On Tue, Oct 22, 2024 at 06:53:03PM -0600, James Feeney via Postfix-users wrote:

> > It does not give permission to relay.  An SMTP client still has to
> > SASL authenticate before they have "permit_sasl_authenticated"
> > privileges.
> 
> And, the reverse.  An SMTP client also *has* to have relay privileges,
> such as "permit_sasl_authenticated" or "permit_mynetworks", otherwise,
> "smtpd_sasl_auth_enable" is useless.

SASL authentication is of course useful only if authenticated users have
greater (or at least different) permissions than unauthenticated users.

In written works about security one often runs into the acronym "AAA",
which stands for:

    1. Authentication
    2. Authorisation
    3. Auditing

From that perspective, "smtpd_sasl_auth_enable" supports authentication,
but authentication alone does not and should not subsume authorisation,
one still needs to specify who's allowed to do what (some form of access
control lists).

For authorisation, you can use combinations of various primitives, such
as "permit_sasl_authenticated", "check_sasl_access",
"reject_sender_login_mismatch", ... to grant or restrict access to
relaying, use of specific envelope sender addresses, restrict delivery
to particular recipients, ...

And finally, the Postfix logs provide an audit trail.


> > With Postfix 2.9 and later, master.cf is configured so that a Postfix
> > submission-like SMTP server logs its name as:
> > 
> >     postfix/submission/smtpd 
> >     postfix/submissions/smtpd 
> >     postfix/smtps/smtpd 
> > 
> 
> And that note in the log message is useless when the authentication
> failure is actually caused by not having relay privileges.  It's the
> same log message, for either cause, and the user cannot tell the
> difference, whether the cause is a SASL configuration problem or a
> postfix configuration problem.

The above is of course nonsense, not having relay access is an
*authorisation* failure, not an authentication failure.  Whether
the client is authenticated or not is logged at the start of
the mail transaction, along with the queue id:

    Oct 20 15:12:48 amnesiac postfix/submission/smtpd[900561]: A847C92B6EF:
        client=unknown[...], sasl_method=GSSAPI, sasl_username=viktor

On the other hand, when an authenticated sender or recipient is rejected
prior to queue file allocation, the logs show:

    Oct 23 14:19:04 amnesiac postfix/submission/smtpd[1067080]: NOQUEUE:
        reject: RCPT from ...: 550 5.1.1 <postfix-us...@dukhovni.org>:
        Recipient address rejected: Surely you jest;
        from=<presid...@whitehouse.gov> to=<postfix-us...@dukhovni.org>
        proto=ESMTP helo=<smtpclient.apple>
    Oct 23 14:19:04 amnesiac postfix/submission/smtpd[1067080]:
        disconnect from ... ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1
        commands=6/7

and this does not include the "sasl_username", though at the end of the
connection (after collating the logs) we see that there was a successful
"auth" command.

It is perhaps reasonable as a feature request to ask for the
"sasl_username" to also be logged when rejecting SMTP commands from
authenticated users.  For example, with the below patch, you'd get:

    Oct 23 14:49:05 amnesiac postfix/submission/smtpd[1071938]: NOQUEUE:
        reject: RCPT from ...: 550 5.1.1 <postfix-us...@dukhovni.org>:
        Recipient address rejected: Surely you jest;
        from=<presid...@whitehouse.gov> to=<postfix-us...@dukhovni.org>
        proto=ESMTP helo=<smtpclient.apple> sasl_method=GSSAPI sasl_username=viktor
    Oct 23 14:49:05 amnesiac postfix/submission/smtpd[1071938]:
        disconnect from ... ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1
        commands=6/7

--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -1016,6 +1016,14 @@ void    log_whatsup(SMTPD_STATE *state, const char 
*whatsup,
        vstring_sprintf_append(buf, " proto=%s", state->protocol);
     if (state->helo_name)
        vstring_sprintf_append(buf, " helo=<%s>", state->helo_name);
+#ifdef USE_SASL_AUTH
+    if (state->sasl_method)
+       vstring_sprintf_append(buf, " sasl_method=%s", state->sasl_method);
+    if (state->sasl_username)
+       vstring_sprintf_append(buf, " sasl_username=%s", state->sasl_username);
+    if (state->sasl_sender)
+       vstring_sprintf_append(buf, " sasl_sender=%s", state->sasl_sender);
+#endif
     msg_info("%s", STR(buf));
     vstring_free(buf);
 }
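Review bot: the three new fields are appended with a bare `%s`, exactly like the existing `helo=<%s>` two lines above, and nothing in this hunk sanitises them; since this is the record operators grep and collate, confirm that `state->sasl_username` and `state->sasl_sender` are stored in printable form where they are assigned, as the other `%s` fields on this line must be. Separately, the example output in the message shows `sasl_method=` and `sasl_username=` but never `sasl_sender=`, so the new trailer should be documented wherever the NOQUEUE reject log format is described, listing all three optional fields, so that log parsers know an `sasl_sender=` may follow `sasl_username=`.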

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
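The collation step the message describes (tying a NOQUEUE reject to the same smtpd process's disconnect summary, or reading sasl_username straight off the reject line once the proposed patch is in place) as an added Python example; this is not part of the original mail or of Postfix. The log lines it parses are constructed, modelled on the formats quoted above, with made-up addresses and a third, unauthenticated session added for contrast. The verdict it produces is the distinction the message draws: an authenticated client that is rejected has failed authorisation, not authentication.

```python
"""Collate Postfix smtpd log lines per smtpd process so that a NOQUEUE reject can be
tied to the session's SASL state: an authenticated client that is denied is an
authorisation failure, not an authentication failure."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines (not real traffic), modelled on the formats quoted in the thread.
# pid 1067080: stock format, the reject line carries no sasl_* fields; only the
#              disconnect summary (auth=1) reveals that the session had authenticated.
# pid 1071938: format produced by the proposed patch, sasl_username is on the reject line.
# pid 2000001: an unauthenticated client refused relay (auth=0/1 = one failed attempt).
SAMPLE_LOG = """\
Oct 20 15:12:48 amnesiac postfix/submission/smtpd[900561]: A847C92B6EF: client=unknown[192.0.2.10], sasl_method=GSSAPI, sasl_username=viktor
Oct 23 14:19:04 amnesiac postfix/submission/smtpd[1067080]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <list@example.invalid>: Recipient address rejected: Surely you jest; from=<boss@example.invalid> to=<list@example.invalid> proto=ESMTP helo=<smtpclient.apple>
Oct 23 14:19:04 amnesiac postfix/submission/smtpd[1067080]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Oct 23 14:49:05 amnesiac postfix/submission/smtpd[1071938]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <list@example.invalid>: Recipient address rejected: Surely you jest; from=<boss@example.invalid> to=<list@example.invalid> proto=ESMTP helo=<smtpclient.apple> sasl_method=GSSAPI sasl_username=viktor
Oct 23 14:49:05 amnesiac postfix/submission/smtpd[1071938]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
Oct 23 15:02:11 amnesiac postfix/submission/smtpd[2000001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<x@example.org> to=<someone@example.net> proto=ESMTP helo=<mail.example.org>
Oct 23 15:02:11 amnesiac postfix/submission/smtpd[2000001]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=1 auth=0/1 mail=1 rcpt=0/1 quit=1 commands=4/6
"""

LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ "
                     r"postfix(?:/\S+)?/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUEID_RE = re.compile(r"^[0-9A-Za-z]+: client=(?P<client>[^,\s]+)(?P<rest>.*)$")
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<cmd>\w+) from (?P<client>\S+): (?P<rest>.*)$")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<client>\S+) (?P<counters>.*)$")
KV_RE = re.compile(r"\b(from|to|proto|helo|sasl_method|sasl_username|sasl_sender)=(<[^>]*>|[^\s,]+)")
COUNTER_RE = re.compile(r"\b([a-z]+)=(\d+)(?:/\d+)?")   # name=ok or name=ok/total


@dataclass
class Session:
    pid: str
    client: Optional[str] = None
    sasl_username: Optional[str] = None   # from the queue-id line, if the session got that far
    rejects: list = field(default_factory=list)
    auth_ok: int = 0                      # successful AUTH commands per the disconnect summary


def parse_kv(text: str) -> dict:
    """Turn 'from=<a@b> to=<c@d> proto=ESMTP ...' into a dict, stripping the <>."""
    return {k: v.strip("<>") for k, v in KV_RE.findall(text)}


def collate(log_text: str) -> list[Session]:
    """Group lines by smtpd pid: one smtpd process serves one connection at a time,
    so a session is everything up to and including its 'disconnect' line."""
    open_sessions: dict[str, Session] = {}
    finished: list[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an smtpd line
        pid, msg = m.group("pid"), m.group("msg")
        sess = open_sessions.setdefault(pid, Session(pid=pid))
        if (q := QUEUEID_RE.match(msg)):
            sess.client = q.group("client")
            sess.sasl_username = parse_kv(q.group("rest")).get("sasl_username")
        elif (r := REJECT_RE.match(msg)):
            sess.client = r.group("client")
            rest = r.group("rest")
            cut = rest.rfind("; from=")                # reason text ends where the trailer begins
            reason, trailer = (rest[:cut], rest[cut + 2:]) if cut >= 0 else (rest, "")
            sess.rejects.append({"command": r.group("cmd"), "reason": reason, **parse_kv(trailer)})
        elif (d := DISCONNECT_RE.match(msg)):
            counters = dict(COUNTER_RE.findall(d.group("counters")))
            sess.auth_ok = int(counters.get("auth", 0))
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())            # sessions still open at end of log
    return finished


def analyse(log_text: str) -> list[dict]:
    """One verdict per reject: did the client authenticate, and which line proved it?"""
    out = []
    for s in collate(log_text):
        for rej in s.rejects:
            if rej.get("sasl_username"):       # patched format: username on the reject line itself
                user, evidence = rej["sasl_username"], "reject line"
            elif s.sasl_username:              # stock format, logged with the queue id
                user, evidence = s.sasl_username, "queue-id line"
            elif s.auth_ok:                    # stock format, only the disconnect summary tells
                user, evidence = None, "disconnect auth counter"
            else:
                user, evidence = None, "none"
            out.append({"pid": s.pid, "client": s.client, "command": rej["command"],
                        "recipient": rej.get("to"), "reason": rej["reason"],
                        "sasl_username": user, "evidence": evidence,
                        "kind": "authorisation" if evidence != "none" else "unauthenticated"})
    return out


if __name__ == "__main__":
    for v in analyse(SAMPLE_LOG):
        print(f"pid={v['pid']} {v['kind']:<15} user={v['sasl_username'] or '-':<7} "
              f"evidence={v['evidence']:<23} to=<{v['recipient']}> {v['reason']}")
```

Grouping by pid works because an smtpd process handles one connection at a time, so everything logged by that pid up to its disconnect line belongs to one session; the stock format can only say that some AUTH command succeeded, while the patched format names the user on the reject line itself.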