On Mon, Jan 17, 2022 at 10:04:13PM -0500, Joe Acquisto-j4 <j...@j4computers.com> wrote:

> > On 2022-01-17 at 20:09:55 UTC-0500 (Mon, 17 Jan 2022 20:09:55 -0500)
> > Joe Acquisto-j4 <j...@j4computers.com>
> > is rumored to have said:
> > 
> > 
> >> Sorry for the garbled message.  Looking for the config files, etc that 
> >> are normally requested.
> > 
> > 
> > The non-default main.cf settings, formatted for human eyes:
> > postconf -nf
> > 
> > The master.cf settings, formatted for human eyes:
> > postconf -Mf
> > 
> > 
> > 
> > 
> > -- 
> > Bill Cole
> > b...@scconsult.com or billc...@apache.org 
> > (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> > Not Currently Available For Hire
> 
> OK, here goes -  
> 
> Using version 3.4.7 packaged by Suse.  I use "fetchmail" to retrieve email 
> via imap one of which is gmail.  The fetched mail is all sent to a local "off 
> box" machine, via postfix, spamassassin and clamav, all on the same server.  
> The off box machine, let's call it "fubar", runs a rather dated groupware 
> product I used to support.  
> 
> I send mail to one upstream provider. They require authentication. Seem to 
> have successfully set up per-user SASL authentication, with one "problem" 
> remaining.
> 
> Since I would sometimes forget to check the gmail account, added that account 
> to fetchmail.  It would deliver to fubar via the means described above, with 
> a unique fubar user, via the means mentioned above. It became convenient to  
> occasionally use the gmail account to test changes I might make to my local 
> system.  That worked well, till now.
> 
> Now when I set "smtp_sender_dependent_authentication = yes" any email I send 
> to the gmail account from fubar, upon being "fetched", fails to deliver to 
> "fubar" with postfix reporting "501 Authentication failed" and the mail is 
> deferred. If I set "smtp_sender_dependent_authentication = no" and restart 
> postfix, the deferred mail is delivered. Any mail that arrives at the gmail 
> account by any other means delivers normally regardless of the value of 
> "smtp_sender_dependent_authentication".
> 
> Ultimately, I determined the attempt to authenticate to fubar happens with 
> any mail I send to the gmail account, where the "from" address is any valid 
> user on the fubar system.  That includes test emails sent using swaks, via 
> the same upstream provider. 
> 
> On the receiving end I can see logged information that shows fubar is 
> attempting to authenticate, which it does not attempt to do when sender 
> dependent authentication is not enabled. At least, not in any visible way or 
> even any configured way. While from the point of view of the professionals 
> this may "not be a real problem" perhaps for myriad uttered reasons including 
> "WFT dude"?, it still seems odd at the least. Probably it will be due to 
> "something you did and should have known better".    
> 
> Below is output from postconf -Mf:
> 
> smtp       inet  n       -       n       -       -       smtpd
>     -o content_filter=spamassassin
> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
>     -o smtp_fallback_relay=
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> spamassassin unix -      n       n       -       -       pipe flags=Rq
>     user=spamfilter argv=/usr/local/bin/spamass.sh -e /usr/sbin/sendmail -oi -f
>     ${sender} -- ${recipient}
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> postlog    unix-dgram n  -       n       -       1       postlogd
> 
> Below is output from postconf -Mf: (obfuscated)
> 
> alias_maps = hash:/etc/aliases
> biff = no
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> compatibility_level = 2
> content_filter =
> daemon_directory = /usr/lib/postfix/bin/
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>     $daemon_directory/$process_name $process_id & sleep 5
> defer_transports =
> delay_warning_time = 1h
> disable_dns_lookups = yes
> disable_mime_output_conversion = no
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/packages/postfix-doc/html
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_command =
> mailbox_size_limit = 0
> mailbox_transport =
> maillog_file = /var/log/postfix.log
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> message_size_limit = 0
> message_strip_characters = \0
> milter_default_action = accept
> mydestination = $myhostname, localhost.$mydomain
> myhostname = myhostname.domain.com
> mynetworks = aaa.bbb.0.221/32,aaa.bbb.0.222,aaa.bbb.0.211/32,127.0.0.0/8
> mynetworks_style = subnet
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
> relay_clientcerts =
> relay_domains = $mydestination, hash:/etc/postfix/relay
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix-doc/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_enforce_tls = yes
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_sender_dependent_authentication = yes
> smtp_tls_CAfile = /etc/postfix/ssl/certs/cacert.pem
> smtp_tls_CApath = /etc/postfix/ssl/certs/
> smtp_tls_cert_file = /etc/postfix/ssl/certs/pf-cert.pem
> smtp_tls_key_file = /etc/postfix/ssl/certs/pf-key.pem
> smtp_tls_loglevel = 2
> smtp_tls_security_level = may
> smtp_tls_session_cache_database =
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions =
> smtpd_delay_reject = yes
> smtpd_helo_required = no
> smtpd_helo_restrictions =
> smtpd_milters = unix:/var/run/clamav/clamav-milter.socket
> smtpd_recipient_restrictions = permit_mynetworks
> smtpd_sasl_auth_enable = no
> smtpd_sender_restrictions = hash:/etc/postfix/access
> smtpd_tls_CAfile = /etc/postfix/ssl/certs/cacert.pem
> smtpd_tls_CApath = /etc/postfix/ssl/certs/
> smtpd_tls_ask_ccert = no
> smtpd_tls_cert_file = /etc/postfix/ssl/certs/pf-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/certs/pf-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = no
> smtpd_use_tls = yes
> strict_8bitmime = no
> strict_rfc821_envelopes = no
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual

I would imagine that Postfix can only authenticate to
servers that have entries in /etc/postfix/sasl_passwd.

  smtp_sasl_password_maps (default: empty)

    Optional Postfix SMTP client lookup tables with one
    username:password entry per sender, remote hostname
    or next-hop domain. Per-sender lookup is done only
    when sender-dependent authentication is enabled. If
    no username:password entry is found, then the
    Postfix SMTP client will not attempt to
    authenticate to the remote host.

But it seems unlikely that you'd have put an entry there
for a server of yours that doesn't authenticate.

Perhaps you need to add that server to debug_peer_list
and see what the extra logs say.

cheers,
raf
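
The lookup described in the smtp_sasl_password_maps documentation quoted above, modelled as an added example that is not part of the original post or of Postfix itself. It assumes sasl_passwd holds per-sender entries, that the envelope sender is tried before the next hop when sender-dependent authentication is on, and that every address, host name and secret shown is a constructed placeholder.

```python
"""Simplified model of the Postfix SMTP client's smtp_sasl_password_maps lookup."""
# Constructed sasl_passwd contents; every name and secret is a placeholder.
SASL_PASSWD = """\
alice@example.org              alice-login:alice-secret
[smtp.provider.example]:587    shared-login:shared-secret
"""

def parse_map(text):
    """Parse 'key  user:password' lines into a dict, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def select_credentials(table, sender, nexthop, sender_dependent):
    """Return (matched_key, login), or None when no authentication is attempted."""
    # Assumed order: envelope sender first (only with sender-dependent
    # authentication on), then the next hop. Exact keys only; the separate
    # remote-hostname lookup is left out of this model.
    keys = ([sender.lower()] if sender_dependent else []) + [nexthop.lower()]
    for key in keys:
        if key in table:
            return key, table[key].split(":", 1)[0]
    return None

def audit(table, deliveries, sender_dependent):
    """Flag deliveries where a sender-keyed login is offered to a next hop with no entry."""
    findings = []
    for sender, nexthop in deliveries:
        hit = select_credentials(table, sender, nexthop, sender_dependent)
        if hit and hit[0] == sender.lower() and nexthop.lower() not in table:
            findings.append((sender, nexthop, hit[1]))
    return findings

# Constructed deliveries: (envelope sender, next hop chosen by the transport map).
DELIVERIES = [
    ("alice@example.org", "[smtp.provider.example]:587"),       # outbound via provider
    ("alice@example.org", "[fubar.internal.example]"),          # fetched copy to internal host
    ("someone@elsewhere.example", "[fubar.internal.example]"),  # unrelated sender
]

if __name__ == "__main__":
    table = parse_map(SASL_PASSWD)
    for enabled in (False, True):
        print(enabled, audit(table, DELIVERIES, enabled))
```

On a live system the same question can be asked of the real table with `postmap -q`, once with the sender address and once with the next hop as the key.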
