Re: Postfix relay - allow authenticated users from any ip

2016-05-27 Thread Zalezny Niezalezny
Thank you very much for your explanation. That sounds clearer to me.
I will configure SASL Auth then.

Thanks a lot, everyone!

On Fri, May 27, 2016 at 2:14 PM, /dev/rob0  wrote:

> On Fri, May 27, 2016 at 10:11:59AM +0200, Zalezny Niezalezny wrote:
> > What about user? Do I need to create simply OS user (/etc/passwd)
> > and it will be enough? Or some dedicated configuration file is
> > required?
>
> If you take Victor's advice and use TLS certificate validation, no
> user is necessary.
>
> If you choose the SASL AUTH way, yes, you need some kind of user
> configured that your SASL backend[s] can authenticate.  A system
> user would be the easiest way to do this.
>
> For SASL, you'd need Cyrus SASL on the client side, and either of
> Cyrus or Dovecot on the server side.  I agree with Victor in that
> check_ccert_access sounds simple and easier in this case.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>


Re: Postfix relay - allow authenticated users from any ip

2016-05-27 Thread /dev/rob0
On Fri, May 27, 2016 at 10:11:59AM +0200, Zalezny Niezalezny wrote:
> What about user? Do I need to create simply OS user (/etc/passwd)
> and it will be enough? Or some dedicated configuration file is
> required?

If you take Victor's advice and use TLS certificate validation, no 
user is necessary.

If you choose the SASL AUTH way, yes, you need some kind of user 
configured that your SASL backend[s] can authenticate.  A system 
user would be the easiest way to do this.

For SASL, you'd need Cyrus SASL on the client side, and either of 
Cyrus or Dovecot on the server side.  I agree with Victor in that 
check_ccert_access sounds simple and easier in this case.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Postfix relay - allow authenticated users from any ip

2016-05-27 Thread Zalezny Niezalezny
Hi Viktor,

Thank you very much for your hints.

What about user? Do I need to create simply OS user (/etc/passwd) and it
will be enough? Or some dedicated configuration file is required?


Thanks in advance

Zalezny

On Fri, May 27, 2016 at 12:07 AM, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:

> On Thu, May 26, 2016 at 11:40:22PM +0200, Zalezny Niezalezny wrote:
>
> > 1. How to configure relay server which will relay all E-mails from
> > authenticated users from any IP.
>
> main.cf:
>     indexed = ${default_database_type}:${config_directory}/
>     smtpd_tls_fingerprint_digest = sha256
>     smtpd_tls_auth_only = yes
>     # Note Postfix >= 2.10
>     mua_relay_restrictions =
>         permit_sasl_authenticated,
>         check_ccert_access ${indexed}relay-ccerts,
>         reject
>
> master.cf:
>     submission inet ... smtpd
>       -o smtpd_relay_restrictions=$mua_relay_restrictions
>       -o smtpd_tls_security_level=encrypt
>       -o smtpd_tls_ask_ccert=yes
>       ...
>
> relay-ccerts:
>     #   OK
>     e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55 OK
>     ...
>
> Or configure SASL, but frankly client certs are much easier on the
> server side, and simple enough on the client side, at least with
> Postfix as the client.
>
> --
> Viktor.
>


Re: Postfix relay - allow authenticated users from any ip

2016-05-26 Thread Peter
On 27/05/16 09:40, Zalezny Niezalezny wrote:
> 1. How to configure relay server which will relay all E-mails from
> authenticated users from any IP.
> My home server external IP is changing very often, so relay server needs
> to relay messages from all IPs. I would really appreciate any
> example configuration for a MTA and for a relay server.

http://www.postfix.org/SASL_README.html


Peter


Re: Postfix relay - allow authenticated users from any ip

2016-05-26 Thread Viktor Dukhovni
On Thu, May 26, 2016 at 11:40:22PM +0200, Zalezny Niezalezny wrote:

> 1. How to configure relay server which will relay all E-mails from
> authenticated users from any IP.

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_tls_fingerprint_digest = sha256
    smtpd_tls_auth_only = yes
    # Note Postfix >= 2.10
    mua_relay_restrictions =
        permit_sasl_authenticated,
        check_ccert_access ${indexed}relay-ccerts,
        reject

master.cf:
    submission inet ... smtpd
      -o smtpd_relay_restrictions=$mua_relay_restrictions
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_ask_ccert=yes
      ...

relay-ccerts:
    #   OK
    e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55 OK
    ...

Or configure SASL, but frankly client certs are much easier on the
server side, and simple enough on the client side, at least with
Postfix as the client.

-- 
Viktor.
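
The following is an added example, not part of Viktor's message and not Postfix code: it computes a SHA-256 fingerprint in the colon-separated form used in the relay-ccerts sample above (for a real certificate, `fingerprint(pem_to_der(pem_text))`), and audits a table for keys that cannot match when smtpd_tls_fingerprint_digest = sha256. All function names and the sample table are constructed for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SHA256_FP = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){31}$")

def pem_to_der(pem):
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    """SHA-256 over the DER bytes as colon-separated hex octets."""
    h = hashlib.sha256(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def logical_lines(text):
    """Postfix table syntax: skip blanks and # comments; a line that starts
    with whitespace continues the previous logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_table(text):
    """(key, problem) pairs for entries that cannot work with sha256 digests."""
    problems = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0]
        if not SHA256_FP.match(key):
            problems.append((key, "not a 32-octet sha256 fingerprint"))
        elif len(parts) == 1:
            problems.append((key, "missing action"))
    return problems

# Constructed sample: the thread's entry wrapped as in the archive, plus a
# made-up 16-octet (MD5-length) key that a sha256 lookup can never match.
PAGE_FP = fingerprint(b"")  # the thread's sample value is SHA-256 of zero bytes
SAMPLE_TABLE = "# relay-ccerts\n" + PAGE_FP + "\n OK\n" + ":".join(["ab"] * 16) + " OK\n"

if __name__ == "__main__":
    print(audit_table(SAMPLE_TABLE))
```

The sample fingerprint in the thread is the SHA-256 of empty input, so it is a placeholder and must be replaced with the digest of the actual client certificate.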


Postfix relay - allow authenticated users from any ip

2016-05-26 Thread Zalezny Niezalezny
Dear Colleague,

I have a small server at home (with dynamic IP) with Postfix as MTA.

Because I'm using a dynamic IP address, I decided to create a simple relay
server with static IP on amazon aws cloud. Here comes my question:

1. How to configure relay server which will relay all E-mails from
authenticated users from any IP.
My home server external IP is changing very often, so relay server needs to
relay messages from all IPs. I would really appreciate any example
configuration for a MTA and for a relay server.


I simply would like to set up one username/password for all my e-mail
accounts and based on that relay messages to the internet.


Thank You in advance for any hints and support.



With kind regards

Zalezny