Hi, I have a Fedora 14 box that I'm trying to configure for use with postfix with dovecot and TLS, permitting only TLS connections after authenticating with sasl. It appears to mostly be working now, but mail is rejected due to "not owned by user" errors.
    Apr 2 01:03:53 fc14 postfix/smtpd[10284]: initializing the server-side TLS engine
    Apr 2 01:03:53 fc14 postfix/tlsmgr[10286]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
    Apr 2 01:03:53 fc14 postfix/tlsmgr[10286]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
    Apr 2 01:03:53 fc14 postfix/smtpd[10284]: connect from unknown[184.XXX.XX.223]
    Apr 2 01:03:53 fc14 postfix/smtpd[10284]: setting up TLS connection from unknown[184.XXX.XX.223]
    Apr 2 01:03:53 fc14 postfix/smtpd[10284]: unknown[184.XXX.XX.223]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
    ...
    Apr 2 01:03:54 fc14 postfix/smtpd[10284]: Anonymous TLS connection established from unknown[184.XXX.XX.223]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from unknown[184.XXX.XX.223]: 553 5.7.1 <myu...@myexample.com>: Sender address rejected: not owned by user alex; from=<myu...@myexample.com> to=<remotelu...@gmail.com> proto=ESMTP helo=<184-XXX-XXX-223.pools.mycellphone.net>
    Apr 2 01:03:55 fc14 postfix/smtpd[10284]: disconnect from unknown[184.XXX.XX.223]

I have created a controlled_envelope_senders file that specifies the users that are permitted to send mail using the envelope sender:

    myu...@myexample.com alex

But it still rejects it. Perhaps I'm not specifying it correctly? I'd like to make sure this is also doing what I expect it is doing, and that is requiring the use of TLS for sending all mail.
Here is the output of postconf -n:

    alias_database = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    debug_peer_list = 127.0.0.1
    delay_warning_time = 4h
    disable_vrfy_command = yes
    header_checks = pcre:/etc/postfix/header_checks.pcre
    mail_owner = postfix
    mailbox_command = /usr/bin/procmail
    mailbox_size_limit = 2000000000
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maximal_queue_lifetime = 5d
    message_size_limit = 10240000
    mydestination = $myhostname, localhost.$mydomain, myexample.com
    myhostname = fc14.myexample.com
    mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.6.0/24
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = /etc/postfix/README_FILES
    relay_domains = $mydestination, $transport_maps
    relayhost = 64.1.16.3
    sample_directory = /etc/postfix/samples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_tls_CAfile = /etc/pki/tls/cacert.pem
    smtp_tls_loglevel = 2
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, check_client_access hash:/etc/postfix/client_access, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
    smtpd_sender_restrictions = reject_sender_login_mismatch
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = encrypt
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport

Are there any other options I should be concerned about with regards to security, and ensuring I don't become a relay or risk of unauthorized access? Any help greatly appreciated.

Thanks,
Alex
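As an added illustration (not part of the original post) of what reject_sender_login_mismatch checks against smtpd_sender_login_maps, here is a small offline model of the lookup; the map layout, the sample entries and LOCAL_DOMAINS are assumptions, and the authoritative check on the box itself is `postmap -q <sender> hash:/etc/postfix/controlled_envelope_senders`.

```python
# Added example (not from the original post): an offline model of the
# smtpd_sender_login_maps lookup behind reject_sender_login_mismatch, for
# sanity-checking a controlled_envelope_senders file. Assumed lookup order
# (postconf(5), indexed tables): user@domain, user (local domains), @domain.
import re

# Constructed sample of /etc/postfix/controlled_envelope_senders.
SAMPLE_MAP = """\
# envelope sender          SASL login(s) that own it
myuser@myexample.com       alex
@lists.myexample.com       alex, listadmin
"""
LOCAL_DOMAINS = {"myexample.com"}  # assumption: $mydestination domains

def parse_sender_login_map(text):
    """Return {key: {logins}}, lowercased as a hash: table folds its keys."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        owners = {o.lower() for o in re.split(r"[,\s]+", parts[1]) if o}
        table[parts[0].lower()] = owners
    return table

def lookup_owners(table, sender):
    """Return (matched_key, owners) for the first key found, else (None, set())."""
    sender = sender.lower()
    user, at, domain = sender.rpartition("@")
    candidates = [sender]
    if at:
        if domain in LOCAL_DOMAINS:
            candidates.append(user)
        candidates.append("@" + domain)
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, set()

def sender_login_mismatch(table, sender, login=None):
    """True when reject_sender_login_mismatch would reject MAIL FROM <sender>.
    login is the SASL login name (None = unauthenticated client): a login
    must own the sender; an unauthenticated client may not use an owned one.
    """
    _, owners = lookup_owners(table, sender)
    if login is None:
        return bool(owners)
    return login.lower() not in owners
```

Whatever the real map contains, the name Postfix compares against it is the SASL login shown in the reject line (here "alex"), and a hash: file only takes effect after postmap has rebuilt its .db.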