On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote:
> So, the actual SASL login is "auser"? (which is what I've told gmail
> to use to login)

I don't know what it is, the logs will tell the true story.  Please post
both the "client=" and the "reject:" log entries for one of the failed
attempts from Gmail to use your server as an outbound relay.

> > No, the issue is the content of your sender login table.
>
> My current guess is that the virtual or senderlogin files are wrong
> and that's my problem...

The actual problem was stated above, I'm puzzled why you're still
"guessing"...

> Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
> # senderlogin
> au...@domain.name auser
> au...@machine.domain.name auser

The reject message in your original post was:

    Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE: reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1 <au...@domain.name>: Sender address rejected: not owned by user auser; from=<au...@domain.name> to=<anotheru...@anotherdomain.name> proto=ESMTP helo=<mail-oo1-f41.google.com>

Which means that the lookup key "au...@domain.name" does not in fact map
to "auser" in the indexed (hash table) file:

    smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

You can examine the hash table with:

    postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

> And here's /etc/virtual (again, my best guess of what it should be)

Irrelevant to the reported problem.

> > If you post also the "client=" log entry for the transaction of
> > interest, the "postconf -Mf" output and the content of the sender login
> > table, more help will be possible.
>
> I don't see "client=" anywhere in the logs... but here's the "postconf
> -Mf" after making the changes you suggested above:

Well, it has to be there, unless your syslog configuration filters it out.
Here's an example (long line folded) from my system:

    Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]: 00D8B893CE0:
      client=<censored>, sasl_method=<censored>, sasl_username=<censored>

> submission inet n - n - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_wrappermode=no
> -o smtpd_tls_security_level=may
> -o smtpd_sasl_auth_enable=yes
> -o
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> -o smtpd_sasl_type=dovecot
> -o smtpd_sasl_path=private/auth
> -o smtpd_sasl_security_options=noanonymous
> -o smtpd_sasl_local_domain=$myhostname
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_sender_login_maps=hash:/etc/virtual
> -o smtpd_sender_restrictions=reject_sender_login_mismatch

This is where you're requiring the envelope sender address to match the
expected login, and have for no particular reason included:

> -o smtpd_sender_login_maps=hash:/etc/virtual

Which explains the source of the problem.  Just remove that erroneous
setting.  The virtual(5) alias table is not your sender -> sasl login
table.

You should also remove the "smtpd_sasl_auth_enable = yes" from
"mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
in main.cf set:

    smtpd_tls_auth_only = yes

Also in the above submission service set:

    smtpd_tls_security_level=encrypt

(not "may").

-- 
    Viktor.
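An added example, not part of the message above and not Postfix code: a Python sketch that takes a "not owned by user" reject line and checks the logged sender and login against the source text of a candidate sender login table, showing why a virtual(5) alias table cannot serve as one. The addresses, host names and table contents are constructed placeholders, and the lookup is an exact full-address match only, a simplification of the lookup forms Postfix tries.

```python
import re

# Constructed sample data: addresses, hosts and table contents are placeholders,
# not taken from the thread.
SENDERLOGIN = """\
# envelope sender -> SASL login(s)
alice@example.com        alice
alice@host.example.com   alice
"""
VIRTUAL = """\
# virtual(5) alias table: recipient address -> delivery address(es)
alice@example.com        alice@mailstore.example.net
"""
LOG = ("Mar  8 20:41:08 mx postfix/submission/smtpd[28831]: NOQUEUE: reject: "
       "RCPT from relay.example.org[192.0.2.41]: 553 5.7.1 <alice@example.com>: "
       "Sender address rejected: not owned by user alice; "
       "from=<alice@example.com> to=<bob@example.net> proto=ESMTP")

REJECT = re.compile(r"<(?P<sender>[^>]*)>: Sender address rejected: "
                    r"not owned by user (?P<login>[^;]+);")

def parse_map(text):
    """Parse postmap-style source text ('key value' lines, '#' comments).
    Continuation lines are not handled in this sketch."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        # The right-hand side lists owners separated by commas and/or whitespace.
        table[parts[0].lower()] = [v for v in re.split(r"[,\s]+", parts[1]) if v]
    return table

def explain(log_line, table):
    """Report whether the logged SASL login owns the logged sender in this table."""
    m = REJECT.search(log_line)
    if not m:
        return "not a sender-login reject"
    sender, login = m["sender"].lower(), m["login"].strip()
    owners = table.get(sender)
    if owners is None:
        return f"no entry for {sender}"
    if login in owners:
        return f"{login} owns {sender}"
    return f"{sender} maps to {', '.join(owners)}, not {login}"

if __name__ == "__main__":
    for name, src in (("senderlogin", SENDERLOGIN), ("virtual", VIRTUAL)):
        print(f"{name}: {explain(LOG, parse_map(src))}")
```

The authoritative check remains `postmap -q` against the table that `postconf -Mf` shows the submission service actually using.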