--- In [email protected], Victor Duchovni <victor.ducho...@...> wrote:
>
> On Wed, Jan 14, 2009 at 11:15:54PM -0000, jeff_homeip wrote:
>
> > I think I've misunderstood this again. here's the behavior I observed:
> >
> > I added -o
> > smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
> > my master.cf smtp service entry (receiving mail on port 25).
> >
> > It then rejected all mail. Each message was rejected because the sender was
> > not authenticated.
>
> You should not really expect us to help you with this with no log entries,
> associated postconf -n, and actual master.cf entries.
I'm always happy to provide whatever might be helpful, and yet always conscious
of excessively long messages. I generally don't post postconf -n in its entirety
for that and disclosure reasons (yes, I'm paranoid). But I try to give the
relevant entries and anything else you think will help.
>
>
> > The behavior I was seeking was that it would reject messages where
> > the MAIL FROM is one of the addresses that validly authenticates.
>
> The reject_unauthenticated_sender_login_mismatch feature only rejects
> addresses listed in the smtpd_sender_login_maps table:
>
>     /*
>      * Reject if the client is not logged in and the sender address has an
>      * owner.
>      */
>     if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
>         reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache,
>                                                       sender);
>         if (reply->flags & RESOLVE_FLAG_FAIL)
>             reject_dict_retry(state, sender);
>         if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
>                                  STR(reply->recipient), (char **) 0) != 0)
>             return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
>                        "<%s>: Sender address rejected: not logged in", sender));
>     }
>
> So either your report is incomplete/inaccurate, or you have managed to
> list all the senders you tested in smtpd_sender_login_maps (difficult
> with indexed files, easier with regexp tables and SQL lookups).
>
> > Given that reject_unauthenticated_sender_login_mismatch does not
> > produce this behavior, [ ... ]
>
> With false premises you can reach any conclusion.
I am quite certain that my premises are not false. I tested it with senders who
I know for a fact ARE listed in the smtpd_sender_login_maps both as
authenticated (they were accepted) and from another client that did not
authenticate (they were properly rejected).
Then I waited for someone else to send mail to one of my users. Here is the log
entry that was produced:
Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 <[email protected]>: Sender address rejected: not logged in; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mail37.messagelabs.com>
only altered to avoid posting one of my users' e-mail addresses and otherwise
as logged.
The address logged as "from=<..." is not in my smtpd_sender_login_maps (I
looked again to be sure) and is not a user or sender on my server at all.
The master.cf entry is:
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch
that is the only line I used.
I would expect the above-mentioned mail to be permitted, and in other cases I
have had no problems.
Immediately after seeing this in the logs, I removed the "-o
smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch" from my
master.cf entry, and since then no mail has been rejected with a reason of not
logged in.
I don't know how else to interpret this behavior, other than to conclude that
adding that line to my master.cf caused the mail to be rejected, which is not
what I expected.
Knowing that I cannot determine, apparently, what will be helpful in diagnosing
this behavior or suggesting ways I can achieve the desired behavior, I am
posting below my complete postconf -n (some addresses and sensitive items
edited out as noted, but otherwise unaltered).
I am hoping that you or someone will either identify what I've done wrong or
help me find a way to achieve the desired behavior.
If there is any additional information I have not provided here that would be
helpful in doing one of these two, please ask - I will provide as much as I am
able.
Thank you for your help.
--Jeff
postconf -n:
alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = <address hidden>
mail_owner = <postfix user>
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = mysql:/etc/postfix/mysql_mydestination_maps.cf
mydomain = jweinberger.homeip.net
myhostname = jweinberger.homeip.net
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, mysql:/etc/postfix/mysql_relay_domain_maps.cf
relay_recipient_maps =
relayhost = <my relay host>
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = <group name>
smtp_generic_maps = mysql:/etc/postfix/mysql_smtp_generic_maps.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /<path/to>/cacert.pem
smtp_tls_cert_file = /<path/to>/postfix-cert.pem
smtp_tls_key_file = /<path/to>/postfix-key.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, check_policy_service inet:127.0.0.1:2501, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre
smtpd_tls_CAfile = /<path/to>/cacert.pem
smtpd_tls_cert_file = /<path/to>/postfix-cert.pem
smtpd_tls_key_file = /<path/to>/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql_peraddress_transport_maps.cf, mysql:/etc/postfix/mysql_virtual_transport_maps.cf
unknown_local_recipient_reject_code = 550
verp_delimiter_filter = -=+
virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 102
virtual_uid_maps = static:102
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>