On Fri, Jan 08, 2010 at 10:23:38AM -0500, Wietse Venema wrote:
> /dev/rob0:
> > On Fri, Jan 08, 2010 at 08:37:16AM -0500, Shaun T. Erickson wrote:
> > > Yes, this is what is shown in the SASL Howto and how I have had
> > > my server's submission port configured in the past.
> > > 
> > > However, in the 2.6.2 postfix distribution I'm trying to 
> > > configure now, the default definition of the submission port 
> > > uses the same restrictions, but it applies them to the 
> > > smtpd_CLIENT_restrictions parameter, NOT the 
> > > smtpd_RECIPIENT_restrictions parameter. I'm trying to 
> > > understand if that is just a typo in master.cf or if the change 
> > > is legit and, if so, why.
> > 
> > Here's the example to which you refer:
> >     #submission inet n       -       n       -       -       smtpd
> >     #  -o smtpd_tls_security_level=encrypt
> >     #  -o smtpd_sasl_auth_enable=yes
> >     #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > 
> > If you have already configured your smtpd_recipient_restrictions in
> > main.cf to allow SASL AUTH, this example does indeed work. It's
> > probably not a typo, but I agree, it can be confusing. Why do this
> > with smtpd_client_restrictions, and yet assume that you didn't have
> > smtpd_sasl_auth_enable=yes in main.cf already?
> 
> The purpose of the submission service is to accept mail only from
> authenticated clients.

This, I understand.

>  The above submission entry implements this
> particular requirement without depending on main.cf settings.

This, I do not.

$ /usr/sbin/postconf -dh smtpd_recipient_restrictions
permit_mynetworks, reject_unauth_destination

If a client from outside $mynetworks attempts to relay to external
addresses, and AUTH succeeds, it passes smtpd_client_restrictions.
But in smtpd_recipient_restrictions it gets "Relay access denied".
It would work if either the client is in $mynetworks, or if the
main.cf setting of smtpd_recipient_restrictions has had
permit_sasl_authenticated added as per SASL_README.

> This is done for robustness reasons.

I think, as the OP noted, that the example is confusing, and should
be changed as follows:
    #submission inet n       -       n       -       -       smtpd
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
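The disagreement above is about how Postfix combines the per-service `-o` overrides in master.cf with the lists still in force from main.cf. The following is an added illustration, not code from this thread or from Postfix: a deliberately simplified model of restriction-list evaluation that covers only the restrictions named in the thread (`permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination`, `permit`, `reject`), walks each list left to right, and treats a RCPT as accepted only when every list permits it (the `smtpd_delay_reject=yes` default evaluates client restrictions at RCPT time too). The session dictionaries are constructed inputs; the three `scenario_*` functions are my names for the three configurations discussed.

```python
"""Simplified model of Postfix smtpd restriction-list evaluation.

Constructed example, not Postfix code.  Each list is walked left to right;
the first restriction returning PERMIT or REJECT decides that list, an
exhausted list counts as permit, and a message is accepted only if every
list permits it.  Only the restrictions mentioned in the thread are modelled.
"""

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


def evaluate_restriction(name, session):
    """Return PERMIT, REJECT or DUNNO for one restriction (thread subset only)."""
    if name == "permit_mynetworks":
        return PERMIT if session["in_mynetworks"] else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if session["sasl_authenticated"] else DUNNO
    if name == "reject_unauth_destination":
        # Relaying to a destination Postfix is not responsible for is denied,
        # regardless of whether the client authenticated.
        return DUNNO if session["recipient_is_local"] else REJECT
    if name == "reject":
        return REJECT
    if name == "permit":
        return PERMIT
    raise ValueError(f"restriction not covered by this model: {name}")


def evaluate_list(restrictions, session):
    """First non-DUNNO result wins; an exhausted list is treated as permit."""
    for name in restrictions:
        result = evaluate_restriction(name, session)
        if result != DUNNO:
            return result
    return PERMIT


def rcpt_decision(client_restrictions, recipient_restrictions, session):
    """A RCPT TO is accepted only if both lists permit it (smtpd_delay_reject=yes)."""
    for restrictions in (client_restrictions, recipient_restrictions):
        if evaluate_list(restrictions, session) == REJECT:
            return REJECT
    return PERMIT


def parse_restrictions(value):
    """Split a main.cf / master.cf restriction value (commas and/or whitespace)."""
    return [tok for tok in value.replace(",", " ").split() if tok]


# Built-in default quoted in the thread (postconf -dh smtpd_recipient_restrictions).
DEFAULT_RECIPIENT = parse_restrictions("permit_mynetworks, reject_unauth_destination")
# master.cf example under discussion: overrides smtpd_client_restrictions only.
EXAMPLE_CLIENT = parse_restrictions("permit_sasl_authenticated,reject")
# Proposed replacement: overrides smtpd_recipient_restrictions instead.
PROPOSED_RECIPIENT = parse_restrictions("permit_sasl_authenticated,reject")

# Constructed sessions: a client outside $mynetworks relaying to an external domain.
ROAMING_AUTH = dict(in_mynetworks=False, sasl_authenticated=True, recipient_is_local=False)
ROAMING_NOAUTH = dict(in_mynetworks=False, sasl_authenticated=False, recipient_is_local=False)


def scenario_example_entry(session):
    """master.cf example as shipped; main.cf recipient restrictions at default."""
    return rcpt_decision(EXAMPLE_CLIENT, DEFAULT_RECIPIENT, session)


def scenario_example_entry_with_sasl_readme(session):
    """Same master.cf entry, main.cf amended as SASL_README describes."""
    recipient = parse_restrictions(
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination")
    return rcpt_decision(EXAMPLE_CLIENT, recipient, session)


def scenario_proposed_entry(session):
    """Proposed entry: recipient list overridden, client list left at its empty default."""
    return rcpt_decision([], PROPOSED_RECIPIENT, session)


if __name__ == "__main__":
    for label, fn in (("example entry", scenario_example_entry),
                      ("example entry + SASL_README", scenario_example_entry_with_sasl_readme),
                      ("proposed entry", scenario_proposed_entry)):
        print(f"{label:30} authenticated={fn(ROAMING_AUTH):7} unauthenticated={fn(ROAMING_NOAUTH)}")
```

Run stand-alone it shows the three outcomes argued in the thread: the shipped entry rejects the authenticated roaming client at the recipient stage unless main.cf already carries `permit_sasl_authenticated`, while the proposed entry permits it and still rejects an unauthenticated client on its own. Note that Postfix 2.10 and later also evaluate `smtpd_relay_restrictions` at RCPT time, which this 2010-era model leaves out.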
