Re: SMTP authentication for outgoing emails from Windows-based devices

[li...@rhsoft.net]

Am 06.01.2014 19:17, schrieb Eric Cunningham:
> Hi, I've encountered a problem with Windows-based devices, such as Windows 
> Phones, being unable to send mail
> through postfix.  The problem and resolution are described at
> http://answers.microsoft.com/en-us/winphone/forum/wp8-wpemail/smtp-authentication-for-outgoing-emails-via-a/2132a705-e1d0-401d-9883-f22f7ed2cb6a
> 
> However, if I add LOGIN to mech_list in /etc/postfix/sasl/smtpd.conf to 
> address that problem, our SMTP server
> becomes an open relay.  Does anyone have any idea what might be causing this 
> and what the fix is to allow Windows
> devices to send mail while not opening a mail relay?

for sure not, if than it is a pen releay long before and this is most likely
because your heavy usage of "smtpd_recipient_restrictions" and "check_*_access"
is in general very dangerous if you are not 100% sure what you are doing

additionally you are working with "relay_domains"

however, the auth-mech is *for sure* not the root cause
BTW - consider http://www.postfix.org/SASL_README.html#server_dovecot

> /etc/postfix/sasl/smtpd.conf:
> 
> pwcheck_method: saslauthd
> mech_list: PLAIN
> log_level: 0
> 
> 
> postconf -n
> 
> address_verify_poll_count = ${stress?1}${stress:3}
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, ldap:ldap
> anvil_rate_time_unit = 60s
> append_dot_mydomain = yes
> body_checks = pcre:/etc/postfix/access/body_access
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> default_process_limit = 250
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] 
> blocked using $rbl_domain${rbl_reason?;
> $rbl_reason}. Contact <postmas...@whoi.edu> if this is in error.
> header_checks = pcre:/etc/postfix/access/header_access
> html_directory = /usr/share/doc/postfix/html
> mailbox_size_limit = 0
> message_size_limit = 104857600
> mime_header_checks = pcre:/etc/postfix/access/mime_header_checks
> mydestination = $myhostname, $mydomain, postal2.$mydomain, outbox.$mydomain,  
>    mail.$mydomain,
> localhost.$mydomain, localhost.localdomain, localhost,    
> beachcomberscompanion.org, whoi.net,    cinar.org,   
> bco-dmo.org,    bcodmo.org,    oceanopportunities.org
> myhostname = postal2.whoi.edu
> mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
> myorigin = $mydomain
> parent_domain_matches_subdomains =
> permit_mx_backup_networks = $mynetworks
> rbl_reply_maps = hash:/etc/postfix/access/dnsbl_replies
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/mx_host_relays,    oceanus.whoi.edu, 
> atlantis.whoi.edu    knorr.whoi.edu,   
> tioga.whoi.edu,    bosun.whoi.edu, striker.whoi.edu,    striker2.whoi.edu,    
> sssg1.whoi.edu,    wbc.whoi.edu
> relayhost =
> relocated_maps = hash:/etc/postfix/relocated
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_client_connection_rate_limit = 60
> smtpd_client_message_rate_limit = 250
> smtpd_client_new_tls_session_rate_limit = 60
> smtpd_client_recipient_rate_limit = 300
> smtpd_client_restrictions = check_client_access 
> hash:/etc/postfix/access/connect_client_access
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 5s
> smtpd_etrn_restrictions = permit_mynetworks, reject
> smtpd_hard_error_limit = ${stress?1}${stress:20}
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,        check_helo_access 
> pcre:/etc/postfix/access/final_helo_access
> smtpd_junk_command_limit = ${stress?1}${stress:100}
> smtpd_recipient_restrictions = reject_unauth_pipelining, 
> reject_non_fqdn_recipient,        check_sender_access
> pcre:/etc/postfix/access/final_sender_access, 
> reject_unknown_recipient_domain,    permit_sasl_authenticated,
> permit_mynetworks,    reject_unauth_destination, 
> reject_unknown_sender_domain,        check_recipient_access
> pcre:/etc/postfix/access/final_recipient_access, check_client_access 
> hash:/etc/postfix/access/final_client_access,
>  check_helo_access pcre:/etc/postfix/access/suspect_helo, reject_rbl_client 
> b.barracudacentral.org,   
> reject_rbl_client zen.spamhaus.org,        reject_rbl_client 
> autospam.whoi.edu, reject_rhsbl_sender
> dsn.rfc-ignorant.org,        reject_rbl_client dnsbl.ahbl.org,        
> reject_rbl_client http.dnsbl.sorbs.net,
> reject_rbl_client socks.dnsbl.sorbs.net,        reject_rbl_client 
> misc.dnsbl.sorbs.net,        reject_rbl_client
> web.dnsbl.sorbs.net,    reject_rbl_client dul.dnsbl.sorbs.net,        
> reject_rbl_client bl.
>  spamcop.net,    reject_rbl_client cbl.abuseat.org, reject_rbl_client 
> dyna.spamrats.com,        reject_rbl_client
> noptr.spamrats.com,        reject_rbl_client virbl.dnsbl.bit.nl, 
> reject_rbl_client ix.dnsbl.manitu.net,   
> reject_rbl_client backscatter.spameatingmonkey.net,    reject_rbl_client 
> bl.spameatingmonkey.net,   
> reject_rhsbl_sender fresh.spameatingmonkey.net,    reject_rhsbl_client 
> fresh.spameatingmonkey.net,   
> reject_rhsbl_sender uribl.spameatingmonkey.net,    reject_rhsbl_client 
> uribl.spameatingmonkey.net,   
> reject_rhsbl_sender urired.spameatingmonkey.net,    reject_rhsbl_client 
> urired.spameatingmonkey.net,    
> check_sender_access hash:/etc/postfix/access/check_backscatterer,    
> check_policy_service
> inet:127.0.0.1:10023,        permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated,    permit_mynetworks
> smtpd_soft_error_limit = 10
> smtpd_starttls_timeout = ${stress?10}${stress:300}s
> smtpd_timeout = ${stress?10}${stress:300}s
> smtpd_tls_CAfile = /etc/postfix/tls/whoi-inCommon-interim.cer
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/tls/whoi-inCommon-certificate.cer
> smtpd_tls_key_file = /etc/postfix/tls/whoi-inCommon-private.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps
> virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap