On Tue, 8 Jun 2010, Phil Howard wrote:
On Tue, Jun 8, 2010 at 09:47, Larry Stone <lston...@stonejongleux.com> wrote:
On Tue, 8 Jun 2010, Phil Howard wrote:
On Fri, Jun 4, 2010 at 18:31, Sahil Tandon <sa...@freebsd.org> wrote:
On Fri, 04 Jun 2010, Dan Burkland wrote:
Relevant configuration entries:
-------main.cf--------
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination
^^^^^^^^^
-------master.cf-------
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions_permit_sasl_authenticated,reject
^^^^^^
You might have incorrectly assumed that if one restriction list
evaluates to OK, that the following restriction lists are skipped. This
is not the case. You OK the SASL authenticated client in
smtpd_client_restrictions, but then smtpd_recipient_restrictions are
still evaluated based on the definition in main.cf. For a better
understanding, review SMTPD_ACCESS_README.
I'm assuming that:
-o smtpd_client_restrictions_permit_sasl_authenticated,reject
is intended to be:
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Phil, you're not getting what people are trying to tell you. Your entry in
master.cf for submission overrides smtpd_CLIENT_restrictions. You are not
overriding smtpd_RECIPIENT_restrictions so the smtpd_recipient_restrictions
= permit_mynetworks, reject_unauth_destination
in main.cf is still applied. And that says if it's not mynetworks, reject.
SASL authentication is never looked at in that restriction.
Did you even look at what I posted? There is no config item called
"smtpd_client_restrictions_permit_sasl_authenticated".
And did you even read what I wrote? I am well aware you made a typo
earlier. I understand what you meant and said nothing about the mistake.
I wasn't
talking about smtpd_recipient_restrictions at all.
You might not be but I am and I'm pretty sure that's your problem (if I'm
remembering correctly what the original problem is. It is that remote
users connect to submission, SASL authenticate, but get rejected trying
to send to non-local destination, correct?).
That you did not specify smtpd_recipient_restrictions in master.cf does
not mean its value is blank. Rather, it takes the value from main.cf which
is permit_mynetworks, reject_unauth_destination
So let's see what happens when a remote user connects to submission, SASL
authenticates, tries to send to a destination off your server, and Postfix
gets to evaluating smtpd_recipient_restrictions. First it checks
permit_mynetworks. The user is remote and not in mynetworks so it
evaluates to DUNNO. Then it checks reject_unauth_destination. The
destination is not an authorized destination so REJECT. Get it, it
evaluates to REJECT! That you had permit_sasl_authenticated in
smtpd_client_restrictions is irrelevant because this is a different
restriction and they both need to evaluate to OK.
-- Larry Stone
lston...@stonejongleux.com
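
Added example, not part of the original thread and not Postfix code: a simplified Python model of the evaluation Larry walks through, showing that an OK in smtpd_client_restrictions does not skip smtpd_recipient_restrictions. The empty main.cf client list, the session fields, and the SUBMISSION_FIXED override are assumptions made for illustration.

```python
# Simplified model of Postfix smtpd restriction-list evaluation (not Postfix source).
MAIN_CF = {
    "smtpd_client_restrictions": [],  # assumed empty; not shown in the thread
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}
# The submission override as Phil says it was intended (with "=").
SUBMISSION_AS_POSTED = {
    "smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"],
}
# Hypothetical fix: also override the recipient list for the submission service.
SUBMISSION_FIXED = dict(
    SUBMISSION_AS_POSTED,
    smtpd_recipient_restrictions=["permit_sasl_authenticated", "reject"],
)

def check(restriction, s):
    """Return OK, REJECT or DUNNO for one restriction against session s."""
    if restriction == "permit_mynetworks":
        return "OK" if s["in_mynetworks"] else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if s["sasl_authenticated"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        return "DUNNO" if s["rcpt_is_local_or_relay"] else "REJECT"
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(overrides, s):
    """Evaluate every list in turn; an OK ends only the current list."""
    effective = {**MAIN_CF, **overrides}  # -o replaces only the named parameter
    trace = []
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        verdict = "DUNNO"
        for r in effective[name]:
            verdict = check(r, s)
            if verdict != "DUNNO":
                break  # first OK or REJECT decides this list
        trace.append((name, verdict))
        if verdict == "REJECT":
            return "REJECT", trace
    return "ACCEPT", trace

# Constructed session: remote SASL-authenticated user mailing an off-server address.
REMOTE_SASL = {"in_mynetworks": False, "sasl_authenticated": True,
               "rcpt_is_local_or_relay": False}

if __name__ == "__main__":
    print(evaluate(SUBMISSION_AS_POSTED, REMOTE_SASL))
    print(evaluate(SUBMISSION_FIXED, REMOTE_SASL))
```
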