Nick Sharp wrote:
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
>> us...@postfix.org] On Behalf Of Brian Evans - Postfix List
>> Sent: Tuesday, August 04, 2009 12:30 AM
>> To: Postfix users
>> Subject: Re: allow sasl authenticated on submission port and bypass rbl
>>
>> Nick Sharp wrote:
>>
>>> Sorry, was referring to the same log in my previous email, but didn't
>>> consider people may not always have that handy..
>>>
>>> Aug 3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT from
>>> unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client host
>>> rejected: Access denied; proto=SMTP
>>>
>>>
>> This transaction did not have a SASL auth that was successful.
>> Therefore, any permit_sasl_authenticated will not work.
>>
>> All log entries where SASL is successful, in smtpd, will have
>> "sasl_username=" and "sasl_method=" defined
>>
>>
>
> Ok, with smtpd_tls_security_level=encrypt as recommended, AUTH wasn't
> offered and therefore wouldn't match permit_sasl_authenticated. I got that
> going by changing encrypt to may and it now shows when I telnet..
>
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-AUTH=DIGEST-MD5 CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Now if I have -o
> smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> in the submission bit in master.cf, the connect immediately rejects unless
> matching mynetworks, still not giving a chance to do SASL..
>
> Any ideas why this would be?
>
> The nearest I can get is accept email to my domains with TLS, with or
> without AUTH, or block you from even negotiating AUTH? There is no middle
> ground it seems (or more I am missing it! :)
>
This is because you changed "smtpd_delay_reject = no" from its default
to Yes.
The client is not given a chance to AUTH with this setting.
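
The distinction drawn in this thread, as an added example that is not part of the original messages: a reject logged at the CONNECT stage was issued before the client could AUTH, while a successful login carries `sasl_method=` and `sasl_username=`. The function names and every sample line except the quoted reject are constructed for illustration.

```python
import re

# Constructed sample in Postfix smtpd syslog format. The first line is the
# reject quoted in the thread; the other two are made up for illustration.
SAMPLE_LOG = """\
Aug  3 22:08:27 mail1 postfix/smtpd[25798]: NOQUEUE: reject: CONNECT from unknown[58.171.194.208]: 554 5.7.1 <unknown[58.171.194.208]>: Client host rejected: Access denied; proto=SMTP
Aug  3 22:15:02 mail1 postfix/smtpd[25911]: 4F2A11C0D3: client=unknown[192.0.2.10], sasl_method=CRAM-MD5, sasl_username=alice
Aug  3 22:16:40 mail1 postfix/smtpd[25920]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <unknown[192.0.2.77]>: Client host rejected: Access denied; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<pc>
"""

# Matches both "postfix/smtpd[...]" and "postfix/submission/smtpd[...]".
SMTPD = r"postfix/(?:\w+/)?smtpd\[\d+\]: "
REJECT = re.compile(SMTPD + r"NOQUEUE: reject: (?P<stage>[A-Z-]+) from "
                    r"[^\s\[]*\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) ")
AUTH_OK = re.compile(SMTPD + r"\w+: client=[^\s\[]*\[(?P<ip>[^\]]+)\], "
                     r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")

# AUTH is only advertised in the EHLO reply, so a reject logged at these
# stages was issued before the client could authenticate.
PRE_AUTH_STAGES = {"CONNECT", "HELO", "EHLO"}


def classify(line):
    """Return (kind, ip, detail) for one log line, or None if not relevant."""
    m = AUTH_OK.search(line)
    if m:
        return ("auth_ok", m["ip"], f'{m["user"]} via {m["method"]}')
    m = REJECT.search(line)
    if m:
        pre_auth = m["stage"] in PRE_AUTH_STAGES
        kind = "reject_pre_auth" if pre_auth else "reject_delayed"
        return (kind, m["ip"], f'{m["code"]} at {m["stage"]}')
    return None


def summarize(log_text):
    """Group relevant lines by kind so pre-AUTH rejects stand out."""
    out = {"auth_ok": [], "reject_pre_auth": [], "reject_delayed": []}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            out[hit[0]].append(hit[1:])
    return out


if __name__ == "__main__":
    for kind, rows in summarize(SAMPLE_LOG).items():
        print(kind, rows)
```

Entries under `reject_pre_auth` on the submission port point at restrictions being evaluated before the client can log in, which is the symptom discussed above.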