On Mon, Mar 11, 2024 at 1:09 AM Viktor Dukhovni via Postfix-users
<postfix-users@postfix.org> wrote:
> You've implemented smtpd_sender_login_maps and
> reject_sender_login_mismatch or an equivalent variant, but the entry
> for that sender address does list the actual SASL login used (which
> is shown in an earlier log entry for the same SMTP transaction).

Thank you Viktor!

So, the actual SASL login is "auser"? (which is what I've told gmail
to use to log in)

> > I'm guessing that the issue is that postfix/dovecot sees only "auser"
> > and if instead it saw "au...@domain.name" it would work, but I
> > couldn't find any way to be able to login that way.
>
> No, the issue is the content of your sender login table.

My current guess is that the virtual or senderlogin files are wrong
and that's my problem...
These were my best guess as to what should be in those files, but I
doubt that's correct... but I don't know what it should be.

Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
  # senderlogin
  au...@domain.name   auser
  au...@machine.domain.name   auser

And here's /etc/virtual (again, my best guess of what it should be)
  # virtual
  au...@domain.name   au...@domain.name
  aotheru...@domain.name   au...@domain.name # in case I could have anotheruser send as auser
  auser   au...@domain.name


> > (2) Postfix sends to gmail, but does not encrypt when sending.
>
> You need to enable outbound STARTTLS, possibly mandatory for
> "smtp.gmail.com", ideally even with certificate checks, to avoid leaking
> the account password in case of an MiTM attack.  Is this submission
> traffic, or traffic to random gmail users?

I'd prefer that whenever possible, my emails get sent (directly from
this machine) encrypted. Sending to gmail is my test case since the
received email clearly says if it's not encrypted.

> Missing "smtp_tls_security_level = may".  And if doing submission via
> GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
> though it is not yet clear how you route mail to the GMail submission
> service.

(this server will send directly)

Ahhhhh.... I just literally forgot that smtp and smtpd are two
different directions :-)

And, it now does send encrypted to gmail. I haven't yet tested if it
can send unencrypted if need be, but I suspect that just adding the
correct smtp setting for "may" fixed it! Thank you! That issue is now
fixed (cockpit error on my part!)


> This (combined with unposted definitions, postconf -Mf, of the
> submission services in master.cf) is the source of breakage in #1.
>...
> If you post also the "client=" log entry for the transaction of
> interest, the "postconf -Mf" output and the content of the sender login
> table, more help will be possible.

I don't see "client=" anywhere in the logs... but here's the "postconf
-Mf" after making the changes you suggested above:

smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_wrappermode=no
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=hash:/etc/virtual
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
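Added example, not part of the thread above: a small model of how Postfix resolves smtpd_sender_login_maps (the user@domain, user, @domain search order from postconf(5)) and how reject_sender_login_mismatch decides on the result. It is run against two constructed tables shaped like the poster's: a sender-login table whose right-hand side is the SASL login, and a virtual(5)-style alias table whose right-hand side is an address. The master.cf output above points smtpd_sender_login_maps at hash:/etc/virtual, so the second run shows what that lookup returns. All addresses, domains and logins here (example.com, mail.example.com, auser, bob) are constructed; only the Postfix parameter names and the search order are real.

```python
"""Model of smtpd_sender_login_maps lookup + reject_sender_login_mismatch.

Added example, not code from the mailing-list thread. Tables, domains and
logins below are constructed for illustration.
"""


def parse_table(text):
    """Parse the source of a hash: table ('key value' per line).

    Postfix recognises '#' comments only at the start of a line; a trailing
    '# ...' on a data line becomes part of the value, which this mimics.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")   # whitespace separates key and value
        table[key.lower()] = value.strip()    # hash: lookup keys are case-folded
    return table


def lookup_owners(table, sender, local_domains):
    """Return the set of SASL logins owning `sender`, or None if no key matches.

    Search order documented for smtpd_sender_login_maps in postconf(5):
      1. user@domain   always, highest precedence
      2. user          only when domain is in $myorigin, $mydestination, ...
      3. @domain       lowest precedence
    """
    sender = sender.lower()
    if "@" not in sender:
        return None
    user, domain = sender.rsplit("@", 1)
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            # RHS is a list of login names separated by comma and/or whitespace
            return {name.lower() for name in table[key].replace(",", " ").split()}
    return None


def check(table, sender, sasl_login, local_domains):
    """(rejected, reason) as reject_sender_login_mismatch would decide.

    Authenticated clients may only use MAIL FROM addresses their login owns;
    unauthenticated clients may not use any address that has an owner.
    """
    owners = lookup_owners(table, sender, local_domains)
    if sasl_login is None:
        if owners:
            return True, f"unauthenticated client used owned address {sender}"
        return False, "unauthenticated, address has no owner"
    if owners is None:
        return True, f"{sender} is owned by nobody, so login {sasl_login} may not use it"
    if sasl_login.lower() not in owners:
        return True, f"{sender} is owned by {sorted(owners)}, not by {sasl_login}"
    return False, "ok"


LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # constructed $mydestination

# Constructed sender-login table: RHS is the SASL login name.
SENDERLOGIN = parse_table("""
# senderlogin
auser@example.com         auser
auser@mail.example.com    auser
""")

# Constructed virtual(5) alias table: RHS is an address, never equal to "auser".
VIRTUAL = parse_table("""
# virtual
auser@example.com         auser@example.com
anotheruser@example.com   auser@example.com
auser                     auser@example.com
""")


def demo():
    """The poster's situation against both tables; only the first case permits."""
    return {
        "right table, own address": check(SENDERLOGIN, "auser@example.com", "auser", LOCAL_DOMAINS),
        "right table, not yours":   check(SENDERLOGIN, "bob@example.com", "auser", LOCAL_DOMAINS),
        "right table, no SASL":     check(SENDERLOGIN, "auser@example.com", None, LOCAL_DOMAINS),
        "virtual as login map":     check(VIRTUAL, "auser@example.com", "auser", LOCAL_DOMAINS),
    }


if __name__ == "__main__":
    for name, (rejected, reason) in demo().items():
        print(f"{name:26} -> {'REJECT' if rejected else 'permit'}: {reason}")
```

The point of the last case: when the table behind smtpd_sender_login_maps is an alias map, the lookup succeeds but yields an address, so the comparison with the SASL login name can never match and every authenticated sender is rejected, regardless of how the client logs in.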

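A second added example, again not from the thread: the outbound TLS point Viktor raises. smtpd_tls_security_level governs the server side (what this host offers to clients that connect to it); smtp_tls_security_level governs the client side (what this host does when it delivers). The checker below parses two constructed main.cf snippets, one with only the smtpd_ setting and one with smtp_tls_security_level = may plus a policy table entry for [smtp.gmail.com]:587, reports the effective outbound level for a given next-hop, and flags the smtp_/smtpd_ mix-up. The policy lookup is exact-key only, a simplification of Postfix's smtp_tls_policy_maps matching; the file paths and certificate locations are placeholders.

```python
"""Resolve the *outbound* TLS posture of a Postfix main.cf and flag the
smtpd_/smtp_ mix-up.

Added example, not from the thread. The two main.cf snippets and the policy
table are constructed; parameter names are Postfix's own. The policy lookup
is exact-key only (real smtp_tls_policy_maps matching is more elaborate).
"""


def parse_main_cf(text):
    """Parse main.cf: 'name = value'; continuation lines start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_policy_table(text):
    """Parse the source of an smtp_tls_policy_maps table: 'nexthop level [attrs]'."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        policy[key.lower()] = value.strip()
    return policy


def outbound_tls_level(params, policy, nexthop):
    """Return (level, source) for deliveries to `nexthop`.

    A policy-table hit wins; otherwise smtp_tls_security_level applies. When
    that is empty (the stock default) Postfix falls back to the legacy
    smtp_use_tls/smtp_enforce_tls booleans, which default to 'no': cleartext.
    (The legacy booleans are not modelled here.)
    """
    if nexthop.lower() in policy:
        return policy[nexthop.lower()].split()[0], "smtp_tls_policy_maps"
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level, "smtp_tls_security_level"
    return "none", "default (smtp_tls_security_level empty)"


def lint(params):
    """Flag the mistake from the thread: server side configured, client side not."""
    warnings = []
    if params.get("smtpd_tls_security_level") and not params.get("smtp_tls_security_level"):
        warnings.append("smtpd_tls_security_level is set but smtp_tls_security_level "
                        "is not: inbound STARTTLS is offered, outbound mail goes in cleartext")
    return warnings


# Constructed "before": only the server (smtpd_) side is configured.
BEFORE = """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
"""

# Constructed "after": opportunistic TLS for everyone, mandatory verified TLS
# for the GMail submission service if mail is ever routed there.
AFTER = BEFORE + """
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""

# Constructed policy table source (postmap(1) would compile it).
POLICY = """
# nexthop                  level
[smtp.gmail.com]:587       secure
"""


def report(main_cf, policy_src, nexthop):
    """Effective level plus lint findings for one configuration."""
    params = parse_main_cf(main_cf)
    level, source = outbound_tls_level(params, parse_policy_table(policy_src), nexthop)
    return {"level": level, "source": source, "warnings": lint(params)}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for hop in ("gmail.com", "[smtp.gmail.com]:587"):
            print(label, hop, report(cfg, POLICY, hop))
```

With "may", delivery to a random MX still falls back to cleartext when the peer offers no STARTTLS, which is the behaviour the poster says he still wants to test; "secure" on the [smtp.gmail.com]:587 entry is what makes a password-carrying submission connection fail closed rather than leak to a man in the middle.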