On 21.8.2013 14:09, /dev/rob0 wrote:
On Wed, Aug 21, 2013 at 01:08:15PM +0200, Lang Alex wrote:
-debian 7, postfix 2.9.6
-no local domain, no mailboxes (root also aliased out of machine)
-only open relay with authorized people, mysql db backend
"Open" and "authorized" (which really should be "authenticated" in
this context) are contradictions in terms. "Open" means "anyone can
relay without authentication."
Open relay "that allows a third party to relay e-mail messages, i.e.,
sending and/or receiving e-mail that is not for or from a local user"
-no long way: postfix - dovecot sasl - pam - mysql connect
-only direct: postfix - local mysql ( - view to remote dbs, that's
another story)
is it possible?
No. SASL AUTH requires SASL. Why is that a problem?
That's no problem. Postfix authenticated against db backend, WITHOUT
SASL AUTH.
"the only way postfix can authenticate senders is sasl / over sasl" IS
an answer, but I don't know whether it is right or wrong.
or any auth login/passwd means sasl thus dovecot is a must?
Dovecot SASL (which I would recommend even if you disable Dovecot
IMAP/POP3) or Cyrus SASL is required. I think the SASL_README is
clear on this point.
Yes, I read SASL_README. Without sasl. I consider the Dovecot MDA/LDA
primarily an imap/pop3/sieve server. It seems to me a bit like
delivering pizza with a truck.
I googled for some time, have not found simple yes/no, nor some
no-sasl-howto
Google not, look directly in the Postfix documentation:
http://www.postfix.org/SASL_README.html
There are other means to authenticate SMTP clients, both inband and
out-of-band. From home, I relay through my remote server by means of
OpenVPN tunnel; the VPN endpoint is listed in mynetworks. Note that
this approach loses the benefits of AUTH, such as knowing exactly
which user was responsible for which message.
TLS certificate authentication can be done:
http://www.postfix.org/TLS_README.html#server_access
You'll also need to read most of the "SMTP Server specific settings"
section above this. In fact you might need a specific smtpd instance
(submission port, for example) to do the client certificate checking
and verification.
Regular postfix mail server, for everyone (authenticated) to anyone
over his mx. With own public ip, third-level domain name, reverse etc. etc.
Is it possible without sasl auth (=dovecot) or no?
Thanks,
Alex
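
The TLS client certificate approach mentioned in the thread, sketched as an added example (not configuration posted by either participant). It assumes Postfix 2.9 with MySQL map support; the file paths, database name, table and column names, and the credentials are hypothetical placeholders.

```conf
# --- /etc/postfix/master.cf: dedicated submission instance ---
# TLS is mandatory here, the client is asked for a certificate, and
# relaying is permitted only when its fingerprint is found in
# relay_clientcerts. Everything else on this port is rejected.
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject

# --- /etc/postfix/main.cf ---
# Server certificate and key (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/tls/server-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/server-key.pem

# Postfix 2.9 defaults to md5 fingerprints; use a stronger digest.
smtpd_tls_fingerprint_digest = sha1

# Lookup key is the client certificate fingerprint (upper-case hex
# pairs separated by colons). Only the existence of a row matters.
relay_clientcerts = mysql:/etc/postfix/mysql-clientcerts.cf

# --- /etc/postfix/mysql-clientcerts.cf (mode 0640, root:postfix) ---
# Read-only database account; schema below is an assumption.
hosts = 127.0.0.1
user = postfix_ro
password = CHANGE_ME
dbname = mail
query = SELECT 1 FROM client_certs WHERE fingerprint = '%s' AND active = 1

# Fingerprint to store for a given client certificate:
#   openssl x509 -noout -fingerprint -sha1 -in client-cert.pem
```

Issuing one certificate per sender keeps the per-user accountability that the mynetworks/VPN approach loses, and setting `active = 0` for a row revokes that sender without touching the Postfix configuration.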