From: Stefan Foerster on 18 Jul 2010 06:14

Given: A dedicated Postfix instance, configured to accept mails from
SASL authenticated users. It seems that unlike access(5) maps, the
lookup for smtpd_sender_login_maps for addresses which contain
$recipient_delimiter is not tried at all without the extension:

# postmulti -i postfix-sasl -x postconf recipient_delimiter smtpd_sender_login_maps
recipient_delimiter = +
smtpd_sender_login_maps = proxy:pgsql:${maps_dir}/sasl-maps.pgsql
# maps_dir=/etc/postfix-sasl/maps
# postmap -q sfoerster(a)incertum.net pgsql:${maps_dir}/sasl-maps.restricted
cite
# postmap -q sfoerster+test(a)incertum.net pgsql:${maps_dir}/sasl-maps.restricted
# swaks -t sfoerster(a)incertum.net -f sfoerster+test(a)incertum.net -tls -s saslhub.kvm \
> -p 587 -tls -au cite -ap secret 2>&1 | grep "not owned"
<~* 553 5.7.1 <sfoerster+test(a)incertum.net>: Sender address rejected: not owned by user cite

(Note: "swaks" is an SMTP testing tool. The "-f" parameter to swaks sets
the address used in the "mail from:<...>" command).

Without the address extension, the user is able to relay just fine.

While the solution is obvious in my case (modify the SQL query), may I
request a new feature in Postfix that performs lookups in
smtpd_sender_login_maps in the same manner as lookups in an access(5)
table are done, with regards to address extensions?

Oh, BTW: Multi-instance support is a terrific feature.

Cheers
Stefan

P.S: I don't really want to get into an argument about why anyone
nowadays would need address extensions. If the general consensus on
this list is that address extensions are only needed for mailing lists,
I will quietly rest my case.

From: Stefan Foerster on 18 Jul 2010 06:16

* Stefan Foerster <cite+postfix-users(a)incertum.net>:
> # postmulti -i postfix-sasl -x postconf recipient_delimiter smtpd_sender_login_maps
> recipient_delimiter = +
> smtpd_sender_login_maps = proxy:pgsql:${maps_dir}/sasl-maps.pgsql

Damn. While editing, I accidentally deleted the ".restricted" at the
end of this line. Of course, Postfix and my manual tests use the exact
same lookup maps.

Stefan

From: Victor Duchovni on 19 Jul 2010 11:48

On Sun, Jul 18, 2010 at 12:14:17PM +0200, Stefan Foerster wrote:

> Given: A dedicated Postfix instance, configured to accept mails from
> SASL authenticated users. It seems that unlike access(5) maps, the
> lookup for smtpd_sender_login_maps for addresses which contain
> $recipient_delimiter is not tried at all without the extension:

This is false. Exactly the same code handles access table lookups as
sender login lookups, only the interpretation of the results is different.

> # postmap -q sfoerster(a)incertum.net ...

Partial key lookups are not implemented in postmap, which performs
exactly the requested query. Your test is invalid.

--
Viktor.

From: Stefan Foerster on 20 Jul 2010 00:17

* Victor Duchovni <Victor.Duchovni(a)morganstanley.com>:
> On Sun, Jul 18, 2010 at 12:14:17PM +0200, Stefan Foerster wrote:
>
> > Given: A dedicated Postfix instance, configured to accept mails from
> > SASL authenticated users. It seems that unlike access(5) maps, the
> > lookup for smtpd_sender_login_maps for addresses which contain
> > $recipient_delimiter is not tried at all without the extension:
>
> This is false. Exactly the same code handles access table lookups as
                 ^^^^^^^^^^^^^^^^^^^^^
> sender login lookups, only the interpretation of the results is different.
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is in no way meant as an "ad hominem" attack, but while the above
is probably 100% correct, it is neither helpful nor purposeful.

> > # postmap -q sfoerster(a)incertum.net ...
>
> Partial key lookups are not implemented in postmap, which performs
> exactly the requested query. Your test is invalid.

I could have shown you the whole database, and the queries. Instead, I
chose to demonstrate that the address without extension was indeed
owned by the user who performed a SASL authentication. This is by no
means invalid but was simply intended to keep the mail short.

I'd still love to see Postfix interpreting the results of any sender
login lookups in the same way as access table lookups, with regards to
address extensions.

Stefan

From: Victor Duchovni on 20 Jul 2010 11:48

On Tue, Jul 20, 2010 at 06:17:52AM +0200, Stefan Foerster wrote:

> * Victor Duchovni <Victor.Duchovni(a)morganstanley.com>:
> > On Sun, Jul 18, 2010 at 12:14:17PM +0200, Stefan Foerster wrote:
> >
> > > Given: A dedicated Postfix instance, configured to accept mails from
> > > SASL authenticated users. It seems that unlike access(5) maps, the
> > > lookup for smtpd_sender_login_maps for addresses which contain
> > > $recipient_delimiter is not tried at all without the extension:
> >
> > This is false. Exactly the same code handles access table lookups as
> > sender login lookups, only the interpretation of the results is different.
>
> This is in no way meant as an "ad hominem" attack, but while the above
> is probably 100% correct, it is neither helpful nor purposeful.

If you have specified a recipient delimiter, the smtpd(8) server will
use the sender address with and without the extension. This is true at
least as far back as Postfix 2.5. Feel free to post "smtpd -v" or
"debug_peer_list" verbose logging to prove otherwise. The logs of which
queries are made look (system-dependent) like:

    postfix/smtpd[pid]: maps_find: ...

> > Partial key lookups are not implemented in postmap, which performs
> > exactly the requested query. Your test is invalid.
>
> I could have shown you the whole database, and the queries.

That's nice, but the lookup code path is still the same... Only the
parsing of the lookup result is different.

--
Viktor.
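
Added example, not part of the thread and not Postfix code: a small Python model of the distinction Viktor describes, where "postmap -q" looks up only the literal key while a partial-key lookup also tries the sender address without its extension. The key order, the function names and the example.org table are assumptions constructed for illustration; "smtpd -v" logging on a real system shows which queries are actually made.

```python
# Illustrative model, not Postfix source code.
# Assumed key order: full address, address without extension, @domain.

def candidate_keys(address, delimiter="+"):
    """Keys a partial-key lookup tries, most specific first."""
    localpart, at, domain = address.rpartition("@")
    if not at or not localpart or not domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    keys = [address]
    if delimiter:
        base, sep, _ext = localpart.partition(delimiter)
        if sep and base:  # "+foo@..." has no base part to fall back to
            keys.append(f"{base}@{domain}")
    keys.append(f"@{domain}")
    return keys


def exact_query(table, address):
    """postmap -q style: only the literal key is looked up."""
    return table.get(address)


def partial_key_lookup(table, address, delimiter="+"):
    """Return (matching_key, value) for the first candidate key present."""
    for key in candidate_keys(address, delimiter):
        if key in table:
            return key, table[key]
    return None, None


def sender_owned_by(table, address, login, delimiter="+"):
    """True if `login` is among the owners found for the sender address."""
    _key, owners = partial_key_lookup(table, address, delimiter)
    return owners is not None and login in owners.replace(",", " ").split()


# Constructed sample table: sender address -> SASL login name(s).
SAMPLE_MAP = {"alice@example.org": "alice_login"}

if __name__ == "__main__":
    sender = "alice+test@example.org"
    print("exact query   :", exact_query(SAMPLE_MAP, sender))
    print("keys tried    :", candidate_keys(sender))
    print("partial lookup:", partial_key_lookup(SAMPLE_MAP, sender))
    print("owned by login:", sender_owned_by(SAMPLE_MAP, sender, "alice_login"))
```

An empty result from an exact query for the extended address therefore says nothing about whether the partial-key lookup would find the owner.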