, David Jacobson wrote:

> I appreciate your response, however if you read my original message
> you will notice that we have had a look at all support
> smtp_sasl_password_maps options and it only allows for the following
> scenario according to the docs:
>
> 1) use SMTP auth for _destination_ mail server
> 2) use SMTP auth PER _email address_ to destination mail server
>
> It does not allow for SMTP auth per _sending domain_
>
> Option 2 will give desired results but is a nightmare to manage
> individual email addresses in the file, we just want to say
> *@sendingdomain.com uses auth.

Have you explored PCRE to match *@example.org on the LHS of
smtp_sasl_password_maps?

--
Sahil Tandon <sahil(a)FreeBSD.org>

From: David Jacobson on


Hi Sahil,

We tried PCRE matches to no avail. Based on your request we tried to change sasl_passwd lookup from hash to pcre (I'm no postfix guy, so have no idea if this should work or not, but postfix restart didn't complain)

smtp_sasl_password_maps = pcre:/opt/zimbra/postfix/conf/sasl_passwd

Then in sasl_passwd tried various combinations including:

/@domain\.com$/ username:password

And it did not work, please advise what you mean? It just seems like SASL doesn't support PCRE.

Thanks!

David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj(a)synaq.com
Web: www.synaq.com

Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton
From: David Jacobson on


Hi There,

Just for the sake of clarification we've found what we're looking for, PCRE was not required.

We simply made smtp_sender_dependent_authentication = yes then sasl_passwd could accept @domain.com - took us now 2 days to figure this one out.

Thanks for everyone's assistance anyway.

David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj(a)synaq.com
Web: www.synaq.com


Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton

From: Victor Duchovni on
On Fri, Jul 09, 2010 at 04:12:41PM +0200, David Jacobson wrote:

> We tried PCRE matches to no avail. Based on your request we tried to change sasl_passwd lookup from hash to pcre (I'm no postfix guy, so have no idea if this should work or not, but postfix restart didn't complain)
>
> smtp_sasl_password_maps = pcre:/opt/zimbra/postfix/conf/sasl_passwd

This is documented (clearly I might add) to use the nexthop gateway
as the lookup key, unless you have followed the directions in:

http://www.postfix.org/SOHO_README.html#client_sasl_sender

to enable per-sender passwords, in which case the lookup key is the
sender address (and then the nexthop as a default fallback).

>
> Then in sasl_passwd tried various combinations including:
>
> /@domain\.com$/ username:password

This won't match the nexthop, if you have not enabled per sender
password lookups.

http://www.postfix.org/postconf.5.html#smtp_sender_dependent_authentication

--
Viktor.

From: Sahil Tandon on
On Fri, 2010-07-09 at 16:12:41 +0200, David Jacobson wrote:

[ .. ]

> It just seems like SASL doesn't support PCRE.

The statement does not make sense.

> Just for the sake of clarification we've found what we're looking for,
> PCRE was not required.

PCRE is not *required*, but it would be fine if you followed the
documentation.

> We simply made smtp_sender_dependent_authentication = yes then
> sasl_passwd could accept @domain.com - took us now 2 days to figure
> this one out.

Why 2 days? You were linked to the documentation for
smtp_sasl_password_maps, and there, following the first comma: "or
sender address **WHEN** sender-dependent authentication is enabled"

--
Sahil Tandon <sahil(a)FreeBSD.org>
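
The lookup-key behaviour discussed in this thread, as an added example that is not part of any post and is not Postfix code: a simplified Python model of which key smtp_sasl_password_maps is queried with, showing why the `/@domain\.com$/` pattern never matched until smtp_sender_dependent_authentication was enabled. The nexthop, sender address and table model are constructed, and retrying with `@domain` only for hash tables is an assumption of the model.

```python
import re

# Constructed sample values (not from the thread).
NEXTHOP = "[relay.example.net]:587"
SENDER = "alice@domain.com"

def lookup(table, key):
    """Query one modelled table: ("hash", dict) or ("pcre", [(regex, value)])."""
    kind, entries = table
    if kind == "hash":
        return entries.get(key.lower())      # exact-match key only
    for pattern, value in entries:           # pcre: first matching rule wins
        if re.search(pattern, key, re.IGNORECASE):
            return value
    return None

def sasl_credentials(table, sender, nexthop, sender_dependent):
    """Return (matching_key, credentials), or (None, None) for no SASL login."""
    keys = []
    if sender_dependent:
        keys.append(sender)                  # full sender address first
        # Assumption of this model: @domain retry only for indexed tables;
        # a pattern table is simply given the full address.
        if table[0] == "hash":
            keys.append("@" + sender.rpartition("@")[2])
    keys.append(nexthop)                     # default key and final fallback
    for key in keys:
        value = lookup(table, key)
        if value is not None:
            return key, value
    return None, None

PCRE_TABLE = ("pcre", [(r"@domain\.com$", "username:password")])
HASH_TABLE = ("hash", {"@domain.com": "username:password"})

if __name__ == "__main__":
    for name, table in (("pcre", PCRE_TABLE), ("hash", HASH_TABLE)):
        for enabled in (False, True):
            print(name, enabled, sasl_credentials(table, SENDER, NEXTHOP, enabled))
```

With the setting off, both tables return no credentials because the only key tried is the nexthop; with it on, the sender address is tried first and either table format matches.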