From: Jack Browning on 28 May 2010 12:29

I'm using Postfix 2.5.1 on Ubuntu Server x64 8.04 LTS. I am attempting to use Postfix to relay non-local mail from my home network to ATT U-verse's SMTP server at smtp.att.yahoo.com:465. As recommended at the Postfix website (and elsewhere), I set up an stunnel client connection from my server (on localhost:2525) to the ATT server.

Since ATT requires per-user authentication for outgoing mail, I turned on sender-dependent authentication and created a password map containing the authentication information for each user. The map looks like this:

    abc(a)att.net abc(a)att.net:abcpassword
    xyz(a)att.net xyz(a)att.net:xyzpassword

I also have generic mapping turned on, with a generic map that looks like this:

    aaa(a)local.net abc(a)att.net
    bbb(a)local.net xyz(a)att.net

Finally, I set Postfix's relayhost to [localhost]:2525.

So far, so good. Here's the problem: everything works fine when I configure the From address in the user's e-mail client to the user's ATT address, e.g., abc(a)att.net. When, however, I configure the From address to the user's local address, e.g., aaa(a)local.net, that address doesn't get rewritten by the generic map. This causes authentication to fail because the password map lookup, which uses the ATT address as a key, fails. Whatever data Postfix returns for a failed password lookup is sent to the ATT server, and it, of course, rejects the authentication attempt.

I'm curious as to why the generic map isn't working for mail sent to the relayhost. I suspect it has something to do with the fact that the stunnel connection (on localhost) is within $mydestination, and, hence, considered to be a local destination by the generic mapper (even though it's designated as the relayhost). Also, I'm unclear about the order in which rewriting and password lookup take place. My gut feeling is that rewriting occurs before the lookup, so that the password lookup needs the ATT address as the key.

Any insight on these issues would be greatly appreciated.

TIA,
Jack Browning

From: Wietse Venema on 28 May 2010 14:27

Jack Browning:
> I'm curious as to why the generic map isn't working for mail sent to
> the relayhost.

Generic mapping is implemented in the Postfix SMTP client, so you
need to configure the Postfix SMTP client appropriately. Setting
the generic mapping on other Postfix programs has no effect.

Wietse

From: Jack Browning on 1 Jun 2010 16:08

On Fri, May 28, 2010 at 1:27 PM, Wietse Venema <wietse(a)porcupine.org> wrote:
> Jack Browning:
>> I'm curious as to why the generic map isn't working for mail sent to
>> the relayhost.
>
> Generic mapping is implemented in the Postfix SMTP client, so you
> need to configure the Postfix SMTP client appropriately. Setting
> the generic mapping on other Postfix programs has no effect.

Perhaps there was a misunderstanding because of my description of the issue.

To connect to the ATT/U-verse SMTP server, I am using a variant of the configuration described at:

http://www.postfix.org/TLS_README.html#client_smtps

The only differences in my stunnel.conf and the stunnel.conf in the README are nominal, to wit:

    root(a)dell:/etc/init.d# cat /etc/stunnel/stunnel.conf
    client = yes
    foreground = no

    [att-smtps]
    accept = 2525
    connect = smtp.att.yahoo.com:smtps

My main.cf looks like this:

    root(a)dell:/etc/postfix# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = yes
    biff = no
    config_directory = /etc/postfix
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 104857600
    message_size_limit = 52428800
    mydestination = dell.jnjroos.net, localhost.jnjroos.net, localhost, jnjroos.net
    myhostname = dell.jnjroos.net
    mynetworks = 127.0.0.0/8, 192.168.0.0/24
    myorigin = /etc/mailname
    queue_minfree = 78643200
    relayhost = [localhost]:2525
    smtp_generic_maps = hash:/etc/postfix/generic
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_sender_dependent_authentication = yes
    smtp_use_tls = no
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

Note the relayhost specification, which, again, only differs nominally from the configuration stated in the README. Note, too, the specification of smtp_sasl_password_maps, which implements the sender-based authentication the remote server requires. Finally, note the specification of smtp_generic_maps, which I had hoped would rewrite the sender address for outgoing mail being delivered to the relayhost. "jnjroos.net" is, of course, a fantasy name for my local network.

As I stated in my original post, everything works as it should when the local e-mail clients (Windows Live Mail and Sylpheed) are configured with the user's ATT e-mail address as the From address. Here is a redacted log excerpt for outgoing mail when the local clients are configured that way:

    Jun 1 13:42:28 dell postfix/smtpd[16260]: connect from asus.jnjroos.net[192.168.0.4]
    Jun 1 13:42:28 dell postfix/smtpd[16260]: 6E5C71C157: client=asus.jnjroos.net[192.168.0.4]
    Jun 1 13:42:28 dell postfix/cleanup[16263]: 6E5C71C157: message-id=<20100601134228.d563162f.xxxxxx(a)att.net>
    Jun 1 13:42:28 dell postfix/qmgr[16015]: 6E5C71C157: from=<xxxxxx(a)att.net>, size=828, nrcpt=1 (queue active)
    Jun 1 13:42:28 dell postfix/smtpd[16260]: disconnect from asus.jnjroos.net[192.168.0.4]
    Jun 1 13:42:29 dell postfix/smtp[16264]: 6E5C71C157: to=<yyyyyy(a)gmail.com>, relay=127.0.0.1[127.0.0.1]:2525, delay=1.3, delays=0.06/0/1/0.22, dsn=2.0.0, status=sent (250 OK , completed)
    Jun 1 13:42:29 dell postfix/qmgr[16015]: 6E5C71C157: removed

As you can see, everything (including sender-based authentication) works, and the delivery to the remote host (via Postfix's SMTP client) is successful.

Now, when I change the From address in the local e-mail clients to the user's local e-mail address, i.e., from xxxxxx(a)att.net to zzzzzz(a)jnjroos.net, this is what happens:

    Jun 1 14:17:24 dell postfix/smtpd[16469]: connect from asus.jnjroos.net[192.168.0.4]
    Jun 1 14:17:24 dell postfix/smtpd[16469]: B01C11C157: client=asus.jnjroos.net[192.168.0.4]
    Jun 1 14:17:24 dell postfix/cleanup[16472]: B01C11C157: message-id=<20100601141724.a4213911.zzzzzz(a)jnjroos.net>
    Jun 1 14:17:24 dell postfix/qmgr[16317]: B01C11C157: from=<zzzzzz(a)jnjroos.net>, size=850, nrcpt=1 (queue active)
    Jun 1 14:17:24 dell postfix/smtpd[16469]: disconnect from asus.jnjroos.net[192.168.0.4]
    Jun 1 14:17:25 dell postfix/smtp[16473]: B01C11C157: to=<yyyyyy(a)gmail.com>, relay=localhost[127.0.0.1]:2525, delay=0.28, delays=0.05/0.01/0.18/0.04, dsn=5.0.0, status=bounced (host localhost[127.0.0.1] said: 530 authentication required - for help go to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html (in reply to MAIL FROM command))
    Jun 1 14:17:25 dell postfix/cleanup[16472]: 2144A1C297: message-id=<20100601191725.2144A1C297(a)dell.jnjroos.net>
    Jun 1 14:17:25 dell postfix/bounce[16475]: B01C11C157: sender non-delivery notification: 2144A1C297
    Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: from=<>, size=2825, nrcpt=1 (queue active)
    Jun 1 14:17:25 dell postfix/qmgr[16317]: B01C11C157: removed
    Jun 1 14:17:25 dell postfix/local[16476]: 2144A1C297: to=<zzzzzz(a)jnjroos.net>, relay=local, delay=0.02, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
    Jun 1 14:17:25 dell postfix/qmgr[16317]: 2144A1C297: removed

No address rewriting is occurring even though Postfix is invoking its SMTP client to deliver the mail to the remote host, and my generic map (after postmap and a reload) contains an entry like this:

    zzzzzz(a)jnjroos.net xxxxxx(a)att.net

I suspect that because the sender address is not being rewritten by the generic map the password lookup is also failing, so that a non-ATT sender address *and* garbage credentials are being sent to the remote server.

I find this behavior quite perplexing, because generic mapping has worked flawlessly for me in the past, when my relayhost parameter pointed to an actual SMTP server with an Internet (as opposed to local) network address. The only difference this time around seems to be specifying the local endpoint of the stunnel connection as the relayhost.

This is the first time I've had to use sender-based authentication, so I have no experience with how it should be interacting with address rewriting.

I hope this clarifies the issue I am facing. Again, I am using Postfix 2.5.1 on Ubuntu 8.04 x64 LTS.

TIA,
JEB

From: Noel Jones on 1 Jun 2010 16:16

Add a password map entry for the local unwritten address.

From: Jack Browning on 1 Jun 2010 17:20

On Tue, Jun 1, 2010 at 3:16 PM, Noel Jones <njones(a)megan.vbhcs.org> wrote:
> Add a password map entry for the local unwritten address.

Wow. That's all it took. Case closed. I will try and decipher why that worked off-list.

Thanks, man.

JEB
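
Added example, not part of the original thread and not Postfix's own code: a small lint that applies the fix above by checking that every local sender in the generic map also has a key in the SASL password map, looked up by the address as queued and then by the relayhost. The function names are hypothetical, the map contents are constructed from the thread's placeholder addresses (with "@" where the archive prints "(a)"), and the login/rewritten-address comparison assumes the provider expects the two to match.

```python
# Added example: lint smtp_generic_maps against smtp_sasl_password_maps (constructed data).
def parse_map(text):
    """Parse 'key value' table source into a dict; continuation lines not handled."""
    table = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table

def sasl_login_for(sender, passwd, relayhost):
    """Sender-dependent lookup order: queued sender address, then next hop.
    Returns only the login name (never the password), or None."""
    entry = passwd.get(sender.lower()) or passwd.get(relayhost.lower())
    return entry.split(":", 1)[0] if entry else None

def audit(generic_text, passwd_text, relayhost):
    """Return (local_sender, problem) pairs for every full-address generic key."""
    generic, passwd = parse_map(generic_text), parse_map(passwd_text)
    findings = []
    for local, external in generic.items():
        if "@" not in local or local.startswith("@"):
            continue  # bare-user and @domain keys are out of scope here
        login = sasl_login_for(local, passwd, relayhost)
        if login is None:
            findings.append((local, "no credentials: mail leaves unauthenticated"))
        elif login.lower() != external.lower():
            findings.append((local, f"logs in as {login}, rewritten to {external}"))
    return findings

GENERIC = """\
aaa@local.net  abc@att.net
bbb@local.net  xyz@att.net
"""
PASSWD_BEFORE = """\
abc@att.net  abc@att.net:abcpassword
xyz@att.net  xyz@att.net:xyzpassword
"""
# After the fix from the thread: one extra key per local (unrewritten) sender.
PASSWD_AFTER = PASSWD_BEFORE + """\
aaa@local.net  abc@att.net:abcpassword
bbb@local.net  xyz@att.net:xyzpassword
"""
if __name__ == "__main__":
    for label, passwd in (("before", PASSWD_BEFORE), ("after", PASSWD_AFTER)):
        print(label, audit(GENERIC, passwd, "[localhost]:2525"))
```

The password map holds cleartext credentials, so keep both the source file and the postmap output readable by root only.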