From: David Jacobson on


Hi There,

First post to postfix mailing list, be nice... ;)

Postfix 2.6.6.2z

We have a hosted mail platform with 100's of companies, some companies require our MTA to talk to a smarthost for their domain with authentication.

As per SASL_README

The above can be achieved with something like this :

/etc/postfix/sasl_passwd:
# destination credentials
[mail.isp.example] username:password
# Alternative form:
# [mail.isp.example]:submission username:password

The problem with the above is it will use the auth details when talking to mail.isp.example for ALL companies which is not what we want, we want to simply state that the recipient domain x.com uses auth and no one else.

The above method doesn't help us as we can't have anyone who mails mail.isp.example to use that client's auth details.

As per http://www.postfix.org/SASL_README.html#client_sasl_sender

We can do what we want to achieve on a per sender basis which would give the desired results we are looking for, however this becomes a problem for us in terms of managing users in this file when new users are created/removed etc - we would prefer not to write scripts to try and manage this, it will get messy.

So, my question is with SASL Authentication, can we do SMTP AUTH on a per sender domain basis and not on a per destination host basis nor a per user basis?

I'm not quite sure why we can't do something simple like @domain.com or *@domain.com if per sender works fine.

I do understand that this is not Postfix specific as it's based on how Cyrus SASL works, but find it crazy that an option like this is not possible.

Any assistance in this regard would be highly appreciated.

David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj(a)synaq.com
Web: www.synaq.com

Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton
From: Noel Jones on
On 7/8/2010 8:24 AM, David Jacobson wrote:
> Hi There,
>
> First post to postfix mailing list, be nice... ;)
>
> Postfix 2.6.6.2z
>
> We have a hosted mail platform with 100's of companies, some
> companies require our MTA to talk to a smarthost for their
> domain with authentication.
>
> As per SASL_README
>
> The above can be achieved with something like this :
>
> /etc/postfix/sasl_passwd:
> # destination credentials
> [mail.isp.example] username:password
> # Alternative form:
> # [mail.isp.example]:submission username:password
>
> The problem with the above is it will use the auth details
> when talking to mail.isp.example for ALL companies which is
> not what we want, we want to simply state that the recipient
> domain x.com uses auth and no one else.
>
> The above method doesn't help us as we can't have anyone who
> mails mail.isp.example to use that client's auth details.
>
> As per http://www.postfix.org/SASL_README.html#client_sasl_sender
>
> We can do what we want to achieve on a per sender basis which
> would give the desired results we are looking for, however
> this becomes a problem for us in terms of managing users in
> this file when new users are created/removed etc - we would
> prefer not to write scripts to try and manage this, it will
> get messy.
>
> So, my question is with SASL Authentication, can we do SMTP
> AUTH on a per sender domain basis and not on a per destination
> host basis nor a per user basis?
>
> I'm not quite sure why we can't do something simple like
> @domain.com or *@domain.com if per sender works fine.

Now would be a good time to read
http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps



-- Noel Jones

From: David Jacobson on


From: "Noel Jones" <njones(a)megan.vbhcs.org>
To: postfix-users(a)postfix.org
Sent: Thursday, July 8, 2010 5:04:07 PM
Subject: Re: SASL Authentication per recipient domain

Now would be a good time to read
http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps



-- Noel Jones

Hi Noel,

Thanks for the response. We are already using sender_dependent_relayhost_maps; the problem is that, from what we can see, you cannot specify sender-dependent SASL passwords, which is our original problem and exactly what we are after.

Please let me know if we are wrong here?

Cheers

David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj(a)synaq.com
Web: www.synaq.com

Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton
From: Jerry on
On Fri, 9 Jul 2010 09:36:56 +0200 (SAST)
David Jacobson <davidj(a)synaq.com> articulated:

> Hi Noel,
>
> Thanks for the response. We are already using sender_dependent_relayhost_maps; the problem is that, from what we can see, you cannot specify sender-dependent SASL passwords, which is our original problem and exactly what we are after.
>
> Please let me know if we are wrong here?

Could this be what you are looking for:

http://www.postfix.com/postconf.5.html#smtp_sasl_password_maps

--
Jerry ✌
postfix-user(a)seibercom.net

_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

We are all born equal... just some of us are more equal than others.

From: David Jacobson on


From: "Jerry" <postfix-user(a)seibercom.net>
To: postfix-users(a)postfix.org
Sent: Friday, July 9, 2010 11:40:11 AM
Subject: Re: SASL Authentication per recipient domain

Could this be what you are looking for:

http://www.postfix.com/postconf.5.html#smtp_sasl_password_maps

--
Jerry ✌
postfix-user(a)seibercom.net

Hi Jerry,

I appreciate your response, however if you read my original message you will notice that we have had a look at all supported smtp_sasl_password_maps options and it only allows for the following scenarios according to the docs:

1) use SMTP auth for _destination_ mail server
2) use SMTP auth PER _email address_ to destination mail server

It does not allow for SMTP auth per _sending domain_

Option 2 will give desired results but is a nightmare to manage individual email addresses in the file, we just want to say *@sendingdomain.com uses auth.

We primarily use Exim and are used to the extreme flexibility of configuration around Exim, which can easily do the above, and are finding it hard to do what I believe is basic virtual domain configuration with Postfix. We would normally switch to Exim, but for this instance we have to use Postfix.

Best,

David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj(a)synaq.com
Web: www.synaq.com

Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton
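
The goal described in this thread (credentials selected by sending domain, not by destination host or by individual address), as an added configuration sketch that is not from any poster here. It swaps the hash table for a regexp table, which the thread does not mention, and assumes that with smtp_sender_dependent_authentication enabled the password map is queried with the full envelope sender address; the file name sasl_passwd_regexp is made up, and sendingdomain.com and mail.isp.example are the thread's own placeholders.

```conf
# ---- /etc/postfix/main.cf ----
smtp_sasl_auth_enable = yes
# Look up credentials by envelope sender before falling back to the destination.
smtp_sender_dependent_authentication = yes
# Noel's pointer: pick the smarthost per sender. This map accepts @domain keys.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
# Jerry's pointer, but backed by a regexp table (assumed file name) so that
# one pattern can cover every address in a sending domain.
smtp_sasl_password_maps = regexp:/etc/postfix/sasl_passwd_regexp

# ---- /etc/postfix/sender_relay ----   (then run: postmap /etc/postfix/sender_relay)
# Only mail from this tenant is routed to the authenticated smarthost.
@sendingdomain.com      [mail.isp.example]:submission

# ---- /etc/postfix/sasl_passwd_regexp ----   (read as plain text, no postmap step)
# Assumption: the lookup key is the full sender address, so the pattern is
# matched against strings such as "alice@sendingdomain.com".
# Escape the dots and keep the trailing "$": without them a look-alike such
# as "user@sendingdomain.com.other.example" would also receive the credentials.
/@sendingdomain\.com$/  username:password

# Deliberately absent: a "[mail.isp.example]" destination key. That entry is
# what made every tenant relaying to mail.isp.example authenticate with this
# one client's credentials in the per-destination setup from the first post.
```

Confirm what a given sender resolves to with `postmap -q 'user@sendingdomain.com' regexp:/etc/postfix/sasl_passwd_regexp` and repeat the query with a sender from another tenant, which should return nothing. The regexp file holds cleartext passwords, so keep it owned by root with mode 0600.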