On 05/15/2011 02:45 PM, ITSec_Mike wrote:
Hi all

I want to get the following scenario:

(1)
A Client connects to a postfix server.
I know the sender email addresses which are allowed to connect to S1.
The authentication on S1 should be delegated to SMTP AUTH on S2.
How can this be achieved on S1?

This is not supported, as explained in http://www.postfix.org/SASL_README.html#server_dovecot_comm

    Postfix to Dovecot SASL communication

Communication between the Postfix SMTP server and Dovecot SASL happens via a UNIX-domain socket.

And in http://www.postfix.org/SASL_README.html#server_cyrus_comm

    Postfix to Cyrus SASL communication

As the Postfix SMTP server is linked with the Cyrus SASL library libsasl, communication between Postfix and Cyrus SASL takes place by calling functions in the SASL library.


You can store the authentication backend database (your userdb) on a different server, but the SASL provider must live on the same system as the postfix instance using it.

It may be possible to implement this functionality through the use of an smtp proxy service, or a policy service, but that would not be SMTP AUTH. It will also make postfix depend on (multiple) external services, increasing the points of failure for receiving mail.

(2)
The postfix server processes the email through a content filter.

Various methods are available for content inspection and filtering.
Read http://www.postfix.org/CONTENT_INSPECTION_README.html for details.

(3)
The email will then be sent out through another smtp server.
The smtp server S2 is sender dependent, which can be achieved via 
smtp_dependent_relayhost_maps on S1.

You probably mean sender_dependent_relayhost_maps:

*sender_dependent_relayhost_maps (default: empty)*

   A sender-dependent override for the global relayhost parameter
   setting. The tables are searched by the envelope sender address and
   @domain. A lookup result of DUNNO terminates the search without
   overriding the global relayhost parameter setting (Postfix 2.6 and
   later). This information is overruled with relay_transport,
   sender_dependent_default_transport_maps, default_transport and with
   the transport(5) table.



+--------+                +----------------+                +--------------+
| Client |----Internet----| Postfix Server |----Internet----| Another SMTP |----->
+--------+      (1)       |     (S1)       |      (3)       | Server (S2)  |
                          +----------------+                +--------------+
                             |  (2)   A
                             V        |
                          +----------------+
                          | content filter |
                          +----------------+


Can this be achieved with Postfix on S1 or do I need to take another SMTP Proxy 
like ASSP?


The remote SASL authentication of (1) is not supported.


--
J.
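
The lookup order quoted above for sender_dependent_relayhost_maps (full envelope sender first, then @domain, with DUNNO ending the search and keeping the global relayhost), as an added Python illustration that is not part of the original message and is not Postfix code. The table contents, host names, function names and the lower-casing of keys are assumptions made for the example.

```python
# Added illustration, not Postfix source. Table contents and host names are constructed.
GLOBAL_RELAYHOST = "[relay.default.example]:25"   # stands in for the global relayhost

SENDER_RELAY = """\
# constructed sample of a sender_dependent_relayhost_maps source file
alice@example.com   [smtp.provider-a.example]:587
bob@example.com     DUNNO
@example.com        [smtp.provider-b.example]:587
@example.org
    [smtp.provider-c.example]:25
"""

def parse_table(text):
    """Parse 'key value' lines: '#' comments and blank lines are skipped,
    a line starting with whitespace continues the previous logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:                 # ignore keys that have no value
            table[parts[0].lower()] = parts[1].strip()
    return table

def relayhost_for(sender, table, global_relayhost=GLOBAL_RELAYHOST):
    """Search by full envelope sender, then by @domain. DUNNO ends the
    search and leaves the global relayhost in effect."""
    sender = sender.lower()                 # assumption: keys compared in lower case
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        result = table.get(key)
        if result is None:
            continue
        if result == "DUNNO":
            return global_relayhost
        return result
    return global_relayhost

TABLE = parse_table(SENDER_RELAY)

if __name__ == "__main__":
    for s in ("alice@example.com", "bob@example.com", "carol@example.com",
              "dave@example.org", "eve@example.net"):
        print(f"{s:20} -> {relayhost_for(s, TABLE)}")
```

The bob@example.com entry shows why DUNNO matters: without it, the @example.com line would route his mail through the domain-wide relay.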

