Re: submission port : Client host rejected: Access denied
On Sun, Mar 06, 2011 at 02:20:19PM +0100, David Touzeau wrote:
> Thanks Jeroen
>
> Here it is information requested
>
> postconf -n

Yikes. I didn't read through all of that, but I'm sure you have gone way overboard in changing (or perhaps, restating) default settings. Jeroen would say, if your postconf -n is more than 30 lines, you are either an expert, or you have done it all wrong. :)

Consider starting over with a simple config.
--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: submission port : Client host rejected: Access denied
On 6 Mar 2011, at 22:34, Noel Jones wrote:
> On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:
> > I suspect that if you were to increase logging detail, you'd find that 'permit_sasl_authenticated' evaluates to zero during the client restrictions stage because of a delay in getting back an answer from whatever SASL backend you have in use. Postfix evaluates the rest of the client restrictions, and denies you access.
>
> No. The SASL authentication happens after CONNECT and HELO, before MAIL FROM. With
>   smtpd_delay_reject = no,
> and
>   smtpd_client_restrictions = permit_sasl_authenticated, reject
> you're checking for sasl authentication before the authentication ever has a chance to take place. This has nothing to do with what you're using for a sasl backend, because the backend is never consulted.
>
> Just another good reason to not muck with the defaults.

Hmm, I must be remembering it wrong then, because that makes perfect sense. Or I interpreted the logging data incorrectly, which is not impossible either.

Anyway, thanks for the correction.

Cya,
Jona
submission port : Client host rejected: Access denied
Dear

I would like to use submission port for authenticate users from internet allowing them to the postfix smtpd server

For testing purpose, I have set a network different from the LAN to be sure that postfix allow SASL connections

but it seems that postfix did not want to test the authentication method and pass its rules through subnet rules to finally refuse the connection with a Client host rejected: Access denied

We can see that there is a request to saslauthd
xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
but I did not really understand what it means..

I'm using saslauthd through LDAP to perform credentials checking and postfix 2.8.0

Where am I wrong ??

When using testsaslauthd
--
testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
0: OK Success.

Content of /etc/postfix/sasl/smtpd.conf
--
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
log_level: 5

master.cf
--
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtp_generic_maps=
  -o sender_canonical_maps=

Here it is a piece of debug logs :
--
Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: start interval Mar 6 13:45:02
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: address lookup hits=5 miss=2 success=71%
Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: max simultaneous domains=0 addresses=1 connection=2
Mar 6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the Postfix mail system
Mar 6 13:48:40 bigfiles postfix/master[2548]: terminating on signal 15
Mar 6 13:48:40 bigfiles postfix/postfix-script[22571]: starting the Postfix mail system
Mar 6 13:48:40 bigfiles postfix/master[22572]: daemon started -- version 2.8.0, configuration /etc/postfix
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local: configured 3 IPv4 addresses
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3 (3)
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? permit_mx_backup_networks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? qmqpd_authorized_clients
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? relay_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/relay_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? mynetworks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/canonical
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/virtual
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? debug_peer_list
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? fast_flush_domains
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
Re: submission port : Client host rejected: Access denied
On 03/06/2011 01:18 PM, David Touzeau wrote:
> Dear
>
> I would like to use submission port for authenticate users from internet allowing them to the postfix smtpd server
>
> For testing purpose, I have set a network different from the LAN to be sure that postfix allow SASL connections
>
> but it seems that postfix did not want to test the authentication method and pass its rules through subnet rules to finally refuse the connection with a Client host rejected: Access denied
>
> We can see that there is a request to saslauthd
> xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> but I did not really understand what it means..
>
> I'm using saslauthd through LDAP to perform credentials checking and postfix 2.8.0
>
> Where am I wrong ??
>
> When using testsaslauthd
> --
> testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
> 0: OK Success.
>
> Content of /etc/postfix/sasl/smtpd.conf
> --
> pwcheck_method: saslauthd
> mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> log_level: 5
>
> master.cf
> --
> smtp inet n - n - - smtpd
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtp_generic_maps=
>   -o sender_canonical_maps=
>
> Here it is a piece of debug logs :
> --

Debug logs should not be required to solve SASL issues.

Please include the output of postconf -n and the normal postfix logs for the observed behaviour, as described in:

http://www.postfix.org/DEBUG_README.html#mail

--
J.
Re: submission port : Client host rejected: Access denied
On Sun, 06 Mar 2011 13:18:02 +0100 David Touzeau da...@touzeau.eu articulated:
Re: submission port : Client host rejected: Access denied
On Sunday 06 March 2011 at 13:58 +0100, Jeroen Geilman wrote:
> On 03/06/2011 01:18 PM, David Touzeau wrote:
> > Dear
> >
> > I would like to use submission port for authenticate users from internet allowing them to the postfix smtpd server
> >
> > For testing purpose, I have set a network different from the LAN to be sure that postfix allow SASL connections
> >
> > but it seems that postfix did not want to test the authentication method and pass its rules through subnet rules to finally refuse the connection with a Client host rejected: Access denied
> >
> > We can see that there is a request to saslauthd
> > xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> > but I did not really understand what it means..
> >
> > I'm using saslauthd through LDAP to perform credentials checking and postfix 2.8.0
> >
> > Where am I wrong ??
> >
> > When using testsaslauthd
> > --
> > testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
> > 0: OK Success.
> >
> > Content of /etc/postfix/sasl/smtpd.conf
> > --
> > pwcheck_method: saslauthd
> > mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> > log_level: 5
> >
> > master.cf
> > --
> > smtp inet n - n - - smtpd
> > submission inet n - n - - smtpd
> >   -o smtpd_etrn_restrictions=reject
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >   -o smtp_generic_maps=
> >   -o sender_canonical_maps=
> >
> > Here it is a piece of debug logs :
> > --
>
> Debug logs should not be required to solve SASL issues.
>
> Please include the output of postconf -n and the normal postfix logs for the observed behaviour, as described in:
>
> http://www.postfix.org/DEBUG_README.html#mail

Thanks Jeroen

Here it is information requested

postconf -n
--
2bounce_notice_recipient = postmaster
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file = /etc/postfix/bounce.template.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_process_limit = 100
delay_notice_recipient = david.touz...@touzeau.com
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
double_bounce_sender = double-bounce
empty_address_recipient = david.touz...@touzeau.com
enable_original_recipient = yes
error_notice_recipient = david.touz...@touzeau.com
header_address_token_limit = 10240
header_checks =
html_directory = /usr/share/doc/packages/postfix-doc/html
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_recipient_maps =
luser_relay =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 10240
mailbox_transport = lmtp:unix:/var/spool/postfix/var/run/cyrus/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
master_service_disable =
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 10240
message_strip_characters = \0
milter_command_timeout = 180
milter_connect_macros = j _ {daemon_name} {if_name} {if_addr} {client_name} {client_addr} {client_resolve} {client_ptr}
milter_connect_timeout = 180
milter_content_timeout = 600
milter_default_action = accept
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_ssf} {auth_author} {mail_mailer} {mail_host} {mail_addr} {client_addr} {if_addr}
milter_protocol = 6
milter_rcpt_macros = {rcpt_mailer} {rcpt_host} {rcpt_addr} {client_addr} {if_addr}
mime_header_checks =
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_instance_directories =
Re: submission port : Client host rejected: Access denied
On Sunday 06 March 2011 at 07:58 -0500, Jerry wrote:
> On Sun, 06 Mar 2011 13:18:02 +0100 David Touzeau da...@touzeau.eu articulated:
Re: submission port : Client host rejected: Access denied
* Jeroen Geilman jer...@adaptr.nl:
> On 03/06/2011 01:18 PM, David Touzeau wrote:
> > Dear
> >
> > I would like to use submission port for authenticate users from internet allowing them to the postfix smtpd server
> >
> > For testing purpose, I have set a network different from the LAN to be sure that postfix allow SASL connections
> >
> > but it seems that postfix did not want to test the authentication method and pass its rules through subnet rules to finally refuse the connection with a Client host rejected: Access denied
> >
> > We can see that there is a request to saslauthd
> > xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> > but I did not really understand what it means..
> >
> > I'm using saslauthd through LDAP to perform credentials checking and postfix 2.8.0
> >
> > Where am I wrong ??
> >
> > When using testsaslauthd
> > --
> > testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
> > 0: OK Success.

You are testing as user root, right?

> > Content of /etc/postfix/sasl/smtpd.conf

Postfix runs as user postfix. Blind guess: Your postfix user is not member of the sasl group. Check using id postfix. If it doesn't list postfix, then add postfix to group sasl and restart postfix:

% adduser postfix sasl
% postfix reload

Second blind guess: /etc/default/saslauthd places the saslauthd socket outside of Postfix chroot (you are running Postfix chrooted as your master.cf shows below). Enable/uncomment the line at the bottom of /etc/default/saslauthd:

# OPTIONS=-c -m /var/spool/postfix/var/run/saslauthd

Then comment the OPTIONS line above and restart saslauthd.

p@rick

> > master.cf
> > --
> > smtp inet n - n - - smtpd
> > submission inet n - n - - smtpd
> >   -o smtpd_etrn_restrictions=reject
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >   -o smtp_generic_maps=
> >   -o sender_canonical_maps=
> >
> > Here it is a piece of debug logs :
> > --
>
> Debug logs should not be required to solve SASL issues.
>
> Please include the output of postconf -n and the normal postfix logs for the observed behaviour, as described in:
>
> http://www.postfix.org/DEBUG_README.html#mail
>
> --
> J.

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: submission port : Client host rejected: Access denied
On Sunday 06 March 2011 at 16:08 +0100, DTNX/NGMX Postmaster wrote:

Jona

Many thanks Jona

smtpd_delay_reject = yes fixes the issue
Re: submission port : Client host rejected: Access denied
On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:
> On 6 Mar 2011, at 15:08, David Touzeau wrote:
> > but it seems that postfix did not want to test the authentication method and pass its rules through subnet rules to finally refuse the connection with a Client host rejected: Access denied
>
> [snip]
>
> > smtpd_delay_reject = no
>
> http://www.postfix.org/postconf.5.html#smtpd_delay_reject
>
> Here, most likely. Ran into something very similar last week, and this was the cause.

Yes.

> I suspect that if you were to increase logging detail, you'd find that 'permit_sasl_authenticated' evaluates to zero during the client restrictions stage because of a delay in getting back an answer from whatever SASL backend you have in use. Postfix evaluates the rest of the client restrictions, and denies you access.

No. The SASL authentication happens after CONNECT and HELO, before MAIL FROM. With
  smtpd_delay_reject = no,
and
  smtpd_client_restrictions = permit_sasl_authenticated, reject
you're checking for sasl authentication before the authentication ever has a chance to take place. This has nothing to do with what you're using for a sasl backend, because the backend is never consulted.

Just another good reason to not muck with the defaults.

--
Noel Jones
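
A configuration check for the failure explained in the reply above, added here as an example and not part of the original thread or of Postfix: it flags smtpd services where `permit_sasl_authenticated` sits in a restriction list that runs before AUTH while `smtpd_delay_reject` is `no`. The function names are hypothetical, the sample main.cf and master.cf text is constructed from the settings quoted in the thread, and only the `-o name=value` override form is handled.

```python
"""Flag Postfix smtpd services that test SASL status before AUTH can occur."""

# With smtpd_delay_reject = no these lists run at connect / HELO time,
# i.e. before the client has had a chance to send AUTH.
PRE_AUTH_STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions")

# Constructed sample input, modelled on the settings quoted in the thread.
SAMPLE_MAIN_CF = """\
smtpd_delay_reject = no
smtpd_sasl_auth_enable = yes
"""
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def logical_lines(text):
    """Drop blank/comment lines and join lines that start with whitespace
    onto the previous one (the continuation rule of main.cf and master.cf)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_main_cf(text):
    """Return {parameter: value} for main.cf-style text."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return [(service, {override: value})] for entries whose command is smtpd."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        # service type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args, overrides = fields[8:], {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o":
                name, sep, value = args[i + 1].partition("=")
                if sep:
                    overrides[name] = value
        services.append((fields[0], overrides))
    return services


def find_pre_auth_sasl_checks(main_cf, master_cf):
    """Return [(service, restriction_list)] where permit_sasl_authenticated
    is evaluated before AUTH because smtpd_delay_reject is 'no'."""
    main = parse_main_cf(main_cf)
    findings = []
    for service, overrides in parse_master_cf(master_cf):
        effective = {**main, **overrides}  # -o overrides win over main.cf
        # The Postfix default for smtpd_delay_reject is "yes".
        if effective.get("smtpd_delay_reject", "yes").lower() != "no":
            continue
        for stage in PRE_AUTH_STAGES:
            rules = effective.get(stage, "").replace(",", " ").split()
            if "permit_sasl_authenticated" in rules:
                findings.append((service, stage))
    return findings


if __name__ == "__main__":
    for service, stage in find_pre_auth_sasl_checks(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF):
        print(f"{service}: {stage} tests SASL before AUTH (smtpd_delay_reject = no)")
```
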