On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote:

> So, the actual SASL login is "auser"? (which is what I've told gmail
> to use to login)

I don't know what it is, the logs will tell the true story.  Please post
both the "client=" and the "reject:" log entries for one of the failed
attempts from Gmail to use your server as an outbound relay.

> > No, the issue is the content of your sender login table.
> 
> My current guess is that the virtual or senderlogin files are wrong
> and that's my problem...

The actual problem was stated above, I'm puzzled why you're still
"guessing"...

> Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
>   # senderlogin
>   au...@domain.name   auser
>   au...@machine.domain.name   auser

The reject message in your original post was:

    Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
        reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
        <au...@domain.name>: Sender address rejected: not owned by user auser;
        from=<au...@domain.name> to=<anotheru...@anotherdomain.name>
        proto=ESMTP helo=<mail-oo1-f41.google.com>

Which means that the lookup key "au...@domain.name" does not in fact map
to "auser" in the indexed (hash table) file:

    smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

You can examine the hash table with:

    postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

> And here's /etc/virtual (again, my best guess of what it should be)

Irrelevant to the reported problem.

> > If you post also the "client=" log entry for the transaction of
> > interest, the "postconf -Mf" output and the content of the sender login
> > table, more help will be possible.
> 
> I don't see "client=" anywhere in the logs... but here's the "postconf
> -Mf" after making the changes you suggested above:

Well, it has to be there, unless your syslog configuration filters it
out.  Here's an example (long line folded) from my system:

    Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
        00D8B893CE0: client=<censored>, sasl_method=<censored>,
        sasl_username=<censored>

> submission inet  n       -       n       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_wrappermode=no
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_sasl_local_domain=$myhostname
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o smtpd_sender_login_maps=hash:/etc/virtual
>     -o smtpd_sender_restrictions=reject_sender_login_mismatch

This is where you're requiring the envelope sender address to match the
expected login, and have for no particular reason included:

>     -o smtpd_sender_login_maps=hash:/etc/virtual

Which explains the source of the problem.  Just remove that erroneous
setting.  The virtual(5) alias table is not your sender -> sasl login
table.

You should also remove the "smtpd_sasl_auth_enable = yes" from
"main.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
in main.cf set:

    smtpd_tls_auth_only = yes

Also in the above submission service set:

    smtpd_tls_security_level=encrypt

(not "may").

-- 
    Viktor.
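
The diagnosis above comes down to a master.cf "-o" override pointing smtpd_sender_login_maps at a different table than the intended one, plus a submission service left at TLS level "may". As an added example (not part of the message above and not Postfix code), this shell function scans "postconf -Mf" output for those two conditions in one service; the function names, the output labels and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report per-service "-o" overrides in "postconf -Mf" output
# that shadow the intended sender login table or leave TLS optional.

# audit_overrides SERVICE/TYPE EXPECTED_LOGIN_MAPS   (reads postconf -Mf on stdin)
audit_overrides() {
    awk -v want="$1" -v expected="$2" '
    {
        c = substr($0, 1, 1)
        if (!NF || c == "#") next            # skip blank lines and comments
        # A line starting in column 1 begins a new service entry.
        if (c != " " && c != "\t")
            insvc = (($1 "/" $2) == want)
        if (!insvc) next
        for (i = 1; i < NF; i++) {
            if ($i != "-o") continue
            eq = index($(i + 1), "=")        # assumes the name=value form
            name = substr($(i + 1), 1, eq - 1)
            val = substr($(i + 1), eq + 1)
            if (name == "smtpd_sender_login_maps" && val != expected)
                print "OVERRIDE " name "=" val " (expected " expected ")"
            if (name == "smtpd_tls_security_level" && val != "encrypt")
                print "WEAK " name "=" val
        }
    }'
}

# Constructed sample modelled on the master.cf excerpt quoted in the message.
sample_master() {
    cat <<'EOF'
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sender_login_maps=hash:/etc/virtual
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
pickup     unix  n       -       n       60      1       pickup
EOF
}

# The expected table is the one named earlier in the message.
sample_master | audit_overrides submission/inet hash:/usr/local/etc/postfix/senderlogin
```

On a live system the same function can be fed with `postconf -Mf | audit_overrides submission/inet "$(postconf -h smtpd_sender_login_maps)"`.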