On 9/6/23 07:25, Richard Troy wrote:
The relaying only started and stopped when Dovecot was turned on or off.
Isn't it true that Dovecot performs an authentication function for
inbound connection requests, and that the successful ones may then use the
submission mechanism, from what Postfix takes to be an internal
connection, to send emails? Is this mistaken?
However, I get your point and I've spent a lot of work on that area.
And, you may well be right that that's where I need to turn - that is,
to Postfix. Thanks for the link.
The problem will likely be postfix.
However, if your Dovecot SASL is broken — say, always permitting access
with or without the correct password — then there will be a problem.
This is part of my Postfix configuration, and my system doesn't relay.
The key lines are all those with
permit_sasl_authenticated
---------------------------
# Postfix main.cf excerpt as pasted into the list. Leading whitespace on
# continuation lines is restored here; Postfix needs it to join a
# multi-line parameter value.
#
# Relay control in this excerpt rests on reject_unauth_destination in
# smtpd_recipient_restrictions. permit_sasl_authenticated is evaluated
# before it, so whatever the SASL backend accepts is allowed to relay: a
# backend that authenticates every client turns this into an open relay
# even though the Postfix side is correct.
#
# NOTE(review): smtpd_relay_restrictions, smtpd_sasl_type, smtpd_sasl_path
# and smtpd_tls_security_level are not in this excerpt. With
# compatibility_level = 3.6 the built-in default for smtpd_relay_restrictions
# (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
# applies unless it is set elsewhere -- confirm with `postconf -n`.

# Relay only for the domains this host is final destination for.
relay_domains = $mydestination
unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550
#home_mailbox = Maildir/
# Local delivery is handed to Dovecot over LMTP.
mailbox_transport = lmtp:unix:private/dovecot-lmtp
#transport_maps = hash:/etc/postfix/transport
# Junk controls
# Defer rejection until RCPT TO so the log line carries sender and
# recipient; HELO/EHLO is mandatory before MAIL FROM.
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# reject_rbl_client dnsbl-1.uceprotect.net
# reject_rbl_client cbl.abuseat.org
# The relay gate. Everything before reject_unauth_destination is either a
# permit or a sanity reject; a client that passes permit_mynetworks or
# permit_sasl_authenticated may relay to any domain, so for authenticated
# clients the SASL backend's verdict is the whole story.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    permit
# reject_rbl_client zen.spamhaus.org
# reject_rbl_client bl.spamcop.net
# Sender checks. reject_unknown_client_hostname requires the client's PTR
# and forward DNS to agree, which is stricter than
# reject_unknown_reverse_client_hostname and also rejects some legitimate
# senders with sloppy DNS.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
strict_rfc821_envelopes = yes
# VRFY disabled: removes one address-harvesting channel.
disable_vrfy_command = yes
# Redirect mail
# smtp_header_checks is applied by the SMTP client (outbound deliveries),
# not to mail being received.
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
# Reduce the time Postfix will sit idle after a client issues STARTTLS.
smtpd_starttls_timeout = 60s
# Renegotiate TLS sessions every hour.
# NOTE: the same parameter is set again near the end of this excerpt;
# Postfix keeps the last definition, so this line is redundant as pasted.
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Enable SMTP AUTH.
# TLS is required before AUTH is offered; that is enforced by
# smtpd_tls_auth_only below.
smtpd_sasl_auth_enable = yes
# Don't allow anonymous logins. DO NOT add noplaintext here, or
# authentication with saslauthd will become impossible.
# NOTE(review): the saslauthd remark suggests a Cyrus SASL backend, while
# delivery goes to Dovecot over LMTP; smtpd_sasl_type/smtpd_sasl_path are
# not in this excerpt, so which backend answers AUTH cannot be told from
# here -- verify, since that backend decides who may relay.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Some clients send malformed AUTH commands.
broken_sasl_auth_clients = yes
# Only allow AUTH when a TLS session is active, to reduce the
# possibility for password and message body snooping.
# Requires TLS to be enabled at all (smtpd_tls_security_level, not in this
# excerpt); otherwise AUTH is never offered.
smtpd_tls_auth_only = yes
# Tarpitting
# A bare number is taken as seconds for this parameter.
smtpd_error_sleep_time = 50
# Disconnect after two errors; start delaying after one.
smtpd_hard_error_limit = 2
smtpd_soft_error_limit = 1
smtpd_junk_command_limit = 10
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
compatibility_level = 3.6
# Time limit for a "policy-spf" policy service. No check_policy_service
# entry appears in the restrictions above, so nothing in this excerpt
# invokes it -- it may be referenced elsewhere (master.cf not shown).
policy-spf_time_limit = 3600s
html_directory = /usr/share/doc/postfix/html
# Milter configuration
# "accept" means fail-open: if the opendkim socket is unavailable, mail is
# accepted without DKIM signing/verification instead of being tempfailed.
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
smtputf8_enable = no
# postscreen settings (only active if postscreen is enabled in master.cf,
# which is not shown). DNSBL/DNSWL lookups are weighted; a client is
# rejected once its score reaches postscreen_dnsbl_threshold.
postscreen_access_list = permit_mynetworks
# NOTE(review): postscreen_blacklist_action is the pre-3.6 spelling; the
# current name is postscreen_denylist_action. The old name should still be
# accepted as an alias -- verify with `postconf -n`.
postscreen_blacklist_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[1..3]*-5
    zen.spamhaus.org=127.0.[1..2].[0..255]*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
postscreen_dnsbl_threshold = 2
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# Second definition of this parameter (same value as above); this one is
# the effective setting.
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache