Re: Recipient and sender dependent relay hosts

2021-01-22 Thread Viktor Dukhovni
On Fri, Jan 22, 2021 at 02:34:58AM -0500, François Hétu wrote:

> I'm having some difficulty figuring out how to configure both recipient and
> sender dependent relay hosts.
> 
> 1. Some of my users need to send mail through specific relay hosts with
> login:password;
> 2. Other users on the same box will use the local SMTP server to relay
> mail: the default transport if you will, without password;
> 3. Finally, some outgoing mail has to be routed through other relay hosts
> according to the recipient domain without consideration of the sender.
> Those relays have login:password.
> 
> Option 1 can be configured by using the sender_dependent_relayhost_maps
> option and both a sender_relay and a sasl_passwd file.
> 
> Option 2 is selected by Postfix if the specified sender is not found in the
> sender_relay file mentioned above.
> 
> Option 3 is made possible by using a transport_map file where the specific
> recipient domain is listed, with a proper [some-relay.tld]:587 affixed.
> 
> But where do I put the login:password of [some-relay.tld]:587?  If I put it
> in the sasl_passwd file, ALL mail not specified in the sender_relay file is
> routed through [some-relay.tld]:587, and not the local SMTP relay.

The sasl_passwd file has no effect on transport selection, so I am at a
loss to understand how you reached that conclusion.

smtp_sasl_password_maps (default: empty)
   Optional Postfix SMTP client lookup tables with one username:password
   entry per sender, remote hostname or next-hop domain. Per-sender lookup
   is done only when sender-dependent authentication is enabled.  If no
   username:password entry is found, then the Postfix SMTP client will not
   attempt to authenticate to the remote host.

   The Postfix SMTP client opens the lookup table before going to chroot
   jail, so you can leave the password file in /etc/postfix.

   Specify zero or more "type:name" lookup tables, separated by whitespace
   or comma. Tables will be searched in the specified order until a match
   is found.

This makes no mention of any such effect.  Indeed the parameter is
implemented in smtp(8) and not the queue manager, and so you can have
different values of smtp_sasl_password_maps for different instances
(transport) of the smtp(8) delivery agent.

Similarly, smtp_sender_dependent_authentication is also a per-transport
setting.  The transport you use for the destination-specific relays
should not enable sender dependent authentication, which should be
enabled only for transports specified in the RHS values of
sender_dependent_default_transport_maps (use that instead of
sender-dependent relays), the "transport" variant lets you override
both the transport name and the nexthop.

-- 
Viktor.
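To make the per-transport point concrete, here is an added example of the layout Viktor describes (it is not configuration posted in the thread, and the hostnames, sender addresses and credentials are invented placeholders). The stock "smtp" transport carries the unauthenticated default path; "sendrelay" is the only transport with smtp_sender_dependent_authentication turned on and gets its own smtp_sasl_password_maps keyed by sender; "domrelay" is reached via transport_maps and gets a separate password map keyed by nexthop. The small resolve_transport helper at the end is a simplified model of the lookup precedence (transport_maps beats the sender-dependent map, which beats relayhost), not Postfix code; real transport(5) lookups also try user@domain forms and parent domains.

```shell
#!/bin/sh
# Added example (not from the thread): three smtp(8) transports, each with
# its own SASL password map.  All names and secrets are placeholders.
# Usage: write_postfix_relay_example /etc/postfix   (or a scratch directory)

write_postfix_relay_example() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/main.cf" <<'EOF'
# Case 2 (default): anything not matched below goes to the site relay over
# the stock "smtp" transport, which has smtp_sasl_auth_enable = no.
relayhost = [mx.example.org]
# Case 1: per-sender override of both transport and nexthop.  Preferred over
# sender_dependent_relayhost_maps, so sender-dependent SASL lives only in the
# "sendrelay" transport.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
# Case 3: per-recipient-domain routing; transport(5) overrides the two above.
transport_maps = hash:/etc/postfix/transport
EOF

    cat > "$dir/master.cf" <<'EOF'
# service   type  private unpriv chroot wakeup maxproc command
smtp        unix  -       -      n      -      -       smtp
# Case 1: sender-keyed credentials; the only transport with
# smtp_sender_dependent_authentication enabled.
sendrelay   unix  -       -      n      -      -       smtp
  -o syslog_name=postfix/sendrelay
  -o smtp_sasl_auth_enable=yes
  -o smtp_sender_dependent_authentication=yes
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_sender
  -o smtp_sasl_security_options=noanonymous
  -o smtp_tls_security_level=encrypt
# Case 3: nexthop-keyed credentials; no sender-dependent lookup here.
domrelay    unix  -       -      n      -      -       smtp
  -o syslog_name=postfix/domrelay
  -o smtp_sasl_auth_enable=yes
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_domain
  -o smtp_sasl_security_options=noanonymous
  -o smtp_tls_security_level=encrypt
EOF

    # Sender -> transport:nexthop (placeholder providers).
    cat > "$dir/sender_transport" <<'EOF'
alice@example.org    sendrelay:[smtp.provider-a.example]:587
bob@example.org      sendrelay:[smtp.provider-b.example]:587
EOF
    # Keyed by sender because sendrelay has sender-dependent auth on.
    cat > "$dir/sasl_passwd_sender" <<'EOF'
alice@example.org    alice-user:alice-secret
bob@example.org      bob-user:bob-secret
EOF
    # Recipient domain -> transport:nexthop.
    cat > "$dir/transport" <<'EOF'
partner.example      domrelay:[mail.partner.example]:587
EOF
    # Keyed by the nexthop exactly as written in transport(5).
    cat > "$dir/sasl_passwd_domain" <<'EOF'
[mail.partner.example]:587    partner-user:partner-secret
EOF
    chmod 0600 "$dir"/sasl_passwd_*   # credentials: root-only, then postmap
}

# First whitespace-separated field is the key; second is the value.
map_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Simplified model of trivial-rewrite(8) precedence for the maps above.
resolve_transport() {
    dir="$1"; sender="$2"; rcpt="$3"
    rdom="${rcpt#*@}"; sdom="@${sender#*@}"
    r=$(map_get "$dir/transport" "$rdom")           # transport_maps first
    [ -n "$r" ] && { echo "$r"; return; }
    r=$(map_get "$dir/sender_transport" "$sender")  # then sender, then @domain
    [ -z "$r" ] && r=$(map_get "$dir/sender_transport" "$sdom")
    [ -n "$r" ] && { echo "$r"; return; }
    echo "smtp:[mx.example.org]"                    # else relayhost
}
```

After writing the files, run postmap on each hash: map and reload Postfix; the TLS "encrypt" level is there so credentials never go over a cleartext port-587 session. The helper shows why the password maps cannot leak routing: alice's mail to partner.example still takes domrelay, and a sender with no map entry takes the unauthenticated default even when a password map for another transport exists.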


Re: Ignoring a failing dictionary ?

2021-01-22 Thread Ganael Laplanche
On Thursday, January 21, 2021 11:01:44 PM CET John Stoffel wrote:

Hello John,

> So why not populate a new OU from your master production OU, and use
> that for all lookups.  The process would then be that when you delete
> from the primary OU, it's starts a 7 day count down on the secondary
> to finish the deletion.
> [...]

That would have been an idea too, thanks.

> And then the cleanup as well.  Keep it all in LDAP if you can.

Well, it's finally been decided here to switch to local hash maps instead to
avoid potential mail delaying (see my previous answer).

Thanks anyway for your suggestion :)

Best regards,

-- 
Ganael Laplanche 
Unix Systems Engineer @CentraleSupelec Rennes




Re: Recipient and sender dependent relay hosts

2021-01-22 Thread François Hétu
Hi,

Thanks for your answer.

I rechecked my configuration, and located a wrong config in sender_relay:
the very same relay that was wrongly put in that file.

After removing the relay, I could indeed configure the multi-relay
configuration I needed, for both sender and recipient dependent relays.

Thanks much for your help.


François


On Fri, Jan 22, 2021 at 03:19, Viktor Dukhovni wrote:

> On Fri, Jan 22, 2021 at 02:34:58AM -0500, François Hétu wrote:
>
> > I'm having some difficulty figuring out how to configure both recipient
> > and sender dependent relay hosts.
> >
> > 1. Some of my users need to send mail through specific relay hosts with
> > login:password;
> > 2. Other users on the same box will use the local SMTP server to relay
> > mail: the default transport if you will, without password;
> > 3. Finally, some outgoing mail has to be routed through other relay hosts
> > according to the recipient domain without consideration of the sender.
> > Those relays have login:password.
> >
> > Option 1 can be configured by using the sender_dependent_relayhost_maps
> > option and both a sender_relay and a sasl_passwd file.
> >
> > Option 2 is selected by Postfix if the specified sender is not found in
> > the sender_relay file mentioned above.
> >
> > Option 3 is made possible by using a transport_map file where the
> > specific recipient domain is listed, with a proper [some-relay.tld]:587
> > affixed.
> >
> > But where do I put the login:password of [some-relay.tld]:587?  If I put
> > it in the sasl_passwd file, ALL mail not specified in the sender_relay
> > file is routed through [some-relay.tld]:587, and not the local SMTP
> > relay.
>
> The sasl_passwd file has no effect on transport selection, so I am at a
> loss to understand how you reached that conclusion.
>
> smtp_sasl_password_maps (default: empty)
>    Optional Postfix SMTP client lookup tables with one username:password
>    entry per sender, remote hostname or next-hop domain. Per-sender lookup
>    is done only when sender-dependent authentication is enabled.  If no
>    username:password entry is found, then the Postfix SMTP client will not
>    attempt to authenticate to the remote host.
>
>    The Postfix SMTP client opens the lookup table before going to chroot
>    jail, so you can leave the password file in /etc/postfix.
>
>    Specify zero or more "type:name" lookup tables, separated by whitespace
>    or comma. Tables will be searched in the specified order until a match
>    is found.
>
> This makes no mention of any such effect.  Indeed the parameter is
> implemented in smtp(8) and not the queue manager, and so you can have
> different values of smtp_sasl_password_maps for different instances
> (transport) of the smtp(8) delivery agent.
>
> Similarly, smtp_sender_dependent_authentication is also a per-transport
> setting.  The transport you use for the destination-specific relays
> should not enable sender dependent authentication, which should be
> enabled only for transports specified in the RHS values of
> sender_dependent_default_transport_maps (use that instead of
> sender-dependent relays), the "transport" variant lets you override
> both the transport name and the nexthop.
>
> --
> Viktor.
>