James Feeney via Postfix-users:
> If I am now understanding correctly:
> 
> ====
> The "smtpd_sasl_auth_enable=yes" configuration parameter for
> accessing "smtpd submissions", in master.cf, is *entirely distinct*
> from the "smtpd_relay_restrictions = permit_sasl_authenticated"
> configuration parameter, 

I don't see "entirely" or "distinct" in Postfix SASL documentation.

Here is the relationship:

1) smtpd_relay_restrictions grants relay permission.

2) "smtpd_relay_restrictions = permit_sasl_authenticated" requires
   that an SMTP client uses SASL authentication.

3) permit_sasl_authenticated requires that SASL authentication is
   enabled with "smtpd_sasl_auth_enable=yes".

> Since I was rather confused on this point, and confused by the log
> message - checking and rechecking the SASL configuration, in
> futility - other people might be as well.
> 
> Perhaps a bold print "Important" notice with the above text, or
> something similar, could be added to
> https://www.postfix.org/SASL_README.html under the section "Enabling
> SASL authorization in the Postfix SMTP server".

As the title says, this enables SASL authentication and authorization.
It does not give permission to relay.  An SMTP client still has to
SASL authenticate before they have "permit_sasl_authenticated"
privileges.

> And/or, the log message could be made in stages, to distinguish
> explicitly whether the failure occurred with the master.cf "smtpd
> submissions" check or with the main.cf "smtp relay" check.

With Postfix 2.9 and later, master.cf is configured so that a Postfix
submission-like SMTP server logs its name as:

        postfix/submission/smtpd 
        postfix/submissions/smtpd 
        postfix/smtps/smtpd 

That includes the logging where a submission-like SMTP server rejects
relay permission.

> I know this may seem obvious in retrospect, and the SASL_README already says 
> explicitly - though without emphasis - that:
> ----
>  After the client has authenticated with SASL, the Postfix SMTP server 
> decides what the remote SMTP client will be authorized for. ... These 
> permissions are not enabled by default.
> ----
> that language, to my mind, does not really convey the significance
> of this configuration parameter in main.cf, *in addition to* the
> configuration in master.cf, or the frustrating consequence of
> failing to configure this parameter properly.

It is not unusual that the use of feature X (in this case,
permit_sasl_authenticated or reject_sender_login_mismatch) requires
that the feature is first enabled (in this case with
smtpd_sasl_auth_enable).

        Wietse
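
The dependency listed in points 1) to 3) above, as an added example that is not part of the original message or of Postfix itself: a Python check over constructed main.cf and master.cf text that reports, for each smtpd service, whether SASL is enabled and whether smtpd_relay_restrictions lists permit_sasl_authenticated. The status labels and the 2525 service are hypothetical; parameters not set in the sample are treated as unset (Postfix built-in defaults are not modelled) and $name references are not expanded.

```python
import re

# Constructed sample files (not from the thread). Parameters absent here are
# treated as unset; Postfix's built-in defaults are not modelled.
MAIN_CF = """\
# relay policy shared by every smtpd service unless overridden with -o
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination
"""
MASTER_CF = """\
smtp        inet n - y - - smtpd
submission  inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
submissions inet n - y - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
2525        inet n - y - - smtpd
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comments/blank lines; join lines that start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(main_cf, master_cf):
    """Map each smtpd service to how SASL enablement and relay grant line up."""
    main = {k.strip(): v.strip() for k, v in
            (l.split("=", 1) for l in logical_lines(main_cf) if "=" in l)}
    labels = {(True, True): "ok", (True, False): "sasl-on-no-relay-grant",
              (False, True): "rule-listed-sasl-off", (False, False): "no-sasl-relay"}
    result = {}
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[7] != "smtpd":  # 8th column is the command name
            continue
        eff = dict(main)  # main.cf values first, then per-service -o overrides
        eff.update(a.split("=", 1) for o, a in zip(f[8:], f[9:]) if o == "-o" and "=" in a)
        sasl = eff.get("smtpd_sasl_auth_enable", "").lower() == "yes"
        rules = re.split(r"[,\s]+", eff.get("smtpd_relay_restrictions", ""))
        result[f[0]] = labels[sasl, "permit_sasl_authenticated" in rules]
    return result
```

In the sample, "submission" has SASL enabled in master.cf but inherits a main.cf relay policy without permit_sasl_authenticated, which is the combination discussed in this thread.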