On 11 Jul 2016, at 4:30, Zalezny Niezalezny wrote:
> Dear Colleagues,
> I'm trying to configure an authenticated relay server (SASL) using RHEL
> Postfix 2.6.6.
> System will transport E-mails only from authenticated clients.
> 1) Most of those clients are in the same subnet, does it make sense to
> authenticate those clients with passwords ?
Yes. Also: do so with a submission service on port 587 and require TLS.
> Do we need to use SASL if the host is in the same subnet ?
Authenticating by IP is weak, barely worth calling "authentication" at
all. If it is possible for a rogue device to get on that subnet or for a
legitimate machine to be subverted by a spambot, requiring a REAL
authentication mechanism (i.e. SASL) can prevent a spam run through your
server.
Some of the defaults and widely-recommended Postfix settings originate
in an era when port 587 submission was not supported widely enough to
make it the only route for submission. In the modern world, you may
never need "permit_mynetworks" anywhere or any SASL support on a port 25
smtpd service, since mail for outbound relay should be submitted via
port 587 submission with SASL authentication there.
> 2) How to understand permit_mynetworks and permit_sasl_authenticated. If a
> host is mentioned in the mynetworks list, what will happen with it if we
> use these settings:
> smtpd_relay_restrictions = permit_mynetworks,
>     permit_sasl_authenticated,
>     reject
> Will Postfix also ask for a user name and password ?
That's not how SMTP AUTH works.
When a client connects and uses the "EHLO" command to introduce itself,
the server replies with a list of extensions to basic SMTP that it
supports, possibly including the AUTH extension with a list of SASL
mechanisms that are supported. The *client* is expected to try
authentication if it can. The server never explicitly "asks" for
authentication, it merely offers the option and MAY be configured to
reject mail without it.
So, the configuration you show will let clients in $mynetworks relay
with or without authentication and let any other client relay if they
authenticate, and reject other mail.
> I'm struggling with that topic for days and I do not know how to manage
> that. The SASL documentation from Wietse I have read multiple times
> already, but it is still not working.
> Can anyone send me a client / server (main.cf) config which is working?
Since I never set up submission for relaying and inbound transport in
the same service, none of my configs would make sense for what you seem
to be doing. I also don't use any antique versions of Postfix so my
configs would break with your 2.6.6.
Beyond that, you really shouldn't blindly trust that a "working" config
for a complex system like Postfix is going to be portable between sites.
I manage multiple Postfix systems, but don't use identical Postfix
configs on any 2 sites that accept mail over the network, even allowing
for the obviously local settings like the various my* parameters.
> Maybe somebody here will be able to support me.
Actual postconf -n output would be more useful, but I do see one
problem:
smtpd_client_restrictions = permit_mynetworks, reject
That does exactly what it says.
It is not possible to recover from a REJECT in
smtpd_client_restrictions by getting a PERMIT in any later restriction
list, because you never evaluate the later restriction lists.
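The configuration the reply argues for, written out as an added example (not a config from the thread, from the replier, or from the Postfix project): port 25 accepts inbound mail only and neither offers AUTH nor trusts $mynetworks for relaying, while a separate submission service on port 587 requires TLS and SASL and is the only place relaying is permitted. The poster's smtpd_client_restrictions line is kept as a comment beside the fix so the difference is visible. The hostname, certificate paths and the Dovecot SASL backend are assumptions; substitute your own. One caveat for the poster's version: smtpd_relay_restrictions was introduced in Postfix 2.10, so on 2.6.6 the same lists belong in smtpd_recipient_restrictions instead. Postfix does not allow trailing comments on a parameter line, which is why every comment here sits on its own line.

```conf
# ---- main.cf (added example; names and paths are assumptions) ----
myhostname = mail.example.com
# Loopback only: nothing on the LAN is trusted to relay by IP address.
mynetworks = 127.0.0.0/8 [::1]/128

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
# Port 25: offer STARTTLS to other MTAs but do not require it.
smtpd_tls_security_level = may

# SASL backend (assumed: Dovecot). Cyrus works too; smtpd_sasl_path changes.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
# Port 25 never advertises AUTH; only the submission service turns it on.
smtpd_sasl_auth_enable = no

# Poster's line. The "reject" ends evaluation for every client outside
# $mynetworks, so later lists (and their permit_sasl_authenticated) never run:
#smtpd_client_restrictions = permit_mynetworks, reject
smtpd_client_restrictions =

# Port 25 accepts mail for $mydestination and relays nothing.
# smtpd_relay_restrictions needs Postfix 2.10 or later; on 2.6.6 use
# smtpd_recipient_restrictions = reject_unauth_destination
smtpd_relay_restrictions = reject_unauth_destination

# ---- master.cf: submission service, TLS and SASL required ----
# service    type  private unpriv  chroot  wakeup  maxproc command
# -o values may not contain whitespace, hence the commas without spaces.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With this layout a LAN host that has not authenticated gets a 5xx at RCPT TO on both ports, a client that authenticated over TLS on 587 can relay anywhere, and an infected LAN machine that only knows how to spam through port 25 finds nothing it can relay through. Check the result with `postconf -n` and `postconf -Mf submission` rather than trusting the file as typed.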
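To make the last two points of the reply concrete (a permit only ends the current list, a reject ends everything, so an authenticated client outside $mynetworks can never get past `smtpd_client_restrictions = permit_mynetworks, reject`), here is an added Python model of how Postfix walks its restriction lists. It is an illustration written for this page, not Postfix source: it keeps only the keywords the thread uses plus reject_unauth_destination, and the list order it follows is the one Postfix applies at RCPT TO with the default smtpd_delay_reject=yes. The configurations BROKEN and FIXED, the client records and the IP addresses are constructed for the example.

```python
"""Model of Postfix restriction-list evaluation (added example, not Postfix code).

Rule being demonstrated: lists are evaluated in order; a PERMIT finishes only
the list it occurs in, a REJECT finishes evaluation of all lists.
"""
import ipaddress

# Order Postfix uses when it evaluates everything at RCPT TO (smtpd_delay_reject=yes).
# smtpd_relay_restrictions exists from Postfix 2.10; on 2.6.6 the same list would
# live in smtpd_recipient_restrictions, which does not change the outcome here.
LIST_ORDER = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)


def in_mynetworks(client_ip, mynetworks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate_restriction(name, client, recipient, cfg):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for a single restriction keyword."""
    if name == "permit_mynetworks":
        return "PERMIT" if in_mynetworks(client["ip"], cfg["mynetworks"]) else "DUNNO"
    if name == "permit_sasl_authenticated":
        # The client decided whether to use the advertised AUTH extension; the
        # server only records the outcome. No login means no SASL user name.
        return "PERMIT" if client.get("sasl_username") else "DUNNO"
    if name == "reject_unauth_destination":
        domain = recipient.rsplit("@", 1)[-1].lower()
        return "DUNNO" if domain in cfg["mydestination"] else "REJECT"
    if name == "permit":
        return "PERMIT"
    if name == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(client, recipient, cfg):
    """Walk every list in LIST_ORDER. Returns (verdict, list that rejected or None)."""
    for list_name in LIST_ORDER:
        for restriction in cfg.get(list_name, []):
            result = evaluate_restriction(restriction, client, recipient, cfg)
            if result == "REJECT":
                return "REJECT", list_name      # terminal: later lists never run
            if result == "PERMIT":
                break                           # this list is done; next list still runs
    return "PERMIT", None                        # no list rejected: recipient accepted


BASE = {"mynetworks": ["127.0.0.0/8", "192.0.2.0/24"], "mydestination": ["example.com"]}

# The poster's configuration (constructed from the two lines quoted in the thread).
BROKEN = dict(
    BASE,
    smtpd_client_restrictions=["permit_mynetworks", "reject"],
    smtpd_relay_restrictions=["permit_mynetworks", "permit_sasl_authenticated", "reject"],
)

# Same relay policy, but the client-stage reject removed so the relay list decides.
FIXED = dict(
    BASE,
    smtpd_client_restrictions=[],
    smtpd_relay_restrictions=["permit_mynetworks", "permit_sasl_authenticated", "reject"],
)

# Constructed clients: a LAN host that never sent AUTH, and a remote host that did.
LAN_NOAUTH = {"ip": "192.0.2.10", "sasl_username": None}
REMOTE_AUTH = {"ip": "203.0.113.5", "sasl_username": "alice"}
REMOTE_NOAUTH = {"ip": "203.0.113.5", "sasl_username": None}

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for who, client in (("LAN, no AUTH", LAN_NOAUTH), ("remote, AUTH", REMOTE_AUTH),
                            ("remote, no AUTH", REMOTE_NOAUTH)):
            print(f"{label:6} {who:16} -> {evaluate(client, 'bob@example.net', cfg)}")
```

Running it shows the asymmetry the reply describes: under BROKEN the unauthenticated LAN host relays freely while the authenticated remote user is rejected in smtpd_client_restrictions before permit_sasl_authenticated is ever reached; under FIXED the relay list sees the SASL login and permits it, and only the unauthenticated remote client is rejected.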