I had thought / hoped this might be a straightforward question that would require only a pointer to the right place in the documentation (and not need a full-fledged problem report). Sorry I was mistaken.
I'm attaching my output from "postconf -n", my "transport" file, and my "sasl_password" file -- with a few superfluous and/or confidential items edited.

Again, my primary mail server (whodunit.richw.org) is running Postfix 2.6.5. My default relay host (www.richw.org, run by a web hosting service that also offers e-mail service) demands per-sender authentication for mail submission. I enabled sender-dependent SMTP authentication (via "smtp_sender_dependent_authentication = yes" in main.cf, as described in http://www.postfix.org/postconf.5.html) -- and I specified the username / password information for each sender address in my SASL password file (actually more than just the two shown here, but I hope the two examples I'm showing here will suffice to illustrate).

So far, so good -- the above works just fine; mail goes out via the relay host www.richw.org, and the authentication works.

Now, here's my problem. I want to be able to do special handling of mail to a subdomain (sandals.richw.org). Mail for this subdomain should be relayed via its own server (sandals.richw.org, as shown in my "transport" file) -- and this alternate relay host should *not* require any authentication.

But I soon found that my main server could not successfully send anything to Sandals; outbound messages stuck in the queue displayed errors like this (temporary error because of "soft_bounce = yes" on Sandals):

    83DED1C26DC 1878 Sat May 29 22:29:42 ri...@richw.org
    (SASL authentication failed; server sandals.richw.org[10.0.229.117] said: 435 4.7.8 Error: authentication failed: authentication failure)
    ri...@sandals.richw.org

and the "auth.log" file on Sandals showed the following:

    May 29 22:29:42 sandals saslauthd[3389]: do_auth : auth failure: [user=richw+richw.org] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]

It appears that my main server was attempting to give SASL username / password information (originally intended to be given only to my main relay, www.richw.org) to the Sandals relay server -- and since Sandals was not configured to expect this info, authentication was failing.

I do understand, BTW, why Postfix is trying to authenticate to this alternate relay host -- since I'm currently specifying authentication in a sender-dependent fashion, it's matching the sender address and deciding solely on that basis to send the username / password data corresponding to that sender address. But this isn't what I want, because I really want to do authentication only to my main relay host.

I can work around this problem by installing the authentication data onto the Sandals server too. This way, the authentication data that my server insists on sending is accepted by both relay hosts -- and when I do this, everything works.

But what I would really prefer to do would be to have Postfix send my sender-dependent SMTP authentication info *only* to my primary relay server (www.richw.org), and send *no* authentication when relaying to Sandals. Basically, I wish I could have authentication somehow be based *both* on host *and* sender together. However, I don't see any way to do this.

It appears that I can do one or the other -- either use the default per-host SMTP authentication (and have one username / password for www.richw.org, and no authentication for sandals.richw.org), or else use per-sender SMTP authentication (and use different username / password data for each sender, but attempt to authenticate identically to either server) -- but I apparently can *not* have authentication dependent *both* on the relay host *and* the sender e-mail address.

Any thoughts?

Rich Wales
ri...@richw.org

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 5
default_destination_recipient_limit = 1
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}; report problems to richwales )at( gmail.com
header_checks = pcre:/etc/postfix/ignore_tb_msgid
inet_protocols = ipv4
lmtp_destination_recipient_limit = 1
local_destination_concurrency_limit = 1
local_destination_recipient_limit = 1
local_header_rewrite_clients = permit_sasl_authenticated
local_recipient_maps = hash:/etc/postfix/local_recipients $alias_maps
mail_owner = postfix
mailbox_transport = lmtp:[127.0.0.1]
masquerade_domains = $mydomain
maximal_queue_lifetime = 30d
message_size_limit = 20000000
milter_default_action = accept
milter_protocol = 2
mydestination = pcre:/etc/postfix/lan_domains
mydomain = richw.org
myhostname = whodunit.richw.org
myorigin = $myhostname
non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
queue_directory = /var/spool/postfix
relay_destination_recipient_limit = 1
relay_domains = sandals.richw.org
relayhost = [www.richw.org]
smtp_destination_concurrency_limit = 1
smtp_destination_recipient_limit = 1
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_delay_open_until_valid_rcpt = no
smtpd_discard_ehlo_keywords = etrn,silent-discard
smtpd_etrn_restrictions = reject
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
smtpd_restriction_classes = do_postgrey
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_tls_CAfile = /etc/postfix/whodunit.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/whodunit.pem
smtpd_tls_key_file = /etc/postfix/whodunit.pem
smtpd_tls_received_header = yes
smtpd_use_tls = yes
soft_bounce = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_map
virtual_destination_recipient_limit = 1

sandals.richw.org relay:[sandals.richw.org]

ri...@richw.org richw+richw.org:PASSWORD1
j...@richw.org jen+richw.org:PASSWORD2
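
A simplified model of the behaviour described in the message above, added here as an example (it is not part of the original post and not Postfix code): with sender-dependent authentication the sender address is looked up in the password map before the next hop, so credentials follow the sender to whichever relay the transport map selects. All addresses, passwords and the `noauth` service name are constructed; the `noauth` case assumes a separate master.cf SMTP client service run with `-o smtp_sasl_auth_enable=no`.

```python
# Simplified model of Postfix SMTP client credential selection (not Postfix code).
# All addresses, passwords and the "noauth" service name are constructed.
SASL_PASSWORD = """\
alice@example.org  alice+example.org:PASSWORD1
bob@example.org    bob+example.org:PASSWORD2
"""
RELAYHOST = "[relay.example.org]"

def parse_map(text):
    """Parse a 'key value' lookup table, skipping blank and comment lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def next_hop(recipient, transport):
    """Return (service, nexthop): transport entry for the domain, else the relayhost."""
    entry = transport.get(recipient.rsplit("@", 1)[1].lower())
    if entry is None:
        return "smtp", RELAYHOST
    service, _, hop = entry.partition(":")
    return service, hop

def pick_credentials(sender, hop, passwords, sasl_enabled=True):
    """Sender-dependent lookup: sender address first, then the next hop."""
    if not sasl_enabled:
        return None
    return passwords.get(sender.lower()) or passwords.get(hop.lower())

def audit(senders, recipients, transport_text, noauth_services=()):
    """List (sender, nexthop, login) where credentials go to a host other than RELAYHOST."""
    passwords, transport = parse_map(SASL_PASSWORD), parse_map(transport_text)
    exposed = []
    for sender in senders:
        for rcpt in recipients:
            service, hop = next_hop(rcpt, transport)
            cred = pick_credentials(sender, hop, passwords, service not in noauth_services)
            if cred and hop != RELAYHOST:
                exposed.append((sender, hop, cred.split(":", 1)[0]))
    return exposed

SENDERS = ["alice@example.org", "bob@example.org"]
RCPTS = ["carol@sub.example.org", "dave@example.net"]
# Layout from the post: the subdomain uses the stock "relay" service, so SASL stays on.
AS_POSTED = audit(SENDERS, RCPTS, "sub.example.org relay:[sub.example.org]")
# Assumed alternative: a cloned service with smtp_sasl_auth_enable=no for that hop.
SEPARATED = audit(SENDERS, RCPTS, "sub.example.org noauth:[sub.example.org]", ("noauth",))
```

`AS_POSTED` lists each sender's login being offered to the subdomain relay, matching the `auth failure` line in the Sandals log; `SEPARATED` is empty because the authentication decision is made per service, not per sender.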