On Tue, 2024-10-22 at 22:23 -0400, Wietse Venema via Postfix-users
wrote:
> 
> That is incorrect. Any SMTP client is allowed to send mail to
> Postfix, but RELAYING is restricted with permit_mynetworks,
> permit_sasl_authenticated, and the like.
> 
> > And that note in the log message is useless when the authentication
> > failure is actually caused by not having relay privileges.  It's
> 
> That is incorrect. Relay privileges depend (through permit_mynetworks)
> on SASL authentication. SASL authentication does not depend on relay
> privileges.

Ok - sorry. You are correct.  I am wrong.  Looking back more carefully through 
the logs, I can only reflect that I must have been changing too many things at 
once, becoming impatient.  And, I didn't read that part about PLAIN or LOGIN 
authentication ONLY until later - "Do not specify any other mechanisms in 
mech_list than PLAIN or LOGIN when using saslauthd!"  Usually I read the 
instructions first - but sometimes I presume too much.  SASL is way more 
complicated than it first appears.

Still, perhaps you would consider adding a kind of "troubleshooting" section to 
the SASL_README, using log file examples, which would then be indexed by Google 
and other search engines?  I have compiled examples here of: 1) a SASL 
misconfiguration, 2) an MUA misconfiguration, 3) a Postfix misconfiguration, 
and 4) a Working configuration.  These illustrate three parts needed to send 
email with SASL submissions: a) TLS, b) SASL, c) Relay.


After first establishing a TLS connection:
 postfix/submissions/smtpd[1339911]: connect from _gateway[192.168.2.10]
 postfix/submissions/smtpd[1339911]: Anonymous TLS connection established from _gateway[192.168.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 


SASL Problem:
 postfix/submissions/smtpd[1269377]: warning: SASL authentication failure: Password verification failed
 postfix/submissions/smtpd[1269377]: warning: _gateway[192.168.2.10]: SASL PLAIN authentication failed: authentication failure, sasl_username=b...@example.com


MUA Problem? - Postfix only supports PLAIN and LOGIN authentication when using saslauthd:
 postfix/submissions/smtpd[1261813]: warning: SASL authentication failure: client response doesn't match what we generated (tried bogus)
 postfix/submissions/smtpd[1261813]: warning: _gateway[192.168.2.10]: SASL DIGEST-MD5 authentication failed: authentication failure, sasl_username=b...@example.com

 postfix/submissions/smtpd[1262013]: warning: SASL authentication failure: incorrect digest response
 postfix/submissions/smtpd[1262013]: warning: _gateway[192.168.2.10]: SASL CRAM-MD5 authentication failed: authentication failure, sasl_username=b...@example.com


Postfix Problem:
 postfix/submissions/smtpd[1494426]: NOQUEUE: reject: RCPT from _gateway[192.168.2.10]: 554 5.7.1 <al...@gmail.com>: Relay access denied; from=<b...@example.com> to=<al...@gmail.com> proto=ESMTP helo=<[192.168.2.10]>


Working Configuration:
 postfix/submissions/smtpd[1339911]: A3902CA33A2: client=_gateway[192.168.2.10], sasl_method=PLAIN, sasl_username=b...@example.com


James
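
Added example (not part of the original message, and not Postfix code): a small Python triage that sorts submission-service log lines like the ones above into the TLS, SASL, MUA-mechanism and relay stages, grouped by smtpd process ID. The sample log is constructed, and the function names, stage labels and hint strings are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts above; PIDs, queue ID and
# addresses are placeholders, not values from a real system.
SAMPLE_LOG = """\
postfix/submissions/smtpd[101]: Anonymous TLS connection established from _gateway[192.168.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
postfix/submissions/smtpd[101]: warning: _gateway[192.168.2.10]: SASL PLAIN authentication failed: authentication failure, sasl_username=user@example.com
postfix/submissions/smtpd[102]: warning: _gateway[192.168.2.10]: SASL CRAM-MD5 authentication failed: authentication failure, sasl_username=user@example.com
postfix/submissions/smtpd[103]: NOQUEUE: reject: RCPT from _gateway[192.168.2.10]: 554 5.7.1 <rcpt@example.net>: Relay access denied; from=<user@example.com> to=<rcpt@example.net> proto=ESMTP helo=<[192.168.2.10]>
postfix/submissions/smtpd[104]: 0123456789A: client=_gateway[192.168.2.10], sasl_method=PLAIN, sasl_username=user@example.com
"""

# Assumption taken from the message: with saslauthd only PLAIN and LOGIN work.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}
LINE_RE = re.compile(r"smtpd\[(\d+)\]: (.*)")
FAIL_RE = re.compile(r"SASL (\S+) authentication failed")
OK_RE = re.compile(r"sasl_method=([^,\s]+)")

def classify(line):
    """Return (pid, stage, hint) for a relevant smtpd line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, msg = m.groups()
    if "TLS connection established" in msg:
        return pid, "tls", "TLS established"
    fail = FAIL_RE.search(msg)
    if fail and fail.group(1) not in SASLAUTHD_MECHS:
        return pid, "mua", f"client chose {fail.group(1)}; offer only PLAIN/LOGIN in mech_list"
    if fail:
        return pid, "sasl", "password check failed; verify credentials and saslauthd"
    if "Relay access denied" in msg:
        return pid, "relay", "check permit_mynetworks / permit_sasl_authenticated"
    ok = OK_RE.search(msg)
    if ok:
        return pid, "ok", f"authenticated with {ok.group(1)} and queued"
    return None

def triage(log_text):
    """Group the stages seen per smtpd process ID, in log order."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            stages[hit[0]].append(hit[1])
    return dict(stages)

if __name__ == "__main__":
    for pid, seen in triage(SAMPLE_LOG).items():
        print(pid, " -> ".join(seen))
```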
