On Sat, Jan 22, 2022 at 02:03:29PM -0500, Joe Acquisto-j4 wrote:

> > IIRC Wietse already suggested a work-around, by making the
> > sender-dependent authentication settings be transport-specific.
> >
> > In particular the internal nexthop that does not do SASL should be
> > handled by a transport in which sender-dependent authentication is
> > disabled.
>
> I do desire outgoing email, with the "next hop" being my ISP, to have
> sender dependent authentication.  Incoming email, once processed by
> Postfix, SA, ClamAV, is sent to "the last hop" which does no
> authentication.

Sure, which means that the (smtp) transport used for that nexthop should
have sender dependent authentication enabled.

> I do get, I think, the point you illuminate in your last paragraph
> that in my case, a specific inbound transport must be defined for all
> incoming messages and this transport must not specify authentication.

By not enabling sender dependent authentication for the (smtp) transport
used to reach the internal mailstore.

> However, I get a bit fuzzy about any distinction between "sender
> dependent authentication" and "no authentication".  Presumably that
> will require somewhat different configuration than Wietse described?

Postfix attempts to use SASL authentication when:

    * smtp_sasl_enable=yes
    * and either
        - smtp_sender_dependent_authentication = yes and
          smtp_sasl_password_maps contains a match for the sender, OR
        - smtp_sasl_password_maps contains a match for the nexthop or
          just the underlying hostname extracted from the nexthop
          [host]:port or the like.

Therefore your master.cf file needs to have at least one additional
smtp-based transport, with either SASL disabled entirely, and/or
sender-dependent authentication disabled, or perhaps a variant password
table...

Below all three are set to "discourage" use of SASL:

    noauth unix - - n - - smtp
        -o smtp_sasl_enable=no
        -o smtp_sender_dependent_authentication=no
        -o smtp_sasl_password_maps=

With this, just make sure that deliveries to the internal mailstore use
the "noauth" transport:

    internal.example    noauth:[gateway.example]

> In any event I am nagged however by what causes Postfix to attempt
> authentication, for this oddball email when others sent to the same
> user do not, with the same configuration.

See above.  You enabled authentication by enabling sender-dependent
authentication and configuring a table with passwords specified for the
sender addresses in question.

-- 
    Viktor.
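
The following is an added example, not part of the message above and not Postfix code: a small Python model of the decision rule as stated in the reply, showing why a sender listed in the password table triggers SASL toward the internal mailstore on the default transport but not on "noauth". The sender address, the ISP relay name and the credentials are constructed placeholders, and the dictionaries stand in for main.cf settings and master.cf `-o` overrides.

```python
import re

def nexthop_host(nexthop):
    """Bare hostname from nexthop forms such as [host]:port or host:port."""
    m = re.match(r"^\[([^\]]+)\](?::\S+)?$", nexthop)
    return m.group(1) if m else nexthop.split(":", 1)[0]

def attempts_sasl(params, sender, nexthop):
    """Return (decision, reason) following the rule stated in the reply."""
    if params["smtp_sasl_enable"] != "yes":
        return False, "smtp_sasl_enable is not yes"
    table = params["smtp_sasl_password_maps"]
    if params["smtp_sender_dependent_authentication"] == "yes" and sender in table:
        return True, "sender match: " + sender
    # Otherwise fall back to the nexthop, then the hostname inside it.
    for key in (nexthop, nexthop_host(nexthop)):
        if key in table:
            return True, "nexthop match: " + key
    return False, "no sender or nexthop match"

def transport(defaults, **overrides):
    """Model master.cf '-o name=value' overrides on top of main.cf settings."""
    return {**defaults, **overrides}

# Constructed main.cf-style settings; sender and ISP relay are placeholders.
MAIN_CF = {
    "smtp_sasl_enable": "yes",
    "smtp_sender_dependent_authentication": "yes",
    "smtp_sasl_password_maps": {
        "user@example.org": "user:secret",
        "[mail.isp.example]:587": "acct:secret",
    },
}
SMTP = transport(MAIN_CF)  # default smtp transport, no overrides
NOAUTH = transport(MAIN_CF,  # the three overrides from the reply
                   smtp_sasl_enable="no",
                   smtp_sender_dependent_authentication="no",
                   smtp_sasl_password_maps={})

if __name__ == "__main__":
    cases = [
        ("smtp, listed sender, internal hop", SMTP, "user@example.org", "[gateway.example]"),
        ("smtp, other sender, internal hop", SMTP, "other@example.net", "[gateway.example]"),
        ("noauth, listed sender, internal hop", NOAUTH, "user@example.org", "[gateway.example]"),
        ("smtp, other sender, ISP relay", SMTP, "other@example.net", "[mail.isp.example]:587"),
    ]
    for label, params, sender, hop in cases:
        print(label, "->", attempts_sasl(params, sender, hop))
```
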