On Sunday, 06 March 2011 at 13:58 +0100, Jeroen Geilman wrote:
> On 03/06/2011 01:18 PM, David Touzeau wrote:
>> Dear,
>>
>> I would like to use the submission port to authenticate users from the
>> internet, allowing them to use the Postfix smtpd server.
>>
>> For testing purposes, I have set a network different from the LAN to be
>> sure that Postfix allows SASL connections,
>>
>> but it seems that Postfix did not want to test the authentication method
>> and passed its rules through the subnet rules, to finally refuse the
>> connection with a "Client host rejected: Access denied".
>> We can see that there is a request to saslauthd
>> "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but I did
>> not really understand what it means..
>>
>> I'm using saslauthd through LDAP to perform credentials checking and
>> postfix 2.8.0
>>
>> Where am I wrong?
>>
>> When using testsaslauthd
>> ----------------------------------------------------------------------
>> testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
>> 0: OK "Success."
>>
>> Content of /etc/postfix/sasl/smtpd.conf
>> ----------------------------------------------------------------------
>> pwcheck_method: saslauthd
>> mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
>> log_level: 5
>>
>> master.cf
>> ----------------------------------------------------------------------
>> smtp       inet  n       -       n       -       -       smtpd
>> submission inet  n       -       n       -       -       smtpd
>>   -o smtpd_etrn_restrictions=reject
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtp_generic_maps=
>>   -o sender_canonical_maps=
>>
>> Here is a piece of the debug logs:
>> ----------------------------------------------------------------------
>
> Debug logs should not be required to solve SASL issues.
>
> Please include the output of postconf -n and the normal postfix logs for
> the observed behaviour, as described in:
>
> http://www.postfix.org/DEBUG_README.html#mail

Thanks Jeroen

Here is the information requested

postconf -n
--------------------------------------
2bounce_notice_recipient = postmaster
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file = /etc/postfix/bounce.template.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_process_limit = 100
delay_notice_recipient = david.touz...@touzeau.com
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
double_bounce_sender = double-bounce
empty_address_recipient = david.touz...@touzeau.com
enable_original_recipient = yes
error_notice_recipient = david.touz...@touzeau.com
header_address_token_limit = 10240
header_checks =
html_directory = /usr/share/doc/packages/postfix-doc/html
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_recipient_maps =
luser_relay =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 102400000
mailbox_transport = lmtp:unix:/var/spool/postfix/var/run/cyrus/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
master_service_disable =
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 102400000
message_strip_characters = \0
milter_command_timeout = 180
milter_connect_macros = j _ {daemon_name} {if_name} {if_addr} {client_name} {client_addr} {client_resolve} {client_ptr}
milter_connect_timeout = 180
milter_content_timeout = 600
milter_default_action = accept
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_ssf} {auth_author} {mail_mailer} {mail_host} {mail_addr} {client_addr} {if_addr}
milter_protocol = 6
milter_rcpt_macros = {rcpt_mailer} {rcpt_host} {rcpt_addr} {client_addr} {if_addr}
mime_header_checks =
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_instance_directories =
multi_instance_enable = no
mydestination = hash:/etc/postfix/mydestination
mydomain = $myhostname
myhostname = bigfiles.localhost.localdomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
myorigin = touzeau.com
newaliases_path = /usr/bin/newaliases
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
receive_override_options =
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_canonical_maps =
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps =
relayhost = [127.0.0.1]:3045
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address6 =
smtp_connect_timeout = 30s
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_enforce_tls = no
smtp_generic_maps = hash:/etc/postfix/smtp_generic_maps
smtp_helo_timeout = 300s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_send_xforward_command = yes
smtp_sender_dependent_authentication = yes
smtp_tls_mandatory_protocols = SSLv3,TLSv1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = no
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,permit_mynetworks,permit_sasl_authenticated,check_client_access hash:/etc/postfix/postfix_allowed_connections,reject_unknown_client_hostname,reject_invalid_hostname,reject_unknown_reverse_client_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_rbl_client zen.spamhaus.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,permit,check_client_access hash:/etc/postfix/postfix_allowed_connections,reject_non_fqdn_hostname,reject_rbl_client=zen.spamhaus.org,reject_rbl_client=sbl.spamhaus.org,reject_rbl_client=cbl.abuseat.org
smtpd_delay_reject = no
smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,check_client_access hash:/etc/postfix/postfix_allowed_connections,reject_non_fqdn_hostname,reject_invalid_hostname,permit
smtpd_milters = unix:/var/spool/postfix/var/run/amavisd-milter/amavisd-milter.sock
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/disallow_my_domain
smtpd_reject_unlisted_recipient = yes
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender
smtpd_soft_error_limit = 10
smtpd_timeout = 300
smtpd_tls_CAfile = /etc/ssl/certs/postfix/ca.csr
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/postfix/ca.crt
smtpd_tls_key_file = /etc/ssl/certs/postfix/ca.key
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree: $queue_directory/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport.throttle, hash:/etc/postfix/transport
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_domains =
virtual_mailbox_limit = 102400000
virtual_mailbox_maps =
virtual_transport = $mailbox_transport
virtual_uid_maps = static:5000

maillog
---------------------------------------------------------------------------------
Mar 6 15:14:48 bigfiles postfix/postfix-script[18674]: starting the Postfix mail system
Mar 6 15:14:48 bigfiles postfix/master[18675]: daemon started -- version 2.8.0, configuration /etc/postfix
Mar 6 15:14:59 bigfiles postfix/tlsmgr[18712]: warning: request to update table btree:/var/spool/postfix/smtpd_tls_cache in non-postfix directory /var/spool/postfix
Mar 6 15:14:59 bigfiles postfix/tlsmgr[18712]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Mar 6 15:14:59 bigfiles postfix/smtpd[18711]: connect from unknown[192.168.1.211]
Mar 6 15:14:59 bigfiles postfix/smtpd[18711]: NOQUEUE: reject: CONNECT from unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied; proto=SMTP
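Added example, not part of the thread and not Postfix's own tooling: a small Python linter that reads a `postconf -n` dump and a master.cf, applies a service's `-o` overrides on top of main.cf the way Postfix does, and flags two settings a reviewer would check on a submission listener. The first check relies on behaviour documented in postconf(5): with `smtpd_delay_reject = no`, `smtpd_client_restrictions` is evaluated when the client connects, before EHLO, STARTTLS and AUTH, so `permit_sasl_authenticated` cannot match at that stage and a trailing `reject` refuses the client at CONNECT, which is the shape of the `NOQUEUE: reject: CONNECT` log line above. The second check is my own conservative rule (SASL enabled, TLS not mandatory, `smtpd_tls_auth_only` not set). The sample main.cf is a constructed subset of the values in the message; the master.cf sample repeats the entries quoted in the thread.

```python
"""Lint the effective smtpd settings of a Postfix service for SASL/TLS pitfalls.

Constructed example, not Postfix's own tooling. Input is the text of
'postconf -n' plus master.cf; '-o name=value' lines under a service override
main.cf for that service, which is how Postfix applies them.
"""
import re


def parse_postconf(text):
    """Parse 'postconf -n' output ('name = value', one per line) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_overrides(text):
    """Return {service: {param: value}} from the '-o' lines in master.cf.

    A service entry starts in column 1; its '-o' overrides sit on indented
    continuation lines below it.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            match = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", raw)
            if match and current is not None:
                services[current][match.group(1)] = match.group(2).strip()
        else:
            current = raw.split()[0]
            services.setdefault(current, {})
    return services


def split_restrictions(value):
    """Split a restriction list on commas and whitespace, lower-cased."""
    return [tok.lower() for tok in re.split(r"[,\s]+", value) if tok]


def effective_settings(main_params, overrides, service):
    """main.cf values with the service's master.cf '-o' overrides applied."""
    settings = dict(main_params)
    settings.update(overrides.get(service, {}))
    return settings


def check_service(main_params, overrides, service):
    """Return a list of findings for one smtpd service; empty means nothing flagged."""
    eff = effective_settings(main_params, overrides, service)
    findings = []

    # Finding 1: with smtpd_delay_reject=no the client restrictions run at
    # CONNECT, before EHLO/STARTTLS/AUTH, so permit_sasl_authenticated cannot
    # match and a trailing 'reject' refuses every client
    # ('NOQUEUE: reject: CONNECT from ...' in the log).
    delay_reject = eff.get("smtpd_delay_reject", "yes").lower()
    client = split_restrictions(eff.get("smtpd_client_restrictions", ""))
    if delay_reject == "no" and "permit_sasl_authenticated" in client:
        findings.append(
            f"{service}: smtpd_delay_reject=no evaluates smtpd_client_restrictions "
            "at CONNECT, before AUTH; permit_sasl_authenticated cannot match there")

    # Finding 2 (own rule): SASL enabled but AUTH not confined to TLS sessions,
    # so PLAIN/LOGIN credentials may travel in clear. TLS counts as mandatory
    # only with smtpd_tls_security_level=encrypt or the older smtpd_enforce_tls=yes.
    sasl_on = eff.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    tls_enforced = (eff.get("smtpd_tls_security_level", "").lower() == "encrypt"
                    or eff.get("smtpd_enforce_tls", "no").lower() == "yes")
    auth_only_tls = eff.get("smtpd_tls_auth_only", "no").lower() == "yes"
    if sasl_on and not tls_enforced and not auth_only_tls:
        findings.append(
            f"{service}: SASL AUTH is offered on unencrypted sessions "
            "(smtpd_tls_auth_only=no and TLS not mandatory)")
    return findings


# Constructed sample input: a subset of the main.cf values and the master.cf
# entries shown in the thread.
MAIN_CF = """\
smtpd_delay_reject = no
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining
"""

MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    main_params = parse_postconf(MAIN_CF)
    overrides = parse_master_overrides(MASTER_CF)
    for svc in ("smtp", "submission"):
        for finding in check_service(main_params, overrides, svc):
            print(finding)
```

On a live host, feed it `postconf -n` and `/etc/postfix/master.cf` instead of the embedded samples. The linter only reports; the decision on how to change the restriction order, or whether to leave `smtpd_delay_reject` at its default of `yes`, stays with the administrator.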