Dear,

I would like to use the submission port to authenticate users from the Internet, allowing them to the Postfix smtpd server.
For testing purposes, I have set up a network different from the LAN to be sure that Postfix allows SASL connections, but it seems that Postfix did not want to test the authentication method and passes its rules through subnet rules to finally refuse the connection with a "Client host rejected: Access denied".

We can see that there is a request to saslauthd, "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)", but I did not really understand what it means.

I'm using saslauthd through LDAP to perform credentials checking, and Postfix 2.8.0.

Where am I wrong?

When using testsaslauthd
----------------------------------------------------------------------
testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
0: OK "Success."

Content of /etc/postfix/sasl/smtpd.conf
----------------------------------------------------------------------
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
log_level: 5

master.cf
----------------------------------------------------------------------
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtp_generic_maps=
  -o sender_canonical_maps=

Here is a piece of the debug logs:
----------------------------------------------------------------------
Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: start interval Mar 6 13:45:02
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: address lookup hits=5 miss=2 success=71%
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: max simultaneous domains=0 addresses=1 connection=2
Mar 6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the Postfix mail system
Mar 6 13:48:40 bigfiles postfix/master[2548]: terminating on signal 15
Mar 6 13:48:40 bigfiles postfix/postfix-script[22571]: starting the Postfix mail system
Mar 6 13:48:40 bigfiles postfix/master[22572]: daemon started -- version 2.8.0, configuration /etc/postfix
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local: configured 3 IPv4 addresses
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3 (3)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? permit_mx_backup_networks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? qmqpd_authorized_clients
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? relay_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/relay_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/canonical
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/virtual
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? relay_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? smtpd_access_maps
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/postfix_allowed_connections
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/disallow_my_domain
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unknown_helo_hostname_tempfail_action = defer_if_permit
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unknown_address_tempfail_action = defer_if_permit
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unverified_recipient_tempfail_action = defer_if_permit
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unverified_sender_tempfail_action = defer_if_permit
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: xsasl_cyrus_server_init: SASL config file is smtpd.conf
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_create: transport=local endpoint=private/tlsmgr
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_open: connected to private/tlsmgr
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr request = seed
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr size = 32
Mar 6 13:48:54 bigfiles postfix/tlsmgr[22709]: warning: request to update table btree:/var/spool/postfix/smtpd_tls_cache in non-postfix directory /var/spool/postfix
Mar 6 13:48:54 bigfiles postfix/tlsmgr[22709]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: status
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: status
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: seed
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: seed
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 8yQIuFPQO1SlOgwW34spjBxOQUBIKQviClxqsPk3HoQ=
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: (list terminator)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: (end)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: CVE-2010-4180
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr request = policy
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr cache_type = smtpd
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: status
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: status
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: cachable
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: cachable
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 1
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: (list terminator)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: (end)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: fast_flush_domains ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: fast_flush_domains ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/mydestination
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_create: transport=local endpoint=private/anvil
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connection established
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: master_notify: status 0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: resource
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: software
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connect from unknown[192.168.1.211]
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: unknown: no match
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: 192.168.1.211: no match
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: unknown: no match
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: 192.168.1.211: no match
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_hostname: unknown ~? 192.168.1.0/24
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_hostaddr: 192.168.1.211 ~? 192.168.1.0/24
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: >>> START Client host RESTRICTIONS <<<
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated status=0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=reject
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: NOQUEUE: reject: CONNECT from unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied; proto=SMTP
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=reject status=2
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: > unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)

Best regards
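
A log check for the symptom in the message above, added here as an example and not part of the original post: it flags rejections that follow a `permit_sasl_authenticated status=0` result and reports whether they were logged at the CONNECT stage, where no AUTH command can have been read yet. Postfix evaluates client restrictions that early when `smtpd_delay_reject` is `no`; that setting is not shown in the post and is an assumption, and the sample log lines and the `diagnose` helper are constructed for illustration.

```python
import re

# Constructed sample in the shape of the debug log above (not real traffic).
SAMPLE = """\
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connect from unknown[192.168.1.211]
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated status=0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: NOQUEUE: reject: CONNECT from unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied; proto=SMTP
Mar 6 13:49:10 bigfiles postfix/smtpd[22801]: connect from unknown[192.168.1.212]
Mar 6 13:49:12 bigfiles postfix/smtpd[22801]: generic_checks: name=permit_sasl_authenticated status=0
Mar 6 13:49:12 bigfiles postfix/smtpd[22801]: NOQUEUE: reject: RCPT from unknown[192.168.1.212]: 554 5.7.1 <unknown[192.168.1.212]>: Client host rejected: Access denied; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<client.example.com>
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHECK = re.compile(r"generic_checks: name=(?P<name>\S+) status=(?P<status>\d+)")
REJECT = re.compile(r"NOQUEUE: reject: (?P<stage>[A-Z]+) from (?P<client>\S+?): \d{3} ")


def diagnose(log_text):
    """Return one finding per reject that followed an unmatched permit_sasl_authenticated."""
    sasl_unmatched = set()  # smtpd pids whose current session logged status=0
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            sasl_unmatched.discard(pid)  # new session on a reused smtpd process
            continue
        c = CHECK.match(msg)
        if c and c["name"] == "permit_sasl_authenticated" and c["status"] == "0":
            sasl_unmatched.add(pid)
            continue
        r = REJECT.match(msg)
        if r and pid in sasl_unmatched:
            findings.append({
                "pid": pid,
                "client": r["client"],
                "stage": r["stage"],
                # At CONNECT no SMTP command has been read, so AUTH cannot have run.
                "before_auth_possible": r["stage"] == "CONNECT",
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A CONNECT-stage finding points at when the restriction list was evaluated rather than at saslauthd, which is consistent with `testsaslauthd` returning `0: OK "Success."` in the post.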