On Mon, Jan 17, 2022 at 10:04:13PM -0500, Joe Acquisto-j4 <j...@j4computers.com> wrote:
> > On 2022-01-17 at 20:09:55 UTC-0500 (Mon, 17 Jan 2022 20:09:55 -0500)
> > Joe Acquisto-j4 <j...@j4computers.com>
> > is rumored to have said:
> >
> >> Sorry for the garbled message. Looking for the config files, etc that
> >> are normally requested.
> >
> > The non-default main.cf settings, formatted for human eyes:
> > postconf -nf
> >
> > The master.cf settings, formatted for human eyes:
> > postconf -Mf
> >
> > --
> > Bill Cole
> > b...@scconsult.com or billc...@apache.org
> > (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> > Not Currently Available For Hire
>
> OK, here goes -
>
> Using version 3.4.7 packaged by Suse. I use "fetchmail" to retrieve email
> via imap, one of which is gmail. The fetched mail is all sent to a local "off
> box" machine, via postfix, spamassassin and clamav, all on the same server.
> The off box machine, let's call it "fubar", runs a rather dated groupware
> product I used to support.
>
> I send mail to one upstream provider. They require authentication. Seem to
> have successfully set up per user SASL authentication, with one "problem"
> remaining.
>
> Since I would sometimes forget to check the gmail account, added that account
> to fetchmail. It would deliver to fubar via the means described above, with
> a unique fubar user, via the means mentioned above. It became convenient to
> occasionally use the gmail account to test changes I might make to my local
> system. That worked well, till now.
>
> Now when I set "smtp_sender_dependent_authentication = yes" any email I send
> to the gmail account from fubar, upon being "fetched", fails to deliver to
> "fubar" with postfix reporting "501 Authentication failed" and the mail is
> deferred. If I set "smtp_sender_dependent_authentication = no" and restart
> postfix, the deferred mail is delivered. Any mail that arrives at the gmail
> account by any other means delivers normally regardless of the value of
> "smtp_sender_dependent_authentication".
>
> Ultimately, I determined the attempt to authenticate to fubar happens with
> any mail I send to the gmail account, where the "from" address is any valid
> user on the fubar system. That includes test emails sent using swaks, via
> the same upstream provider.
>
> On the receiving end I can see logged information that shows fubar is
> attempting to authenticate, which it does not attempt to do when sender
> dependent authentication is not enabled. At least, not in any visible way or
> even any configured way. While from the point of view of the professionals
> this may "not be a real problem" perhaps for myriad uttered reasons including
> "WFT dude"?, it still seems odd at the least. Probably it will be due to
> "something you did and should have known better".
>
> Below is output from postconf -Mf:
>
> smtp         inet       n       -       n       -       -       smtpd
>     -o content_filter=spamassassin
> pickup       fifo       n       -       n       60      1       pickup
> cleanup      unix       n       -       n       -       0       cleanup
> qmgr         fifo       n       -       n       300     1       qmgr
> rewrite      unix       -       -       n       -       -       trivial-rewrite
> bounce       unix       -       -       n       -       0       bounce
> defer        unix       -       -       n       -       0       bounce
> trace        unix       -       -       n       -       0       bounce
> verify       unix       -       -       n       -       1       verify
> flush        unix       n       -       n       1000?   0       flush
> proxymap     unix       -       -       n       -       -       proxymap
> proxywrite   unix       -       -       n       -       1       proxymap
> smtp         unix       -       -       n       -       -       smtp
> relay        unix       -       -       n       -       -       smtp
>     -o smtp_fallback_relay=
> showq        unix       n       -       n       -       -       showq
> error        unix       -       -       n       -       -       error
> retry        unix       -       -       n       -       -       error
> discard      unix       -       -       n       -       -       discard
> local        unix       -       n       n       -       -       local
> virtual      unix       -       n       n       -       -       virtual
> lmtp         unix       -       -       n       -       -       lmtp
> anvil        unix       -       -       n       -       1       anvil
> scache       unix       -       -       n       -       1       scache
> spamassassin unix       -       n       n       -       -       pipe flags=Rq
>     user=spamfilter argv=/usr/local/bin/spamass.sh -e /usr/sbin/sendmail -oi
>     -f
>     ${sender} -- ${recipient}
> tlsmgr       unix       -       -       n       1000?   1       tlsmgr
> postlog      unix-dgram n       -       n       -       1       postlogd
>
> Below is output from postconf -Mf: (obfuscated)
>
> alias_maps = hash:/etc/aliases
> biff = no
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> compatibility_level = 2
> content_filter =
> daemon_directory = /usr/lib/postfix/bin/
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>     $daemon_directory/$process_name $process_id & sleep 5
> defer_transports =
> delay_warning_time = 1h
> disable_dns_lookups = yes
> disable_mime_output_conversion = no
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/packages/postfix-doc/html
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_command =
> mailbox_size_limit = 0
> mailbox_transport =
> maillog_file = /var/log/postfix.log
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> message_size_limit = 0
> message_strip_characters = \0
> milter_default_action = accept
> mydestination = $myhostname, localhost.$mydomain
> myhostname = myhostname.domain.com
> mynetworks = aaa.bbb.0.221/32,aaa.bbb.0.222,aaa.bbb.0.211/32,127.0.0.0/8
> mynetworks_style = subnet
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
> relay_clientcerts =
> relay_domains = $mydestination, hash:/etc/postfix/relay
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix-doc/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_enforce_tls = yes
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_sender_dependent_authentication = yes
> smtp_tls_CAfile = /etc/postfix/ssl/certs/cacert.pem
> smtp_tls_CApath = /etc/postfix/ssl/certs/
> smtp_tls_cert_file = /etc/postfix/ssl/certs/pf-cert.pem
> smtp_tls_key_file = /etc/postfix/ssl/certs/pf-key.pem
> smtp_tls_loglevel = 2
> smtp_tls_security_level = may
> smtp_tls_session_cache_database =
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions =
> smtpd_delay_reject = yes
> smtpd_helo_required = no
> smtpd_helo_restrictions =
> smtpd_milters = unix:/var/run/clamav/clamav-milter.socket
> smtpd_recipient_restrictions = permit_mynetworks
> smtpd_sasl_auth_enable = no
> smtpd_sender_restrictions = hash:/etc/postfix/access
> smtpd_tls_CAfile = /etc/postfix/ssl/certs/cacert.pem
> smtpd_tls_CApath = /etc/postfix/ssl/certs/
> smtpd_tls_ask_ccert = no
> smtpd_tls_cert_file = /etc/postfix/ssl/certs/pf-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/certs/pf-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = no
> smtpd_use_tls = yes
> strict_8bitmime = no
> strict_rfc821_envelopes = no
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual

I would imagine that Postfix can only authenticate to servers
that have entries in /etc/postfix/sasl_passwd.

  smtp_sasl_password_maps (default: empty)

    Optional Postfix SMTP client lookup tables with one
    username:password entry per sender, remote hostname or next-hop
    domain. Per-sender lookup is done only when sender-dependent
    authentication is enabled. If no username:password entry is
    found, then the Postfix SMTP client will not attempt to
    authenticate to the remote host.

But it seems unlikely that you'd have put an entry there
for a server of yours that doesn't authenticate.

Perhaps you need to add that server to debug_peer_list
and see what the extra logs say.

cheers,
raf
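
An added sketch, not part of the thread and not Postfix code, modelling the documented smtp_sasl_password_maps lookup order (sender address first when smtp_sender_dependent_authentication = yes, then destination) to show how a per-sender entry can trigger AUTH toward a host that has no entry of its own. The addresses, hostnames and table contents are constructed placeholders, and matching is simplified to exact keys.

```python
# Simplified model (assumption: exact-key matching only) of the documented
# smtp_sasl_password_maps lookup order in the Postfix SMTP client.

# Constructed table contents; addresses, hosts and secrets are placeholders.
SASL_PASSWD = """
# per-sender entry, used when relaying through the upstream provider
joe@fubar.example             joe@fubar.example:PLACEHOLDER
# per-destination entry for the upstream provider
[smtp.provider.example]:587   relayuser:PLACEHOLDER
"""


def parse_sasl_passwd(text):
    """Parse sasl_passwd source text into {lookup key: "user:password"}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def pick_credentials(table, sender, nexthop, sender_dependent):
    """Return (matched key, credentials), or None if no AUTH would be tried."""
    keys = []
    # The sender is consulted first, and only with sender-dependent auth on.
    if sender_dependent and sender:
        keys.append(sender.lower())
    keys.append(nexthop.lower())
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def explain(sender, nexthop, sender_dependent):
    """Describe the outcome for one delivery against the constructed table."""
    hit = pick_credentials(parse_sasl_passwd(SASL_PASSWD), sender, nexthop,
                           sender_dependent)
    return "no AUTH attempted" if hit is None else f"AUTH using entry {hit[0]}"


if __name__ == "__main__":
    for sender in ("joe@fubar.example", "someone@elsewhere.example"):
        for flag in (True, False):
            print(sender, flag, explain(sender, "[fubar.example]", flag))
```

On a live system the same question can be put to the real table with `postmap -q`, giving the envelope sender and then the next hop as the key against hash:/etc/postfix/sasl_passwd.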