On Sat, Sep 09, 2023 at 07:37:13PM +0200, François Patte via Postfix-users wrote:
> > > As my postfix install is configured, I get only (in mail-log):
> > >
> > > Sep 9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
> > > from=<r...@myserver.fqdn>, size=484, nrcpt=1 (queue active)
> > > Sep 9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
> > > to=<francois.pa...@gmx.fr>, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
> > > delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
> > > my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
> > > MAIL FROM command))
> >
> > https://www.postfix.org/DEBUG_README.html#mail

It looks like you "tampered" with the logs. They don't match your
reported configuration below.

> postconf -n
> relayhost = [myfai.fqdn]:465

This is not equal to "my-fai-smtp".

> smtp_tls_wrappermode = yes

Good, needed for transmission via port 465.

> smtp_enforce_tls = yes
> smtp_use_tls = yes

These are obsolete and redundant.

> smtp_tls_security_level = encrypt

If the relay has a valid certificate, make that "secure".

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_CApath = /etc/pki/tls/certs

Otherwise, no need to bother with CAfile / CApath. You should also have
"smtp_tls_loglevel = 1".

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_tls_verify_cert_match = myhost.fqdn

More needless tampering with the configuration. The real setting is
surely not secret, and should be equal to what you expect to find in the
relayhost's certificate. And this is only needed if the security level
is "verify", but it is currently "encrypt" (should be "secure", with the
corresponding "cert_match" set if need be).

> smtpd_sasl_auth_enable = yes

You probably don't want this.

> smtpd_tls_security_level = encrypt

Nor this, except on the submission services in master.cf.

> > https://www.postfix.org/SASL_README.html#client_sasl
>
> My main.cf has the same values for the smtp_xxx listed on the page;
> other values are the default ones given by the postfix package.

You're obfuscating the essential hostnames, making help needlessly
difficult.

Did you read the text in SASL_README that explains the lookup key syntax
for the password table, when using "[]" and/or ":port" in the relay
name? You probably have the wrong lookup key syntax.

--
    Viktor.
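
Added example (not part of the message above, and not code from Postfix): a small Python check for the lookup-key problem raised at the end of the reply. It assumes the password table is keyed by next-hop destination and that the key must repeat the relayhost value exactly, including "[]" and ":port", as SASL_README describes; the host names, credentials and function names are constructed placeholders.

```python
import re

# Constructed sample input: placeholder relay name and credentials.
RELAYHOST = "[relay.example.net]:465"          # value of relayhost in main.cf
SASL_PASSWD = """\
# destination            username:password
relay.example.net        user@example.net:placeholder
[other.example.org]:587  someone:placeholder
"""

def parse_table(text):
    """Return the lookup keys of a Postfix table source, lower-cased
    (postmap folds keys to lower case by default)."""
    keys = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            keys.append(fields[0].lower())
    return keys

def split_nexthop(nexthop):
    """Split 'host', '[host]', 'host:port' or '[host]:port' into
    (host, bracketed, port); raise ValueError for anything else."""
    m = re.fullmatch(r"(\[)?([^\[\]:]+)(?(1)\])(?::(\w+))?", nexthop)
    if not m:
        raise ValueError(nexthop)
    return m.group(2), bool(m.group(1)), m.group(3)

def diagnose(relayhost, passwd_text):
    """Return ('match' | 'mismatch' | 'missing', near_misses), where each
    near miss is (key, [what differs from relayhost])."""
    want = relayhost.strip().lower()
    keys = parse_table(passwd_text)
    if want in keys:
        return "match", []
    host, bracketed, port = split_nexthop(want)
    near = []
    for key in keys:
        try:
            k_host, k_bracketed, k_port = split_nexthop(key)
        except ValueError:
            continue                      # not a destination-style key
        if k_host == host:
            diffs = ["brackets"] * (k_bracketed != bracketed)
            diffs += ["port"] * (k_port != port)
            near.append((key, diffs))
    return ("mismatch" if near else "missing"), near

if __name__ == "__main__":
    print(diagnose(RELAYHOST, SASL_PASSWD))
```

A "mismatch" result names the table key that has to be rewritten to the exact relayhost string; after editing, the hash table must be rebuilt with postmap.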