On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:
On 6 mrt 2011, at 15:08, David Touzeau wrote:
but it seems that postfix did not want to test the authentication
method and pass its rules through subnet rules to finally refuse the
connection with a "Client host rejected: Access denied"
[snip]
smtpd_delay_reject = no
http://www.postfix.org/postconf.5.html#smtpd_delay_reject
Here, most likely. Ran into something very similar last week, and this was the
cause.
Yes.
I suspect that if you were to increase logging detail, you'd find that
'permit_sasl_authenticated' evaluates to zero during the client restrictions
stage because of a delay in getting back an answer from whatever SASL backend
you have in use. Postfix evaluates the rest of the client restrictions, and
denies you access.
No. The SASL authentication happens after CONNECT and HELO,
before MAIL FROM. With "smtpd_delay_reject = no", and
"smtpd_client_restrictions = permit_sasl_authenticated,
reject" you're checking for sasl authentication before the
authentication ever has a chance to take place.
This has nothing to do with what you're using for a sasl
backend, because the backend is never consulted.
Just another good reason to not muck with the defaults.
-- Noel Jones
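
The ordering described in the reply above, as a small added model (not Postfix code and not part of the original message). The stage list, function names and the "dunno" result are illustrative assumptions, and only the two restrictions quoted in the thread are modelled.

```python
# Simplified model (an assumption, not Postfix source) of when smtpd evaluates
# smtpd_client_restrictions relative to SASL AUTH in one SMTP session.
SESSION = ["CONNECT", "EHLO", "AUTH", "MAIL FROM", "RCPT TO"]  # constructed

def client_check_stage(delay_reject):
    # smtpd_delay_reject = yes (the default) defers client restrictions
    # until RCPT TO; "no" evaluates them as soon as the client connects.
    return "RCPT TO" if delay_reject else "CONNECT"

def evaluate(restrictions, authenticated):
    # First restriction that returns a decision wins, as in a Postfix list.
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            if authenticated:
                return "permit"
        elif name == "reject":
            return "reject"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "dunno"  # no decision from this list

def run_session(delay_reject, restrictions, auth_succeeds=True):
    check_at = client_check_stage(delay_reject)
    authenticated = auth_attempted = False
    for stage in SESSION:
        if stage == "AUTH":
            auth_attempted = True          # only now is the SASL backend asked
            authenticated = auth_succeeds
        if stage == check_at:
            verdict = evaluate(restrictions, authenticated)
            if verdict == "reject":
                return {"accepted": False, "rejected_at": stage,
                        "auth_attempted": auth_attempted}
    return {"accepted": True, "rejected_at": None,
            "auth_attempted": auth_attempted}

RULES = ["permit_sasl_authenticated", "reject"]  # from the thread

if __name__ == "__main__":
    for delay in (False, True):
        print("smtpd_delay_reject =", "yes" if delay else "no",
              "->", run_session(delay, RULES))
```

With the deferred check, a client whose AUTH fails is still rejected, but only at RCPT TO, after the backend has actually been asked.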