On Tue, 2024-10-22 at 15:30 -0400, Wietse Venema via Postfix-users wrote:
> James Feeney via Postfix-users:
> > If I am now understanding correctly:
> >
> > ====
> > The "smtpd_sasl_auth_enable=yes" configuration parameter for
> > accessing "smtpd submissions", in master.cf, is *entirely distinct*
> > from the "smtpd_relay_restrictions = permit_sasl_authenticated"
> > configuration parameter,
>
> I don't see "entirely" or "distinct" in Postfix SASL documentation.

Yeah. That's a problem with the SASL_README, where it fails to really bring out this issue.

> > Since I was rather confused on this point, and confused by the log
> > message - checking and rechecking the SASL configuration, in
> > futility - other people might be as well.
> >
> > Perhaps a bold print "Important" notice with the above text, or
> > something similar, could be added to
> > https://www.postfix.org/SASL_README.html under the section "Enabling
> > SASL authorization in the Postfix SMTP server".
>
> As the title says, this enables SASL authentication and authorization.
> It does not give permission to relay. An SMTP client still has to
> SASL authenticate before they have "permit_sasl_authenticated"
> privileges.

And, the reverse. An SMTP client also *has* to have relay privileges, such as "permit_sasl_authenticated" or "permit_mynetworks", otherwise, "smtpd_sasl_auth_enable" is useless. That is the point here. Maybe I was not being clear about this?

Of course, the "client" in this case is actually not an "smtp client", on port 25, when it is instead a "submissions client", on port 465.

> With Postfix 2.9 and later, master.cf is configured so that a Postfix
> submission-like SMTP server logs its name as:
>
>     postfix/submission/smtpd
>     postfix/submissions/smtpd
>     postfix/smtps/smtpd

And that note in the log message is useless when the authentication failure is actually caused by not having relay privileges. It's the same log message, for either cause, and the user cannot tell the difference, whether the cause is a SASL configuration problem or a postfix configuration problem.

James
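
Added example, not part of the original message and not Postfix code: a heuristic lint for the mismatch discussed in this thread, flagging smtpd services in master.cf that enable SASL while their effective smtpd_relay_restrictions never mention permit_sasl_authenticated. The function names and the sample master.cf are constructed for illustration; it assumes the plain "-o name=value" override form and does not expand $name references.

```python
# Added example: heuristic lint, not part of Postfix. SAMPLE_MASTER_CF is constructed.
SAMPLE_MASTER_CF = """\
smtp        inet  n  -  n  -  -  smtpd
submissions inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_mynetworks,reject
submission  inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def master_services(text):
    """Yield (service, command, overrides) for each logical master.cf line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0].isspace() and logical:  # leading whitespace continues the entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        fields = line.split()
        if len(fields) < 8:               # service type private unpriv chroot wakeup maxproc command
            continue
        args, overrides = fields[8:], {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                overrides[name] = value
        yield fields[0], fields[7], overrides

def sasl_without_relay(master_text, main_relay, main_sasl="no"):
    """Return [(service, relay_restrictions)] where SASL is enabled but
    authenticating grants no relay permission in smtpd_relay_restrictions.
    main_relay / main_sasl are the main.cf values supplied by the caller."""
    findings = []
    for service, command, overrides in master_services(master_text):
        if command != "smtpd":
            continue
        if overrides.get("smtpd_sasl_auth_enable", main_sasl) != "yes":
            continue
        relay = overrides.get("smtpd_relay_restrictions", main_relay)
        if "permit_sasl_authenticated" not in relay.replace(",", " ").split():
            findings.append((service, relay))
    return findings
```

On a real system, pass the contents of master.cf and the output of `postconf -h smtpd_relay_restrictions` and `postconf -h smtpd_sasl_auth_enable` as the main.cf values.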