Re: submission port : Client host rejected: Access denied

2011-03-08 Thread /dev/rob0
On Sun, Mar 06, 2011 at 02:20:19PM +0100, David Touzeau wrote:
 Thanks Jeroen
 
 Here is the information requested
 
 
 postconf -n

Yikes. I didn't read through all of that, but I'm sure you have gone 
way overboard in changing (or perhaps, restating) default settings. 
Jeroen would say, if your postconf -n is more than 30 lines, you are 
either an expert, or you have done it all wrong. :)

Consider starting over with a simple config.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: submission port : Client host rejected: Access denied

2011-03-07 Thread DTNX/NGMX Postmaster
On 6 Mar 2011, at 22:34, Noel Jones wrote:

 On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:
 
  I suspect that if you were to increase logging detail, you'd find that
  'permit_sasl_authenticated' evaluates to zero during the client restrictions
  stage because of a delay in getting back an answer from whatever SASL
  backend you have in use. Postfix evaluates the rest of the client
  restrictions, and denies you access.
 
 No.  The SASL authentication happens after CONNECT and HELO, before MAIL 
 FROM.  With smtpd_delay_reject = no, and smtpd_client_restrictions = 
 permit_sasl_authenticated, reject you're checking for sasl authentication 
 before the authentication ever has a chance to take place.
 
 This has nothing to do with what you're using for a sasl backend, because the 
 backend is never consulted.
 
 Just another good reason to not muck with the defaults.

Hmm, I must be remembering it wrong then, because that makes perfect sense. Or 
I interpreted the logging data incorrectly, which is not impossible either.

Anyway, thanks for the correction.

Cya,
Jona

submission port : Client host rejected: Access denied

2011-03-06 Thread David Touzeau
Dear,

I would like to use the submission port to authenticate users from the
internet, allowing them to the postfix smtpd server.

For testing purposes, I have set a network different from the LAN to be
sure that postfix allows SASL connections,

but it seems that postfix did not want to test the authentication method
and pass its rules through subnet rules to finally refuse the connection
with a Client host rejected: Access denied.
We can see that there is a request to saslauthd
xsasl_cyrus_server_create: SASL service=smtp, realm=(null) but I did
not really understand what it means.


I'm using saslauthd through LDAP to perform credentials checking and
postfix 2.8.0.

Where am I wrong?

When using testsaslauthd
--
testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
0: OK Success.

Content of /etc/postfix/sasl/smtpd.conf
--
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
log_level: 5

master.cf
--
smtp        inet  n   -   n   -   -   smtpd
submission  inet  n   -   n   -   -   smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtp_generic_maps=
  -o sender_canonical_maps=

Here is a piece of the debug logs:
--


Mar  6 13:48:20 bigfiles postfix/smtpd[17456]:
xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar  6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: start
interval Mar  6 13:45:02
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: address
lookup hits=5 miss=2 success=71%
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: max
simultaneous domains=0 addresses=1 connection=2
Mar  6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the
Postfix mail system
Mar  6 13:48:40 bigfiles postfix/master[2548]: terminating on signal 15
Mar  6 13:48:40 bigfiles postfix/postfix-script[22571]: starting the
Postfix mail system
Mar  6 13:48:40 bigfiles postfix/master[22572]: daemon started --
version 2.8.0, configuration /etc/postfix
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local:
configured 3 IPv4 addresses
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3 (3)
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? permit_mx_backup_networks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? qmqpd_authorized_clients
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? relay_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/relay_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/canonical
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/virtual
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
smtpd_access_maps ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
smtpd_access_maps ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:

Re: submission port : Client host rejected: Access denied

2011-03-06 Thread Jeroen Geilman

On 03/06/2011 01:18 PM, David Touzeau wrote:

 Dear,

 I would like to use the submission port to authenticate users from the
 internet, allowing them to the postfix smtpd server.

 For testing purposes, I have set a network different from the LAN to be
 sure that postfix allows SASL connections,

 but it seems that postfix did not want to test the authentication method
 and pass its rules through subnet rules to finally refuse the connection
 with a Client host rejected: Access denied.
 We can see that there is a request to saslauthd
 xsasl_cyrus_server_create: SASL service=smtp, realm=(null) but I did
 not really understand what it means.


 I'm using saslauthd through LDAP to perform credentials checking and
 postfix 2.8.0.

 Where am I wrong?

 When using testsaslauthd
 --
 testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
 0: OK Success.

 Content of /etc/postfix/sasl/smtpd.conf
 --
 pwcheck_method: saslauthd
 mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
 log_level: 5

 master.cf
 --
 smtp        inet  n   -   n   -   -   smtpd
 submission  inet  n   -   n   -   -   smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtp_generic_maps=
   -o sender_canonical_maps=

 Here is a piece of the debug logs:
 --
   


Debug logs should not be required to solve SASL issues.

Please include the output of postconf -n and the normal postfix logs for 
the observed behaviour, as described in:


http://www.postfix.org/DEBUG_README.html#mail


--
J.



Re: submission port : Client host rejected: Access denied

2011-03-06 Thread Jerry
On Sun, 06 Mar 2011 13:18:02 +0100
David Touzeau da...@touzeau.eu articulated:


Re: submission port : Client host rejected: Access denied

2011-03-06 Thread David Touzeau
On Sunday 06 March 2011 at 13:58 +0100, Jeroen Geilman wrote:
 On 03/06/2011 01:18 PM, David Touzeau wrote:
  Dear,
 
  I would like to use the submission port to authenticate users from the
  internet, allowing them to the postfix smtpd server.
 
  For testing purposes, I have set a network different from the LAN to be
  sure that postfix allows SASL connections,
 
  but it seems that postfix did not want to test the authentication method
  and pass its rules through subnet rules to finally refuse the connection
  with a Client host rejected: Access denied.
  We can see that there is a request to saslauthd
  xsasl_cyrus_server_create: SASL service=smtp, realm=(null) but I did
  not really understand what it means.
 
 
  I'm using saslauthd through LDAP to perform credentials checking and
  postfix 2.8.0.
 
  Where am I wrong?
 
  When using testsaslauthd
  --
  testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
  0: OK Success.
 
  Content of /etc/postfix/sasl/smtpd.conf
  --
  pwcheck_method: saslauthd
  mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
  log_level: 5
 
  master.cf
  --
  smtp        inet  n   -   n   -   -   smtpd
  submission  inet  n   -   n   -   -   smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtp_generic_maps=
    -o sender_canonical_maps=
 
  Here is a piece of the debug logs:
  --
 
 
 Debug logs should not be required to solve SASL issues.
 
 Please include the output of postconf -n and the normal postfix logs for
 the observed behaviour, as described in:
 
 http://www.postfix.org/DEBUG_README.html#mail

Thanks Jeroen

Here is the information requested


postconf -n
--
2bounce_notice_recipient = postmaster
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file = /etc/postfix/bounce.template.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter = 
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_process_limit = 100
delay_notice_recipient = david.touz...@touzeau.com
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
double_bounce_sender = double-bounce
empty_address_recipient = david.touz...@touzeau.com
enable_original_recipient = yes
error_notice_recipient = david.touz...@touzeau.com
header_address_token_limit = 10240
header_checks = 
html_directory = /usr/share/doc/packages/postfix-doc/html
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_recipient_maps = 
luser_relay = 
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 10240
mailbox_transport = lmtp:unix:/var/spool/postfix/var/run/cyrus/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
master_service_disable = 
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 10240
message_strip_characters = \0
milter_command_timeout = 180
milter_connect_macros = j _ {daemon_name} {if_name} {if_addr} {client_name} {client_addr} {client_resolve} {client_ptr}
milter_connect_timeout = 180
milter_content_timeout = 600
milter_default_action = accept
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_ssf} {auth_author} {mail_mailer} {mail_host} {mail_addr} {client_addr} {if_addr}
milter_protocol = 6
milter_rcpt_macros = {rcpt_mailer} {rcpt_host} {rcpt_addr} {client_addr} {if_addr}
mime_header_checks = 
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_instance_directories = 

Re: submission port : Client host rejected: Access denied

2011-03-06 Thread David Touzeau
On Sunday 06 March 2011 at 07:58 -0500, Jerry wrote:
 On Sun, 06 Mar 2011 13:18:02 +0100
 David Touzeau da...@touzeau.eu articulated:
 

Re: submission port : Client host rejected: Access denied

2011-03-06 Thread Patrick Ben Koetter
* Jeroen Geilman jer...@adaptr.nl:
 On 03/06/2011 01:18 PM, David Touzeau wrote:
 Dear,
 
 I would like to use the submission port to authenticate users from the
 internet, allowing them to the postfix smtpd server.
 
 For testing purposes, I have set a network different from the LAN to be
 sure that postfix allows SASL connections,
 
 but it seems that postfix did not want to test the authentication method
 and pass its rules through subnet rules to finally refuse the connection
 with a Client host rejected: Access denied.
 We can see that there is a request to saslauthd
 xsasl_cyrus_server_create: SASL service=smtp, realm=(null) but I did
 not really understand what it means.
 
 
 I'm using saslauthd through LDAP to perform credentials checking and
 postfix 2.8.0.
 
 Where am I wrong?
 
 When using testsaslauthd
 --
 testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
 0: OK Success.

You are testing as user root, right?

 Content of /etc/postfix/sasl/smtpd.conf

Postfix runs as user postfix.

Blind guess: Your postfix user is not a member of the sasl group. Check using
id postfix. If it doesn't list postfix, then add postfix to group sasl and
restart postfix:

% adduser postfix sasl
% postfix reload

Second blind guess: /etc/default/saslauthd places the saslauthd socket outside
of Postfix chroot (you are running Postfix chrooted as your master.cf shows
below).

Enable/uncomment the line at the bottom of /etc/default/saslauthd:

# OPTIONS=-c -m /var/spool/postfix/var/run/saslauthd

Then comment the OPTIONS line above and restart saslauthd.

p@rick

 master.cf
 --
 smtp        inet  n   -   n   -   -   smtpd
 submission  inet  n   -   n   -   -   smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtp_generic_maps=
   -o sender_canonical_maps=
 
 Here is a piece of the debug logs:
 --
 
 Debug logs should not be required to solve SASL issues.
 
 Please include the output of postconf -n and the normal postfix logs
 for the observed behaviour, as described in:
 
 http://www.postfix.org/DEBUG_README.html#mail
 
 
 -- 
 J.
 

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: submission port : Client host rejected: Access denied

2011-03-06 Thread David Touzeau
On Sunday 06 March 2011 at 16:08 +0100, DTNX/NGMX Postmaster wrote:
 Jona


Many thanks Jona

smtpd_delay_reject = yes
fixes the issue



Re: submission port : Client host rejected: Access denied

2011-03-06 Thread Noel Jones

On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:

 On 6 Mar 2011, at 15:08, David Touzeau wrote:

  but it seems that postfix did not want to test the authentication
  method and pass its rules through subnet rules to finally refuse the
  connection with a Client host rejected: Access denied

 [snip]

  smtpd_delay_reject = no

 http://www.postfix.org/postconf.5.html#smtpd_delay_reject

 Here, most likely. Ran into something very similar last week, and this was the
 cause.

Yes.

 I suspect that if you were to increase logging detail, you'd find that
 'permit_sasl_authenticated' evaluates to zero during the client restrictions
 stage because of a delay in getting back an answer from whatever SASL backend
 you have in use. Postfix evaluates the rest of the client restrictions, and
 denies you access.

No.  The SASL authentication happens after CONNECT and HELO,
before MAIL FROM.  With smtpd_delay_reject = no, and
smtpd_client_restrictions = permit_sasl_authenticated,
reject you're checking for sasl authentication before the
authentication ever has a chance to take place.

This has nothing to do with what you're using for a sasl
backend, because the backend is never consulted.

Just another good reason to not muck with the defaults.

  -- Noel Jones
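
A check for the ordering problem explained in the message above, added here as an example and not taken from any poster or from Postfix itself: it reads postconf -n style text plus master.cf text and reports smtpd services where smtpd_delay_reject = no is in effect while smtpd_client_restrictions contains permit_sasl_authenticated. The function names and sample inputs are constructed for illustration; the sample assumes smtpd_delay_reject = no in main.cf, as quoted in the replies.

```python
import re

# Constructed inputs modelled on the thread: the main.cf line the replies
# single out, and the poster's two smtpd entries from master.cf.
SAMPLE_POSTCONF = """\
smtpd_delay_reject = no
"""

SAMPLE_MASTER_CF = """\
# service   type  private unpriv chroot wakeup maxproc command + args
smtp        inet  n       -      n      -      -       smtpd
submission  inet  n       -      n      -      -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() and not line.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {"service/type": {param: value}} for every smtpd entry,
    folding continuation lines and collecting the -o overrides."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:   # continuation of the previous entry
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        overrides = {}
        args = fields[8:]
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                overrides[name] = value
        services[fields[0] + "/" + fields[1]] = overrides
    return services


def preauth_reject_services(postconf_text, master_cf_text):
    """List smtpd services whose client restrictions test for a SASL login
    at connect time, before the client can have sent AUTH."""
    main = parse_postconf(postconf_text)
    flagged = []
    for service, overrides in parse_master_cf(master_cf_text).items():
        effective = {**main, **overrides}  # a master.cf -o beats main.cf
        # Postfix default is smtpd_delay_reject = yes (evaluate at RCPT TO).
        immediate = effective.get("smtpd_delay_reject", "yes") == "no"
        checks = re.split(r"[,\s]+",
                          effective.get("smtpd_client_restrictions", ""))
        if immediate and "permit_sasl_authenticated" in checks:
            flagged.append(service)
    return flagged


if __name__ == "__main__":
    for svc in preauth_reject_services(SAMPLE_POSTCONF, SAMPLE_MASTER_CF):
        print(f"{svc}: permit_sasl_authenticated is evaluated before AUTH")
```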