From: Larry Stone on
On Tue, 8 Jun 2010, Phil Howard wrote:

> On Fri, Jun 4, 2010 at 18:31, Sahil Tandon <sahil(a)freebsd.org> wrote:
>> On Fri, 04 Jun 2010, Dan Burkland wrote:
>>
>>> Relevant configuration entries:
>>>
>>> -------main.cf--------
>>> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>>        ^^^^^^^^^
>>
>>> -------master.cf-------
>>> submission    inet    n       -       n       -       -       smtpd
>>>       -o smtpd_enforce_tls=yes
>>>       -o smtpd_sasl_auth_enable=yes
>>>       -o smtpd_sasl_type=dovecot
>>>       -o smtpd_sasl_path=private/auth
>>>       -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>>                 ^^^^^^
>>
>> You might have incorrectly assumed that if one restriction list
>> evaluates to OK, that the following restriction lists are skipped.  This
>> is not the case.  You OK the SASL authenticated client in
>> smtpd_client_restrictions, but then smtpd_recipient_restrictions are
>> still evaluated based on the definition in main.cf.  For a better
>> understanding, review SMTPD_ACCESS_README.
>
> I'm assuming that:
>
> -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>
> is intended to be:
>
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>

Phil, you're not getting what people are trying to tell you. Your entry
in master.cf for submission overrides smtpd_CLIENT_restrictions. You are
not overriding smtpd_RECIPIENT_restrictions so the
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
in main.cf is still applied. And that says if it's not mynetworks,
reject. SASL authentication is never looked at in that restriction.

-- Larry Stone
lstone19(a)stonejongleux.com
From: Dan Burkland on
Using all of your helpful suggestions I was able to properly configure my Postfix server. The purpose behind master.cf makes a bit more sense now after reading your replies. Thanks again!

Dan

From: Phil Howard on
On Tue, Jun 8, 2010 at 09:47, Larry Stone <lstone19(a)stonejongleux.com> wrote:
> On Tue, 8 Jun 2010, Phil Howard wrote:
>
>> On Fri, Jun 4, 2010 at 18:31, Sahil Tandon <sahil(a)freebsd.org> wrote:
>>>
>>> On Fri, 04 Jun 2010, Dan Burkland wrote:
>>>
>>>> Relevant configuration entries:
>>>>
>>>> -------main.cf--------
>>>> smtpd_recipient_restrictions = permit_mynetworks,
>>>> reject_unauth_destination
>>>
>>>        ^^^^^^^^^
>>>
>>>> -------master.cf-------
>>>> submission    inet    n       -       n       -       -       smtpd
>>>>       -o smtpd_enforce_tls=yes
>>>>       -o smtpd_sasl_auth_enable=yes
>>>>       -o smtpd_sasl_type=dovecot
>>>>       -o smtpd_sasl_path=private/auth
>>>>       -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>>>
>>>                 ^^^^^^
>>>
>>> You might have incorrectly assumed that if one restriction list
>>> evaluates to OK, that the following restriction lists are skipped.  This
>>> is not the case.  You OK the SASL authenticated client in
>>> smtpd_client_restrictions, but then smtpd_recipient_restrictions are
>>> still evaluated based on the definition in main.cf.  For a better
>>> understanding, review SMTPD_ACCESS_README.
>>
>> I'm assuming that:
>>
>>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>>
>> is intended to be:
>>
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>
>
> Phil, you're not getting what people are trying to tell you. Your entry in
> master.cf for submission overrides smtpd_CLIENT_restrictions. You are not
> overriding smtpd_RECIPIENT_restrictions so the smtpd_recipient_restrictions
> = permit_mynetworks, reject_unauth_destination
> in main.cf is still applied. And that says if it's not mynetworks, reject.
> SASL authentication is never looked at in that restriction.

Did you even look at what I posted? There is no config item called
"smtpd_client_restrictions_permit_sasl_authenticated". I wasn't
talking about smtpd_recipient_restrictions at all. I guess this is
the confusion that happens in threads when there are 2 or more errors.

From: Larry Stone on
On Tue, 8 Jun 2010, Phil Howard wrote:

> On Tue, Jun 8, 2010 at 09:47, Larry Stone <lstone19(a)stonejongleux.com> wrote:
>> On Tue, 8 Jun 2010, Phil Howard wrote:
>>
>>> On Fri, Jun 4, 2010 at 18:31, Sahil Tandon <sahil(a)freebsd.org> wrote:
>>>>
>>>> On Fri, 04 Jun 2010, Dan Burkland wrote:
>>>>
>>>>> Relevant configuration entries:
>>>>>
>>>>> -------main.cf--------
>>>>> smtpd_recipient_restrictions = permit_mynetworks,
>>>>> reject_unauth_destination
>>>>
>>>>        ^^^^^^^^^
>>>>
>>>>> -------master.cf-------
>>>>> submission    inet    n       -       n       -       -       smtpd
>>>>>       -o smtpd_enforce_tls=yes
>>>>>       -o smtpd_sasl_auth_enable=yes
>>>>>       -o smtpd_sasl_type=dovecot
>>>>>       -o smtpd_sasl_path=private/auth
>>>>>       -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>>>>
>>>>                 ^^^^^^
>>>>
>>>> You might have incorrectly assumed that if one restriction list
>>>> evaluates to OK, that the following restriction lists are skipped.  This
>>>> is not the case.  You OK the SASL authenticated client in
>>>> smtpd_client_restrictions, but then smtpd_recipient_restrictions are
>>>> still evaluated based on the definition in main.cf.  For a better
>>>> understanding, review SMTPD_ACCESS_README.
>>>
>>> I'm assuming that:
>>>
>>>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>>>
>>> is intended to be:
>>>
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>
>>
>> Phil, you're not getting what people are trying to tell you. Your entry in
>> master.cf for submission overrides smtpd_CLIENT_restrictions. You are not
>> overriding smtpd_RECIPIENT_restrictions so the smtpd_recipient_restrictions
>> = permit_mynetworks, reject_unauth_destination
>> in main.cf is still applied. And that says if it's not mynetworks, reject.
>> SASL authentication is never looked at in that restriction.
>
> Did you even look at what I posted? There is no config item called
> "smtpd_client_restrictions_permit_sasl_authenticated".

And did you even read what I wrote? I am well aware you made a typo
earlier. I understand what you meant and said nothing about the mistake.

> I wasn't
> talking about smtpd_recipient_restrictions at all.

You might not be but I am and I'm pretty sure that's your problem (if I'm
remembering correctly what the original problem is. It is that remote
users connect to submission, SASL authenticate, but get rejected trying
to send to non-local destination, correct?).

That you did not specify smtpd_recipient_restrictions in master.cf does
not mean its value is blank. Rather, it takes the value from main.cf which
is permit_mynetworks, reject_unauth_destination

So let's see what happens when a remote user connects to submission, SASL
authenticates, tries to send to a destination off your server, and Postfix
gets to evaluating smtpd_recipient_restrictions. First it checks
permit_mynetworks. The user is remote and not in mynetworks so it
evaluates to DUNNO. Then it checks reject_unauth_destination. The
destination is not an authorized destination so REJECT. Get it, it
evaluates to REJECT! That you had permit_sasl_authenticated in
smtpd_client_restrictions is irrelevant because this is a different
restriction and they both need to evaluate to OK.

-- Larry Stone
lstone19(a)stonejongleux.com
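
Added example (not part of the original thread, and not Postfix code): a simplified Python model of the evaluation Larry describes, where a master.cf -o override replaces only the named parameter and every restriction list must pass. The mynetworks range, local domain, client address, recipient and the second -o line (one possible recipient-list override for submission) are constructed assumptions.

```python
# Simplified model of how smtpd combines main.cf, master.cf -o and restriction lists.
import ipaddress

MAIN_CF = {  # recipient list as posted in the thread; client list left at its empty default
    "smtpd_client_restrictions": "",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
}
# Constructed values: the thread does not show mynetworks or the local domains.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}

def effective(main_cf, overrides):
    """A master.cf '-o name=value' replaces only that one parameter."""
    cfg = dict(main_cf)
    for opt in overrides:
        name, _, value = opt.partition("=")
        cfg[name.strip()] = value.strip()
    return cfg

def check(restriction, s):
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client_ip"])
        return "OK" if any(ip in n for n in MYNETWORKS) else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if s["sasl_authenticated"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        domain = s["rcpt"].rsplit("@", 1)[1].lower()
        return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(cfg, s):
    """Every list must pass: OK ends only the current list, REJECT ends everything."""
    for list_name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        for r in cfg[list_name].replace(",", " ").split():
            result = check(r, s)
            if result == "REJECT":
                return f"REJECT by {list_name}: {r}"
            if result == "OK":
                break  # move on to the next list
    return "OK"

# Constructed session: remote, SASL-authenticated client relaying to a non-local domain.
REMOTE = {"client_ip": "203.0.113.7", "sasl_authenticated": True, "rcpt": "bob@example.net"}
AS_POSTED = ["smtpd_client_restrictions=permit_sasl_authenticated,reject"]  # with the '='
WITH_RCPT = AS_POSTED + ["smtpd_recipient_restrictions=permit_sasl_authenticated,reject"]

if __name__ == "__main__":
    print(evaluate(effective(MAIN_CF, AS_POSTED), REMOTE))
    print(evaluate(effective(MAIN_CF, WITH_RCPT), REMOTE))
```
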
From: Phil Howard on
On Tue, Jun 8, 2010 at 13:06, Larry Stone <lstone19(a)stonejongleux.com> wrote:

> And did you even read what I wrote? I am well aware you made a typo earlier.
> I understand what you meant and said nothing about the mistake.

I think this is a case of users being mixed up. I did not make the
typo ... Dan did. I reported the typo. I am not having the problem
with client vs. recipient ... Dan apparently was.