Hi Viktor,

thank you very much, you gave me the right hint!

In the past, when we had a dynamic IP, we used the Gmail relays for
sending mail from the local domains (those relays can be authorized to
send for any domain or email address).

I've commented these lines in the sender_dependent file later when we
got a static IP, but in the sasl_passwd file the login credentials for
the Google relays were still present.

So, when Postfix got AUTH from the peer, it tried to authenticate with
the Gmail credentials, which of course failed.

Solved, thanks!

Cheers,

Robert


On Tuesday, 05.05.2015, at 23:22 +0000, Viktor Dukhovni wrote:
> On Tue, May 05, 2015 at 10:22:42PM +0200, Robert Senger wrote:
> 
> > I am having trouble sending mail to a specific smtp host, which is
> > configured for sasl authentication on port 25.
> 
> This should have no impact on your machine, unless you also configure
> smtp_sasl_password_maps non-empty, and configure a table entry that
> matches the nexthop domain (the smtp host in question).
> 
> > I have configured Postfix to send smtp mail from a small number of local
> > domains to the recipient domain's mail exchanger, and to send mail from
> > non local domains such as gmx.de and gmail.com via the appropriate
> > relays using sender_dependent lists. All worked fine until today.
> 
> If you do configure sender-dependent SASL authentication, then you
> MUST either ensure that all outbound mail from the sender in question
> goes through the expected relay (for which the sender has credentials),
> via sender_dependent_relayhost_maps, or via a different transport
> via sender_dependent_default_transport_maps, so that you never
> connect to some other relay expecting to authenticate because you've
> configured a sender-specific SASL password.
> 
> > The peer that causes trouble is using sasl authentication on port 25, to
> > allow authenticated users sending mail via smtp instead of submission. 
> 
> The trouble is not the peer.  It is your server's misconfiguration.
> Postfix happily ignores remote "AUTH" by default, unless you've
> configured a password for the destination or the sender.
> 
> > So, my own Postfix tries to authenticate to this server, but of course
> > fails as it does not have any credentials. 
> 
> It does, for the sender.
> 
> > I see that this seems to be caused by the smtp_sasl_auth_enable = yes
> > flag set in main.cf, which I need because without this, Postfix will
> > never try to authenticate to the sender_dependent relays, e.g. for
> > gmail.com.
> 
> No, that's not the reason.  Even with that on, authentication only
> happens to destinations (or for senders) for which you've set a
> password.
> 
> > I don't know what to do about this, is there a way to tell Postfix to
> > only authenticate to those relays defined in sender_dependent, or only
> > when connecting to the submission port?
> > 
> > Or can this be a misconfiguration at the peer's side?
> 
> Misconfiguration on your side.
> 

-- 
Robert Senger <robert.sen...@microscopium.de>
PGP/GPG Public Key ID: 24E78B5E
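
Added example, not part of the original messages: a small audit for the leftover-credential situation described in this thread, listing sender-keyed entries in the SASL password map that no longer have a matching uncommented entry in the sender-dependent relayhost map. The function names, file contents, addresses and hosts are constructed for illustration; it assumes sender keys are the ones containing "@" and does not look at sender_dependent_default_transport_maps.

```python
# Added example: audit Postfix SASL credentials against sender-dependent routing.
# Both map texts below are constructed samples, not taken from the thread.

def parse_postfix_map(text):
    """Parse a Postfix text lookup table: 'key value' per logical line,
    '#' comment lines ignored, lines starting with whitespace continue
    the previous logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0].lower()] = parts[1].strip()
    return entries

def orphaned_sender_credentials(sasl_passwd_text, relayhost_map_text):
    """Return sender keys that have a SASL password but no relayhost route.
    Only keys are returned, never the credential values."""
    creds = parse_postfix_map(sasl_passwd_text)
    routes = parse_postfix_map(relayhost_map_text)
    orphans = []
    for key in creds:
        if "@" not in key:
            continue  # destination-keyed entry (host, domain or [host]:port)
        domain_key = "@" + key.rsplit("@", 1)[1]
        # The relayhost map is searched by full sender address and by @domain
        if key not in routes and domain_key not in routes:
            orphans.append(key)
    return sorted(orphans)

SASL_PASSWD = """\
# constructed sample: credentials kept after the route was commented out
user@local.example     relayaccount:PLACEHOLDER
someone@mail.example   someone:PLACEHOLDER
[relay.example.net]:587  shared:PLACEHOLDER
"""
RELAYHOST_MAP = """\
#user@local.example    [relay.example.org]:587
someone@mail.example   [relay.example.net]:587
"""

if __name__ == "__main__":
    for sender in orphaned_sender_credentials(SASL_PASSWD, RELAYHOST_MAP):
        print("credential without sender-dependent route:", sender)
```

Any sender it reports would have its credentials offered to whatever server the normal MX lookup reaches and that announces AUTH, which is the failure described above.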
