From: Wietse Venema on 4 Jun 2010 17:16

Dan Burkland:
> Hello all,
>
> I have been trying to set up my Postfix server as follows:
>
> a) Clients need to use STARTTLS + Authentication in order to send mail using my SMTP Server. They can only submit mail on port 587 (25 for submission is disallowed).
> b) Port 25 is to be used for MTA-to-MTA communication and should still accept mail for all domains that my server is the final destination for.
>
> I have attempted at setting this up however I am unable to send mail to external domains. I am now prevented from sending mail through 25 as designed and can still however send to myself (or other recipients that are hosted on my server). I would appreciate any insight regarding my goal as previously described.
>
> Relevant configuration entries:
>
> -------main.cf--------
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>
> -------master.cf-------
> submission inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject

You need -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
to get relay permissions.

Wietse

> Any insight is greatly appreciated!
>
> Thanks again,
>
> Dan

From: Phil Howard on 4 Jun 2010 17:26

On Fri, Jun 4, 2010 at 17:16, Wietse Venema <wietse(a)porcupine.org> wrote:

> You need -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> to get relay permissions.

Is that for the submission entry or the smtp entry (that he didn't provide)? It looks to me like he used mostly the example for submission. But he did change smtpd_recipient_restrictions in main.cf, so I'm guessing that's why it needs to be added. It seems like it would need to be added to the submission entry, yet he was describing problems with port 25.

From: Wietse Venema on 4 Jun 2010 17:35

Phil Howard:
> On Fri, Jun 4, 2010 at 17:16, Wietse Venema <wietse(a)porcupine.org> wrote:
>
> > You need -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> > to get relay permissions.
>
> Is that for the submission entry or the smtp entry (that he didn't
> provide)?

Allow me to place my advice in context:

> -------main.cf--------
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
> -------master.cf-------
> submission inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject

You need -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
to get relay permissions.

Given the full context, I think that there is no need for confusion.

Wietse

From: Sahil Tandon on 4 Jun 2010 18:31

On Fri, 04 Jun 2010, Dan Burkland wrote:

> Relevant configuration entries:
>
> -------main.cf--------
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
        ^^^^^^^^^

> -------master.cf-------
> submission inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject
             ^^^^^^

You might have incorrectly assumed that if one restriction list
evaluates to OK, that the following restriction lists are skipped. This
is not the case. You OK the SASL authenticated client in
smtpd_client_restrictions, but then smtpd_recipient_restrictions are
still evaluated based on the definition in main.cf. For a better
understanding, review SMTPD_ACCESS_README.

--
Sahil Tandon <sahil(a)FreeBSD.org>

From: Phil Howard on 8 Jun 2010 09:08

On Fri, Jun 4, 2010 at 18:31, Sahil Tandon <sahil(a)freebsd.org> wrote:

> On Fri, 04 Jun 2010, Dan Burkland wrote:
>
>> Relevant configuration entries:
>>
>> -------main.cf--------
>> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>        ^^^^^^^^^
>
>> -------master.cf-------
>> submission inet n - n - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_sasl_type=dovecot
>>   -o smtpd_sasl_path=private/auth
>>   -o smtpd_client_restrictions_permit_sasl_authenticated,reject
>             ^^^^^^
>
> You might have incorrectly assumed that if one restriction list
> evaluates to OK, that the following restriction lists are skipped. This
> is not the case. You OK the SASL authenticated client in
> smtpd_client_restrictions, but then smtpd_recipient_restrictions are
> still evaluated based on the definition in main.cf. For a better
> understanding, review SMTPD_ACCESS_README.

I'm assuming that:

  -o smtpd_client_restrictions_permit_sasl_authenticated,reject

is intended to be:

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
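
The restriction-list evaluation discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of the submission service on port 587, with the posted settings and with the recipient-restrictions override. The addresses, domains and user name are constructed sample values, and only the four restrictions named in the thread are modelled.

```python
# Simplified model of how Postfix smtpd walks its restriction lists.
# Assumption: only the four restrictions named in this thread are modelled.
MYNETWORKS = {"127.0.0.1"}        # constructed sample value
LOCAL_DOMAINS = {"example.org"}   # constructed: domains with final delivery here

def check(restriction, session):
    """Return OK, REJECT or DUNNO for a single restriction."""
    if restriction == "permit_mynetworks":
        return "OK" if session["client_ip"] in MYNETWORKS else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if session["sasl_user"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        domain = session["rcpt"].rsplit("@", 1)[1].lower()
        return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(lists, session):
    """OK ends only the current list; REJECT ends the whole transaction."""
    for list_name, restrictions in lists:
        for restriction in restrictions:
            verdict = check(restriction, session)
            if verdict == "REJECT":
                return f"REJECT by {restriction} in {list_name}"
            if verdict == "OK":
                break  # the following lists are still evaluated
    return "PERMIT"

# Port 587 as posted (reading the client line with "=" as assumed in the
# thread): the recipient list is inherited from main.cf.
CLIENT = ("smtpd_client_restrictions", ["permit_sasl_authenticated", "reject"])
AS_POSTED = [CLIENT, ("smtpd_recipient_restrictions",
                      ["permit_mynetworks", "reject_unauth_destination"])]
# Port 587 with the -o smtpd_recipient_restrictions override from the reply.
WITH_OVERRIDE = [CLIENT, ("smtpd_recipient_restrictions",
                          ["permit_sasl_authenticated", "reject"])]

# Constructed sessions: a remote client, authenticated and not.
authed = {"client_ip": "203.0.113.7", "sasl_user": "dan",
          "rcpt": "friend@example.net"}
anon = dict(authed, sasl_user=None)

if __name__ == "__main__":
    print(evaluate(AS_POSTED, authed))                                # external rcpt
    print(evaluate(AS_POSTED, dict(authed, rcpt="dan@example.org")))  # local rcpt
    print(evaluate(WITH_OVERRIDE, authed))
    print(evaluate(WITH_OVERRIDE, anon))
```

With the posted settings the authenticated client passes the client list and is then refused for an external recipient by the inherited recipient list, while a local recipient is accepted. With the override, relaying is granted to authenticated clients only.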