On Fri, Jan 22, 2021 at 02:34:58AM -0500, François Hétu wrote:

> I'm having some difficulty figuring out how to configure both recipient and
> sender dependent relay hosts.
>
> 1. Some of my users need to send mail through specific relay hosts with
> login:password;
> 2. Other users on the same box will use the local SMTP server to relay
> mail: the default transport if you will, without password;
> 3. Finally, some outgoing mail has to be routed through other relay hosts
> according to the recipient domain without consideration of the sender.
> Those relays have login:password.
>
> Option 1 can be configured by using the sender_dependent_relayhost_maps
> option and both a sender_relay and a sasl_passwd file.
>
> Option 2 is selected by Postfix if the specified sender is not found in the
> sender_relay file mentioned above.
>
> Option 3 is made possible by using a transport_map file where the specific
> recipient domain is listed, with a proper [some-relay.tld]:587 affixed.
>
> But where do I put the login:password of [some-relay.tld]:587? If I put it
> in the sasl_passwd file, ALL mail not specified in the sender_relay file is
> routed through [some-relay.tld]:587, and not the local SMTP relay.

The sasl_passwd file has no effect on transport selection, so I am at a
loss to understand how you reached that conclusion.

    smtp_sasl_password_maps (default: empty)
        Optional Postfix SMTP client lookup tables with one
        username:password entry per sender, remote hostname or next-hop
        domain. Per-sender lookup is done only when sender-dependent
        authentication is enabled. If no username:password entry is found,
        then the Postfix SMTP client will not attempt to authenticate to
        the remote host.

        The Postfix SMTP client opens the lookup table before going to
        chroot jail, so you can leave the password file in /etc/postfix.

        Specify zero or more "type:name" lookup tables, separated by
        whitespace or comma. Tables will be searched in the specified
        order until a match is found.

This makes no mention of any such effect. Indeed the parameter is
implemented in smtp(8) and not the queue manager, and so you can have
different values of smtp_sasl_password_maps for different instances
(transport) of the smtp(8) delivery agent.

Similarly, smtp_sender_dependent_authentication is also a per-transport
setting. The transport you use for the destination-specific relays
should not enable sender dependent authentication, which should be
enabled only for transports specified in the RHS values of
sender_dependent_default_transport_maps (use that instead of
sender-dependent relays), the "transport" variant lets you override both
the transport name and the nexthop.

-- 
    Viktor.
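
The layout described in the reply above, written out as an added example that is not part of the original message or of the Postfix documentation. The transport names relay-sender and relay-dest, the table file names, the sender address, the recipient domain and the host sender-relay.example are assumptions; [some-relay.tld]:587 is taken from the question, and mandatory TLS assumes both relays offer STARTTLS.

```conf
# ---- /etc/postfix/main.cf ----
# Case 2 (default path): smtp_sasl_password_maps is left empty here, so the
# default smtp transport never authenticates and never sees relay credentials.
smtp_sasl_auth_enable = no

# Case 1: select transport:nexthop by envelope sender.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# Case 3: select transport:nexthop by recipient domain. A transport(5) match
# overrides the sender-based choice, so these domains ignore the sender.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/sender_transport (hypothetical sender and relay) ----
# alice@example.org      relay-sender:[sender-relay.example]:587

# ---- /etc/postfix/transport (hypothetical recipient domain) ----
# partner.example        relay-dest:[some-relay.tld]:587

# ---- /etc/postfix/master.cf ----
# Two extra instances of smtp(8), each with its own password table.
relay-sender unix  -       -       n       -       -       smtp
  -o smtp_sasl_auth_enable=yes
  -o smtp_sender_dependent_authentication=yes
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_sender
  -o smtp_sasl_security_options=noanonymous
  -o smtp_tls_security_level=encrypt
relay-dest   unix  -       -       n       -       -       smtp
  -o smtp_sasl_auth_enable=yes
  -o smtp_sender_dependent_authentication=no
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_dest
  -o smtp_sasl_security_options=noanonymous
  -o smtp_tls_security_level=encrypt

# ---- /etc/postfix/sasl_passwd_sender (mode 0600, owner root) ----
# Looked up by sender address because sender-dependent authentication is on.
# alice@example.org      LOGIN_PLACEHOLDER:PASSWORD_PLACEHOLDER

# ---- /etc/postfix/sasl_passwd_dest (mode 0600, owner root) ----
# Looked up by nexthop; the key must match the nexthop string exactly.
# [some-relay.tld]:587   LOGIN_PLACEHOLDER:PASSWORD_PLACEHOLDER
```

Run postmap on each of the four tables and reload Postfix after editing; the generated .db files for the password tables should carry the same restrictive permissions as their sources.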