On Sun, Jun 22, 2025 at 09:40:41AM -0400, Wietse Venema via Postfix-users wrote:
> Matthew via Postfix-users:
> > Hi Viktor,
> >
> > I think it is more:
> >
> > 1. "reject_unauthenticated_sender_login_mismatch" implies to a
> > reasonable person that "unauthenticated senders" for our trusted domains
> > would be rejected (not logging in is a form of login mismatch).
>
> reject_unauthenticated_sender_login_mismatch
>     Reject the request when SASL is enabled, the MAIL FROM address
>     is listed in $smtpd_sender_login_maps, but the client is not
>     authenticated with SASL.
>
> SASL was NOT enabled, therefore none of the above 'protection'
> applies. I don't see how one could read it in any other way.

I agree this is pretty clear, though users grasping at straws to find a
conjectured feature will sometimes see what they'd like to see, and not
what's written.

With some effort it may be possible to say the same thing in a few
different ways, amplify the contrapositive, ... But that takes more
resources than available to a small volunteer project.

One thing the OP said is perhaps a general misconception, that could,
FWIW, be written down a bit more explicitly, though unlikely to help
prevent misunderstandings, because unlikely to be read. Rather it may
be helpful after the fact, to help some see the light with the benefit
of experience and hindsight.

What I am talking about is the comment about the meaning "when SASL is
enabled", as possibly applying to SASL being enabled somewhere else in
Postfix, rather than the smtpd(8) service that is processing the
restriction.

This is the sort of fundamental misunderstanding of the system
architecture that also leads some users to send smtp(8) parameter
overrides in an smtpd(8) listener and expect these to affect later
delivery of the incoming message. There is no such control channel
in Postfix.

Each service has its own private view of the configuration, mostly from
compile-time defaults, with some taken in order of increasing priority
from main.cf, and master.cf "-o key=value" overrides.

Just a few message-level properties like DSN info and any content_filter
configured for smtpd(8) or pickup(8) are recorded in the queue file and
affect some downstream behaviour, but never downstream configuration.
There is certainly no interaction between separate SMTP listeners (port
25 MTA and submission services).

Explaining this is subject matter for a book more than it is for
reference docs that users skim. But most users have not and will not
read a Postfix book. So naïve misconceptions of the architecture are
probably unavoidable.

-- 
    Viktor.
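
Added example (not part of the message above and not Postfix code): a small Python sketch of the layering the message describes, resolving each listener's private view from compile-time default, then main.cf, then master.cf "-o" overrides. The main.cf and master.cf contents are constructed samples, and the parser assumes plain "-o name=value" overrides with no $name expansion and no main.cf continuation lines.

```python
import shlex

# Constructed sample configuration (not from the thread).
BUILTIN_DEFAULTS = {"smtpd_sasl_auth_enable": "no"}  # Postfix compile-time default
MAIN_CF = """\
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_unauthenticated_sender_login_mismatch
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
"""

def parse_main_cf(text):
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Return {service: {name: value}} from '-o name=value' arguments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # continuation line
        else:
            entries.append(line)
    services = {}
    for fields in map(shlex.split, entries):
        args = fields[8:]  # skip service, type, five flags, command
        services[fields[0]] = dict(a.split("=", 1) for flag, a in
                                   zip(args, args[1:]) if flag == "-o" and "=" in a)
    return services

def effective_config(service):
    """One service's private view: default < main.cf < master.cf -o."""
    view = dict(BUILTIN_DEFAULTS)
    view.update(parse_main_cf(MAIN_CF))
    view.update(parse_master_cf(MASTER_CF)[service])
    return view

def sasl_enabled(service):
    # Enabling SASL on one listener never changes another listener's view.
    return effective_config(service)["smtpd_sasl_auth_enable"] == "yes"
```

In this sample the port 25 "smtp" listener resolves smtpd_sasl_auth_enable to "no", so the restriction quoted above does not apply there even though the submission listener has SASL on. On a live system, `postconf -n` shows the main.cf settings and `postconf -P` the master.cf "-o" overrides.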