On 5/9/2011 9:40 PM, Alex wrote:
Hi,
I have a fedora14 system configured to use dovecot sasl, and having
some difficulties with smtpd_sender_login_maps. The docs say it's
optional, but without a proper mapping, mail is rejected with "Sender
address rejected: not owned by user alex". Is this configuration
indeed optional? I'd like to exclude this extra step so another level
of authentication isn't necessary.

You've specified "reject_sender_login_mismatch" in your smtpd_recipient_restrictions. When you specify that, you MUST also specify smtpd_sender_login_maps.

So if you don't want to check the login maps, remove the reject_sender_login_mismatch from your config.


postfinger - postfix configuration on Mon May  9 22:35:58 EDT 2011
version: 1.30

--System Parameters--
mail_version = 2.7.3
hostname = mail.mydomain.net
uname = Linux mail.mydomain.net 2.6.35.12-90.fc14.x86_64 #1 SMP Fri
Apr 22 16:01:29 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.7.3-1.fc14.x86_64

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
always_bcc = emailcomp

If you need always_bcc, best to specify a fully-qualified email address. [email protected]


biff = no
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 2000000000
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain,       mydomain.net, 
mydomain1.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.XXX.YYY.40/29, 71.XXX.YYY.91/32
readme_directory = /usr/share/doc/postfix-2.7.3/README_FILES
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

I wonder why you have this defined. Doesn't look as if you are using it.

relay_domains = $mydestination, $transport_maps, mydomain.net, mydomain1.com

Make sure that relay_domains only contains domains that postfix accepts mail for, but passes to another system for delivery. Mail delivered on "this" box should be listed in mydestination only.
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html

sample_directory = /usr/share/doc/postfix-2.7.3/samples
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender, reject_unlisted_recipient, permit_mynetworks,
reject_sender_login_mismatch, permit_sasl_authenticated,

There's that pesky reject_sender_login_mismatch. Sounds as if you should remove it.

reject_unauth_destination, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_invalid_helo_hostname,

Note that reject_unknown_recipient_domain is not effective here. You should probably remove it.

check_client_access hash:/etc/postfix/client_access,
check_sender_access hash:/etc/postfix/sender_checks,
check_recipient_access pcre:/etc/postfix/relay_recips_access,
reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,       reject_sender_login_mismatch, permit

These are all duplicated in smtpd_recipient_restrictions. Looks as if you can remove them from here.

smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_CAfile = /etc/pki/tls/cacert.pem
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- end of postfinger output --



  -- Noel Jones
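
The three configuration points raised in this reply (a `*_sender_login_mismatch` restriction used without `smtpd_sender_login_maps`, restrictions repeated in both the sender and recipient lists, and domains present in both `mydestination` and `relay_domains`) can be checked mechanically. The script below is an added example, not part of the original message or of Postfix; the sample configuration is constructed and the finding labels are hypothetical names.

```python
import re

# Constructed sample in `postconf -n` style; continuation lines are indented.
SAMPLE = """\
mydestination = $myhostname, localhost.$mydomain, example.net
relay_domains = $mydestination, example.net, example.org
smtpd_recipient_restrictions = reject_non_fqdn_sender, permit_mynetworks,
    reject_sender_login_mismatch, permit_sasl_authenticated,
    reject_unauth_destination, reject_unknown_sender_domain
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_sender_login_mismatch, permit
"""

def parse(text):
    """Return {parameter: [tokens]}, splitting values on commas and whitespace."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:      # continuation of the previous parameter
            value = line
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = []
        params[name] += [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return params

def audit(params):
    """Return (label, details) findings; the labels are hypothetical names."""
    findings = []
    lists = [p for p in params if p.startswith("smtpd_") and p.endswith("_restrictions")]
    users = [p for p in lists if any(t.endswith("sender_login_mismatch") for t in params[p])]
    if users and not params.get("smtpd_sender_login_maps"):
        findings.append(("login_maps_missing", users))
    rcpt = params.get("smtpd_recipient_restrictions", [])
    dup = [t for t in params.get("smtpd_sender_restrictions", []) if t in rcpt]
    if dup:
        findings.append(("duplicated_in_recipient_restrictions", dup))
    dest = set(params.get("mydestination", []))
    both = [d for d in params.get("relay_domains", []) if d == "$mydestination" or d in dest]
    if both:
        findings.append(("in_mydestination_and_relay_domains", both))
    return findings

if __name__ == "__main__":
    for label, details in audit(parse(SAMPLE)):
        print(label, details)
```

Feeding it the real output of `postconf -n` instead of `SAMPLE` applies the same checks to a live configuration.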
