From: mike.selner on 21 Feb 2007 08:55

Hi,

I've got postfix 2.3.7 on freebsd 6.2 with SASL auth. I want to test sasl authentication only, so I don't have permit_mynetworks configured. Client is in the same subnet as server, but mynetworks_style=host, so the client is not in "mynetworks". The goal is to permit sasl authenticated clients only to send mail via this server. In other words I don't need to permit_mynetworks in this case. Adding permit_mynetworks to my smtpd_client_restrictions did not change the behavior.

I am able to authenticate my client using sasl, but I am not able to send mail. I am getting a relay denied message. The log shows that I am authenticating successfully, but then it shows:

generic_checks: name=permit_sasl_authenticated status=1

(what do the status codes mean?)

Here is the postconf -n:

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 1
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
unknown_local_recipient_reject_code = 550

master.cf just has the default smtp entry appended with "-v" for debug.

Here is the SMTP transcript:

$ telnet 10.0.0.66 25
Trying 10.0.0.66...
Connected to 10.0.0.66.
Escape character is '^]'.
220 dell1.tela.com ESMTP Postfix
ehlo my.test.client
250-dell1.tela.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN bWlrZQBtaWtlAG1pa2U=
235 2.0.0 Authentication successful
mail from:<mike@dell1.tela.com>
250 2.1.0 Ok
rcpt to:<anyone@yahoo.com>
554 5.7.1 <anyone@yahoo.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.

The postfix log shows:

dict_eval: const mail
dict_eval: const ipv4
name_mask: ipv4
dict_eval: const dell1.tela.com
dict_eval: const tela.com
dict_eval: const Postfix
dict_eval: const postfix
dict_eval: const postfix
dict_eval: const maildrop
dict_eval: expand $myhostname, localhost.$mydomain, localhost -> dell1.tela.com, localhost.tela.com, localhost
dict_eval: expand $myhostname -> dell1.tela.com
dict_eval: const
dict_eval: const /usr/local/libexec/postfix
dict_eval: const /usr/local/sbin
dict_eval: const /var/spool/postfix
dict_eval: const pid
dict_eval: const all
dict_eval: const
dict_eval: const double-bounce
dict_eval: const nobody
dict_eval: const hash:/etc/aliases
dict_eval: const 20070130
dict_eval: const 2.3.7
dict_eval: const hash
dict_eval: const deferred, defer
dict_eval: const
dict_eval: expand $mydestination -> dell1.tela.com, localhost.tela.com, localhost
dict_eval: expand $relay_domains -> dell1.tela.com, localhost.tela.com, localhost
dict_eval: const TZ MAIL_CONFIG LANG
dict_eval: const MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
dict_eval: const host
dict_eval: const
dict_eval: const +=
dict_eval: const -=+
dict_eval: const debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
dict_eval: const
dict_eval: const bounce
dict_eval: const cleanup
dict_eval: const defer
dict_eval: const pickup
dict_eval: const qmgr
dict_eval: const rewrite
dict_eval: const showq
dict_eval: const error
dict_eval: const flush
dict_eval: const verify
dict_eval: const trace
dict_eval: const
dict_eval: const 1
dict_eval: const 100s
message repeated 3 times
dict_eval: const 3600s
dict_eval: const 3600s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 1000s
dict_eval: const 1000s
dict_eval: const 10s
dict_eval: const 10s
dict_eval: const 1s
message repeated 3 times
dict_eval: const 500s
dict_eval: const 500s
dict_eval: const 18000s
dict_eval: const 18000s
dict_eval: const 1s
dict_eval: const 1s
name_mask: host
inet_addr_local: configured 3 IPv4 addresses
been_here: 10.0.0.66/32: 0
been_here: 127.0.0.1/32: 0
been_here: 192.168.0.1/32: 0
mynetworks: 10.0.0.66/32 127.0.0.1/32 192.168.0.1/32
dict_eval: const 10.0.0.66/32 127.0.0.1/32 192.168.0.1/32
dict_eval: const 550
dict_eval: expand $myhostname ESMTP $mail_name -> dell1.tela.com ESMTP Postfix
dict_eval: const resource, software
dict_eval: const permit_sasl_authenticated, reject_unauth_destination
dict_eval: const
dict_eval: const
dict_eval: const permit_mynetworks, reject_unauth_destination
dict_eval: const
message repeated 4 times
dict_eval: const postmaster
dict_eval: const
message repeated 2 times
dict_eval: expand $virtual_maps ->
dict_eval: const
dict_eval: const hash:/etc/aliases
dict_eval: expand proxy:unix:passwd.byname $alias_maps -> proxy:unix:passwd.byname hash:/etc/aliases
dict_eval: const noanonymous
dict_eval: const smtpd
dict_eval: expand $myhostname -> dell1.tela.com
dict_eval: const
message repeated 4 times
dict_eval: const CONNECT GET POST
dict_eval: const <>
dict_eval: const
dict_eval: const postmaster
dict_eval: expand $authorized_verp_clients ->
dict_eval: const
dict_eval: expand $myhostname -> dell1.tela.com
dict_eval: const
message repeated 2 times
dict_eval: expand ${smtpd_client_connection_limit_exceptions: $mynetworks} -> 10.0.0.66/32 127.0.0.1/32 192.168.0.1/32
dict_eval: const permit_inet_interfaces
dict_eval: const
message repeated 2 times
dict_eval: expand $smtpd_sasl_security_options -> noanonymous
dict_eval: const
dict_eval: expand $smtpd_tls_cert_file ->
dict_eval: const
dict_eval: expand $smtpd_tls_dcert_file ->
dict_eval: const
dict_eval: const
dict_eval: const medium
dict_eval: const
dict_eval: const
dict_eval: const ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
dict_eval: const ALL:!EXPORT:!LOW:+RC4:@STRENGTH
dict_eval: const ALL:!EXPORT:+RC4:@STRENGTH
dict_eval: const ALL:+RC4:@STRENGTH
dict_eval: const !aNULL:eNULL+kRSA
dict_eval: const SSLv3, TLSv1
dict_eval: const
message repeated 2 times
dict_eval: const cyrus
dict_eval: const
dict_eval: const j {daemon_name} v
dict_eval: const {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
dict_eval: const i {auth_type} {auth_authen} {auth_author} {mail_addr}
dict_eval: const i {rcpt_addr}
dict_eval: const i
dict_eval: const i
dict_eval: const
dict_eval: const 2
dict_eval: const tempfail
dict_eval: expand $myhostname -> dell1.tela.com
dict_eval: expand $mail_name $mail_version -> Postfix 2.3.7
dict_eval: const yes
dict_eval: const yes
dict_eval: const 300s
dict_eval: const 300s
dict_eval: const 1s
dict_eval: const 1s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 3s
dict_eval: const 3s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 300s
dict_eval: const 300s
dict_eval: const 1000s
dict_eval: const 1000s
dict_eval: const 300s
dict_eval: const 300s
dict_eval: const 3600s
dict_eval: const 3600s
dict_eval: const 30s
message repeated 3 times
dict_eval: const 300s
dict_eval: const 300s
process generation: 7 (7)
match_string: mynetworks ~? debug_peer_list
match_string: mynetworks ~? fast_flush_domains
match_string: mynetworks ~? mynetworks
match_string: relay_domains ~? debug_peer_list
match_string: relay_domains ~? fast_flush_domains
match_string: relay_domains ~? mynetworks
match_string: relay_domains ~? permit_mx_backup_networks
match_string: relay_domains ~? qmqpd_authorized_clients
match_string: relay_domains ~? relay_domains
match_string: permit_mx_backup_networks ~? debug_peer_list
match_string: permit_mx_backup_networks ~? fast_flush_domains
match_string: permit_mx_backup_networks ~? mynetworks
match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
connect to subsystem private/proxymap
send attr request = open
send attr table = unix:passwd.byname
send attr flags = 16448
private/proxymap socket: wanted attribute: status
input attribute name: status
input attribute value: 0
private/proxymap socket: wanted attribute: flags
input attribute name: flags
input attribute value: 16464
private/proxymap socket: wanted attribute: (list terminator)
input attribute name: (end)
dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=fixed|lock|fold_fix
dict_open: proxy:unix:passwd.byname
Compiled against Berkeley DB version 1
dict_open: hash:/etc/aliases
match_string: smtpd_access_maps ~? debug_peer_list
match_string: smtpd_access_maps ~? fast_flush_domains
match_string: smtpd_access_maps ~? mynetworks
match_string: smtpd_access_maps ~? permit_mx_backup_networks
match_string: smtpd_access_maps ~? qmqpd_authorized_clients
match_string: smtpd_access_maps ~? relay_domains
match_string: smtpd_access_maps ~? smtpd_access_maps
xsasl_cyrus_server_init: SASL config file is smtpd.conf
match_string: fast_flush_domains ~? debug_peer_list
match_string: fast_flush_domains ~? fast_flush_domains
auto_clnt_create: transport=local endpoint=private/anvil
connection established
master_notify: status 0
name_mask: resource
name_mask: software
xsasl_cyrus_server_create: SASL service=smtp, realm=dell1.tela.com
name_mask: noanonymous
connect from unknown[10.0.0.102]
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
match_hostname: unknown ~? 10.0.0.66/32
match_hostaddr: 10.0.0.102 ~? 10.0.0.66/32
match_hostname: unknown ~? 127.0.0.1/32
match_hostaddr: 10.0.0.102 ~? 127.0.0.1/32
match_hostname: unknown ~? 192.168.0.1/32
match_hostaddr: 10.0.0.102 ~? 192.168.0.1/32
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
auto_clnt_open: connected to private/anvil
send attr request = connect
send attr ident = smtp:10.0.0.102
private/anvil: wanted attribute: status
input attribute name: status
input attribute value: 0
private/anvil: wanted attribute: count
input attribute name: count
input attribute value: 1
private/anvil: wanted attribute: rate
input attribute name: rate
input attribute value: 1
private/anvil: wanted attribute: (list terminator)
input attribute name: (end)
> unknown[10.0.0.102]: 220 dell1.tela.com ESMTP Postfix
< unknown[10.0.0.102]: ehlo my.test.client
> unknown[10.0.0.102]: 250-dell1.tela.com
> unknown[10.0.0.102]: 250-PIPELINING
> unknown[10.0.0.102]: 250-SIZE 10240000
> unknown[10.0.0.102]: 250-VRFY
> unknown[10.0.0.102]: 250-ETRN
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
> unknown[10.0.0.102]: 250-AUTH LOGIN PLAIN
> unknown[10.0.0.102]: 250-ENHANCEDSTATUSCODES
> unknown[10.0.0.102]: 250-8BITMIME
> unknown[10.0.0.102]: 250 DSN
< unknown[10.0.0.102]: AUTH PLAIN bWlrZQBtaWtlAG1pa2U=
xsasl_cyrus_server_first: sasl_method PLAIN, init_response bWlrZQBtaWtlAG1pa2U=
xsasl_cyrus_server_first: decoded initial response mike
> unknown[10.0.0.102]: 235 2.0.0 Authentication successful
< unknown[10.0.0.102]: mail from:<mike@dell1.tela.com>
extract_addr: input: <mike@dell1.tela.com>
smtpd_check_addr: addr=mike@dell1.tela.com
connect to subsystem private/rewrite
send attr request = rewrite
send attr rule = local
send attr address = mike@dell1.tela.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: address
input attribute name: address
input attribute value: mike@dell1.tela.com
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
rewrite_clnt: local: mike@dell1.tela.com -> mike@dell1.tela.com
send attr request = resolve
send attr sender =
send attr address = mike@dell1.tela.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: transport
input attribute name: transport
input attribute value: local
private/rewrite socket: wanted attribute: nexthop
input attribute name: nexthop
input attribute value: dell1.tela.com
private/rewrite socket: wanted attribute: recipient
input attribute name: recipient
input attribute value: mike@dell1.tela.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 256
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
resolve_clnt: `' -> `mike@dell1.tela.com' -> transp=`local' host=`dell1.tela.com' rcpt=`mike@dell1.tela.com' flags= class=local
ctable_locate: install entry key mike@dell1.tela.com
extract_addr: in: <mike@dell1.tela.com>, result: mike@dell1.tela.com
fsspace: .: block size 2048, blocks free 4951980
smtpd_check_queue: blocks 2048 avail 4951980 min_free 0 msg_size_limit 10240000
> unknown[10.0.0.102]: 250 2.1.0 Ok
< unknown[10.0.0.102]: rcpt to:<anyone@yahoo.com>
extract_addr: input: <anyone@yahoo.com>
smtpd_check_addr: addr=anyone@yahoo.com
send attr request = rewrite
send attr rule = local
send attr address = anyone@yahoo.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: address
input attribute name: address
input attribute value: anyone@yahoo.com
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
rewrite_clnt: local: anyone@yahoo.com -> anyone@yahoo.com
send attr request = resolve
send attr sender =
send attr address = anyone@yahoo.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: transport
input attribute name: transport
input attribute value: smtp
private/rewrite socket: wanted attribute: nexthop
input attribute name: nexthop
input attribute value: yahoo.com
private/rewrite socket: wanted attribute: recipient
input attribute name: recipient
input attribute value: anyone@yahoo.com
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 4096
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
resolve_clnt: `' -> `anyone@yahoo.com' -> transp=`smtp' host=`yahoo.com' rcpt=`anyone@yahoo.com' flags= class=default
ctable_locate: install entry key anyone@yahoo.com
extract_addr: in: <anyone@yahoo.com>, result: anyone@yahoo.com
send attr request = rewrite
send attr rule = local
send attr address = postmaster
private/rewrite socket: wanted attribute: flags
input attribute name: flags
input attribute value: 0
private/rewrite socket: wanted attribute: address
input attribute name: address
input attribute value: postmaster@dell1.tela.com
private/rewrite socket: wanted attribute: (list terminator)
input attribute name: (end)
rewrite_clnt: local: postmaster -> postmaster@dell1.tela.com
>>> START Client host RESTRICTIONS <<<
generic_checks: name=permit_sasl_authenticated
generic_checks: name=permit_sasl_authenticated status=1
>>> START Recipient address RESTRICTIONS <<<
generic_checks: name=permit_mynetworks
permit_mynetworks: unknown 10.0.0.102
match_hostname: unknown ~? 10.0.0.66/32
match_hostaddr: 10.0.0.102 ~? 10.0.0.66/32
match_hostname: unknown ~? 127.0.0.1/32
match_hostaddr: 10.0.0.102 ~? 127.0.0.1/32
match_hostname: unknown ~? 192.168.0.1/32
match_hostaddr: 10.0.0.102 ~? 192.168.0.1/32
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
generic_checks: name=permit_mynetworks status=0
generic_checks: name=reject_unauth_destination
reject_unauth_destination: anyone@yahoo.com
permit_auth_destination: anyone@yahoo.com
ctable_locate: leave existing entry key anyone@yahoo.com
NOQUEUE: reject: RCPT from unknown[10.0.0.102]: 554 5.7.1 <anyone@yahoo.com>: Relay access denied; from=<mike@dell1.tela.com> to=<anyone@yahoo.com> proto=ESMTP helo=<my.test.client>
generic_checks: name=reject_unauth_destination status=2
> unknown[10.0.0.102]: 554 5.7.1 <anyone@yahoo.com>: Relay access denied
< unknown[10.0.0.102]: quit
> unknown[10.0.0.102]: 221 2.0.0 Bye
match_hostname: unknown ~? 10.0.0.66/32
match_hostaddr: 10.0.0.102 ~? 10.0.0.66/32
match_hostname: unknown ~? 127.0.0.1/32
match_hostaddr: 10.0.0.102 ~? 127.0.0.1/32
match_hostname: unknown ~? 192.168.0.1/32
match_hostaddr: 10.0.0.102 ~? 192.168.0.1/32
match_list_match: unknown: no match
match_list_match: 10.0.0.102: no match
send attr request = disconnect
send attr ident = smtp:10.0.0.102
private/anvil: wanted attribute: status
input attribute name: status
input attribute value: 0
private/anvil: wanted attribute: (list terminator)
input attribute name: (end)
disconnect from unknown[10.0.0.102]
master_notify: status 1
connection closed
proxymap stream disconnect
rewrite stream disconnect
idle timeout -- exiting
------

I also set up another server with the same setup but using dovecot sasl auth instead with postfix and I had the same relay denied problem.

Any help is appreciated!

Mike
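As an added example, not part of Mike's post or of Postfix's own code: a small Python model of how Postfix walks its smtpd_*_restrictions lists, fed with the settings from the postconf -n output above. It shows why the RCPT is refused although AUTH succeeded: every list is evaluated on its own, so the OK from permit_sasl_authenticated in the client stage does not carry into the recipient stage, where the built-in default "permit_mynetworks, reject_unauth_destination" still runs and rejects the relay. The stage names, list defaults and status codes are Postfix's; the simplified address matching and the Session tuple are this example's assumptions.

```python
import ipaddress
from collections import namedtuple

# Result codes as in Postfix's smtpd_check.c: the "status=" values that
# generic_checks prints in the -v log (0 = no decision, 1 = permit, 2 = reject).
DUNNO, OK, REJECT = 0, 1, 2
# From the post: mynetworks_style=host yields the three interface addresses,
# and relay_domains defaults to $mydestination.
MYNETWORKS = ["10.0.0.66/32", "127.0.0.1/32", "192.168.0.1/32"]
AUTH_DESTINATIONS = {"dell1.tela.com", "localhost.tela.com", "localhost"}
# Assumed session shape: peer address, whether AUTH succeeded, RCPT TO address.
Session = namedtuple("Session", "client_ip sasl_authenticated recipient")

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return OK if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else DUNNO

def permit_sasl_authenticated(s):
    return OK if s.sasl_authenticated else DUNNO

def reject_unauth_destination(s):
    domain = s.recipient.rpartition("@")[2].lower()
    return DUNNO if domain in AUTH_DESTINATIONS else REJECT

RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination)}

def run_stage(names, s):
    """One list in order: the first OK or REJECT ends it; an exhausted list is DUNNO."""
    for name in names:
        status = RESTRICTIONS[name](s)
        if status != DUNNO:
            return status
    return DUNNO

STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def rejecting_stage(config, s):
    """With smtpd_delay_reject=yes (default) every stage runs at RCPT TO, each on its
    own: a permit in one stage never carries over. Returns the rejecting stage or None."""
    for stage in STAGES:
        if run_stage(config.get(stage, []), s) == REJECT:
            return stage
    return None

POSTED = {  # the poster's main.cf plus the Postfix 2.3 recipient-stage default
    "smtpd_client_restrictions": ["permit_sasl_authenticated", "reject_unauth_destination"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}
FIXED = {  # the SASL permit placed in the stage where relaying is actually decided
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject_unauth_destination"],
}
```

Running rejecting_stage(POSTED, Session("10.0.0.102", True, "anyone@yahoo.com")) names smtpd_recipient_restrictions, matching the log's status=2 line; the same session under FIXED is accepted while an unauthenticated client relaying to yahoo.com is still refused.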