Sender address rejected: not logged in as owner

Thomas Otto

Aug 4, 2003, 7:46:14 AM

Hi List!

I have a problem with authentication and aliases on a remote mail server
which sends the mail back to my server.
Postfix 2.0.13 works normally. Authentication with SASL works too. Sending
to other domains and to local domains works, and receiving for
local/virtual domains works.
But when te...@exedio.com sends a mail to bl...@domain2.com on another
mail server and this user has an alias configured to te...@exedio.com,
my mail server will reject this mail. This is what's in the logs:

Aug 4 09:15:28 mail postfix/smtpd[22803]: E48E9C6E: reject: RCPT from=www.hybrisdd.de[195.243.217.212]: 453 <te...@exedio.com>: Sender address rejected: not logged in as owner; from=<te...@exedio.com> to=<te...@exedio.com> proto=ESMTP helo=<mail.hybrisdd.de>

I know I have reject_unauth_destination, reject_sender_login_mismatch
and permit_sasl_authenticated in my main.cf and that this causes the
problem, but how do I work around this?

Any help is appreciated.

Here is my main.cf:

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
setgid_group = postdrop
# appending .domain is the MUA's job.
append_dot_mydomain = no
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
#content_filter = vscan:
soft_bounce = yes
# Uncomment the next line to generate delayed mail warnings
#delay_warning_time = 4h
local_recipient_maps=
myhostname = mail.exedio.com
relayhost =
mynetworks = 127.0.0.0/8, 10.20.10.22/32, 10.20.10.3/32, 10.20.10.23/32
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
myorigin = /etc/mailname

#smtp_use_tls = yes
#smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dun.dnsrbl.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    permit

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sender_login_maps = ldap:ldapvirtualmaps
#mydestination = mail.exedio.com, localhost, localhost.$mydomain, ldap:acceptdomains
mydestination = localhost, localhost.$mydomain

virtual_alias_maps= ldap:ldapaliases, ldap:ldapvirtualmaps
virtual_maps= ldap:ldapvirtualmbox
virtual_mailbox_domains= ldap:acceptdomains
local_transport = virtual

virtual_mailbox_base = /
virtual_mailbox_maps = ldap:ldapvirtualmbox
virtual_uid_maps = static:1500
virtual_gid_maps = static:1500
virtual_minimum_uid = 500
virtual_mailbox_limit = 0

ldapvirtualmbox_server_host = admin1.exedio.com
ldapvirtualmbox_server_port = 389
ldapvirtualmbox_bind = yes
ldapvirtualmbox_bind_dn = cn=admin,dc=exedio,dc=com
ldapvirtualmbox_bind_pw = XXX
ldapvirtualmbox_search_base = ou=Dresden,ou=People,dc=exedio,dc=com
ldapvirtualmbox_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
ldapvirtualmbox_result_attribute = mailMessageStore

ldapvirtualmaps_server_host = admin1.exedio.com
ldapvirtualmaps_server_port = 389
ldapvirtualmaps_bind = yes
ldapvirtualmaps_bind_dn = cn=admin,dc=exedio,dc=com
ldapvirtualmaps_bind_pw = XXX
ldapvirtualmaps_search_base = ou=Dresden,ou=People,dc=exedio,dc=com
ldapvirtualmaps_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
ldapvirtualmaps_result_attribute = mail

acceptdomains_server_host = admin1.exedio.com
acceptdomains_server_port = 389
acceptdomains_bind = yes
acceptdomains_bind_dn = cn=admin,dc=exedio,dc=com
acceptdomains_bind_pw = XXX
acceptdomains_search_base = ou=Domains,ou=Postfix,dc=exedio,dc=com
acceptdomains_query_filter = (associatedDomain=%s)
acceptdomains_result_attribute = associatedDomain

ldapaliases_server_host = admin1.exedio.com
ldapaliases_server_port = 389
ldapaliases_bind = yes
ldapaliases_bind_dn = cn=admin,dc=exedio,dc=com
ldapaliases_bind_pw = XXX
ldapaliases_search_base = ou=Aliases,ou=Postfix,dc=exedio,dc=com
ldapaliases_query_filter = (mail=%s)
ldapaliases_result_attribute = maildrop


Thomas Otto
--
hybris GmbH | Dipl. Wirtsch.-Inf.
Förstereistr. 19 | Thomas Otto
D-01099 Dresden | IT-Administration
|
t +49(0)351 4108-100 |
f +49(0)351 4108-199 | thoma...@hybris.de
m +49(0)177 4209 762 | www.hybris.de

Thomas Otto

Aug 4, 2003, 11:54:21 AM

are there really no hints to solve this problem?

cu tommi

Wietse Venema

Aug 4, 2003, 12:13:36 PM

The smtpd_sender_login_maps feature is described in sample-smtpd.cf.
If Postfix behaves contrary to this description, then please point
out the problem.

Wietse

Wietse Venema

Aug 4, 2003, 12:16:16 PM

You want to receive mail FROM te...@exedio.com WITHOUT SASL
authentication.

Therefore you must turn off the smtpd_sender_login_maps feature.

Wietse

Thomas Otto

Aug 5, 2003, 4:48:39 AM

Yes, I know this. That's exactly my problem...
Normal sending via SASL Auth must work, and these loop-back mails too.
But these are not authenticated... that's the problem.
Would SASL Auth work if I set smtpd_sender_login_maps = "" ?

cu tommi


Thomas Otto

Aug 5, 2003, 7:53:05 AM

disabling smtpd_sender_login_maps breaks SASL Authentication.
any hints to solve my problem?

any help appreciated

cu tommi

Wietse Venema wrote:
>> You want to receive mail FROM te...@exedio.com WITHOUT SASL
>> authentication.

the point is that the destination is te...@exedio.com

>> Therefore you must turn off the smtpd_sender_login_maps feature.

Wietse Venema

Aug 5, 2003, 9:14:37 AM

The following message:

www.hybrisdd.de[195.243.217.212]: 453 <te...@exedio.com>: Sender
address rejected: not logged in as owner; from=<te...@exedio.com>
to=<te...@exedio.com> proto=ESMTP helo=<mail.hybrisdd.de>

does NOT depend on the RECIPIENT. It depends on the SENDER.

The mail is rejected because mail.hybrisdd.de is not SASL authenticated
as the user who owns the te...@exedio.com sender address.

If you must be able to receive the above mail, do one of the
following:

1) whitelist www.hybrisdd.de before the reject_sender_login_mismatch
restriction, perhaps by adding it to mynetworks in main.cf.

2) remove the user from smtpd_sender_login_maps,

3) disable smtpd_sender_login_maps altogether.

Wietse

Thomas Otto

Aug 5, 2003, 9:27:24 AM

Hi Wietse!

Thanks for your hints.
I've solved the problem with some help (special thanks to Ralf Hildebrandt).
Disabling the smtpd_sender_login_maps doesn't solve this problem. (I've
tested it.)
The solution is disabling smtpd_sender_login_maps AND removing
reject_sender_login_mismatch from smtpd_recipient_restrictions.
Now everything is OK, except the fact that every authenticated user is
now able to fake his From: address.

best regards,
Thomas Otto
PS: i get your suggestion 1) as a joke
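
The restriction order discussed in this thread, as a simplified Python model added here (an illustration, not Postfix code and not from any poster). It compares the original list, the list from the last post, and a list using reject_authenticated_sender_login_mismatch, which exists in Postfix 2.1 and later (not in the 2.0.13 used above) and applies the ownership check to SASL-authenticated clients only. Assumptions: all addresses, logins and IP addresses are constructed, each address has one owner, and the RBL checks are left out.

```python
"""Simplified model of how Postfix walks smtpd_recipient_restrictions.
Added illustration; all addresses, logins and IPs are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Session:
    client_ip: str
    sasl_login: Optional[str]  # None: the client did not authenticate
    mail_from: str
    rcpt_to: str


@dataclass
class Config:
    restrictions: List[str]
    sender_login_maps: Dict[str, str]  # MAIL FROM address -> owning SASL login
    mynetworks: List[str]
    local_domains: List[str]


def login_mismatch(s: Session, cfg: Config) -> bool:
    """True when the sender/login ownership rule is violated."""
    owner = cfg.sender_login_maps.get(s.mail_from)
    if s.sasl_login is None:
        # Not logged in, but the sender address has an owner.
        return owner is not None
    # Logged in, but not as the owner of the sender address.
    return owner != s.sasl_login


def evaluate(s: Session, cfg: Config) -> str:
    """Return 'PERMIT' or 'REJECT' from the first restriction that decides."""
    for name in cfg.restrictions:
        if name == "permit_mynetworks":
            if any(ip_address(s.client_ip) in ip_network(n) for n in cfg.mynetworks):
                return "PERMIT"
        elif name == "reject_sender_login_mismatch":
            if login_mismatch(s, cfg):
                return "REJECT"
        elif name == "reject_authenticated_sender_login_mismatch":
            # Same ownership rule, applied to SASL-authenticated clients only.
            if s.sasl_login is not None and login_mismatch(s, cfg):
                return "REJECT"
        elif name == "permit_sasl_authenticated":
            if s.sasl_login is not None:
                return "PERMIT"
        elif name == "reject_unauth_destination":
            if s.rcpt_to.rsplit("@", 1)[1] not in cfg.local_domains:
                return "REJECT"
        elif name == "permit":
            return "PERMIT"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "PERMIT"


OWNERS = {"alice@example.com": "alice", "bob@example.com": "bob"}


def make_config(mismatch_check: Optional[str], maps: Dict[str, str]) -> Config:
    rules = ["permit_mynetworks"]
    if mismatch_check:
        rules.append(mismatch_check)
    rules += ["permit_sasl_authenticated", "reject_unauth_destination", "permit"]
    return Config(rules, maps, ["127.0.0.0/8"], ["example.com"])


CONFIGS = {
    "original": make_config("reject_sender_login_mismatch", OWNERS),
    "thread_fix": make_config(None, {}),  # map disabled, check removed
    "auth_only": make_config("reject_authenticated_sender_login_mismatch", OWNERS),
}

SESSIONS = {
    # Remote MTA forwards alice's own message back via an alias, no SASL.
    "loop_back": Session("192.0.2.10", None, "alice@example.com", "alice@example.com"),
    # alice submits mail under her own address.
    "own_address": Session("198.51.100.7", "alice", "alice@example.com", "carol@example.net"),
    # alice is logged in but uses bob's address as envelope sender.
    "other_address": Session("198.51.100.7", "alice", "bob@example.com", "carol@example.net"),
    # Unauthenticated stranger tries to relay to an outside domain.
    "relay_attempt": Session("203.0.113.5", None, "x@example.org", "carol@example.net"),
}


def decision_table() -> Dict[str, Dict[str, str]]:
    return {cfg_name: {s_name: evaluate(s, cfg) for s_name, s in SESSIONS.items()}
            for cfg_name, cfg in CONFIGS.items()}


if __name__ == "__main__":
    for cfg_name, row in decision_table().items():
        print(f"{cfg_name:11}", row)
```

In the auth_only row the forwarded message is accepted while a logged-in user is still limited to the sender addresses the map assigns to that login.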


Wietse Venema wrote:
> The following message:
>=20


> www.hybrisdd.de[195.243.217.212]: 453 <te...@exedio.com>: Sender

> address rejected: not logged in as owner; from=3D<te...@exedio.com>=

> to=3D<te...@exedio.com> proto=3DESMTP helo=3D<mail.hybrisdd.de>

>=20


> does NOT depend on the RECIPIENT. It depends on the SENDER.

>=20
> The mail is rejected because mail.hybrisdd.de is not SASL authenticated=

> as the user who owns the te...@exedio.com sender address.

>=20


> If you must be able to receive the above mail, do one of the
> following:

>=20


> 1) whitelist www.hybrisdd.de before the reject_sender_login_mismatch
> restriction, perhaps by adding it to mynetworks in main.cf.

>=20


> 2) remove the user from smtpd_sender_login_maps,

>=20
> 3) disable smtpd_sender_login_maps altogether.
>=20
> Wietse
>=20
> Thomas Otto:
>
>>disabling smtpd_sender_login_maps breaks SASL Authentication.
>>any hints to solve my problem?
>>
>>any help appreciated
>>
>>cu tommi
>>
>>Thomas Otto wrote:
>>
>>>yes i know this. that's exactly my problem...
>>>normal sending via SASL Auth must work, and these loop-back mails too.
>>>but these are not authenticated... that's the problem.
>>>would SASL Auth work if i set smtpd_sender_login_maps = "" ?
>>>
>>>cu tommi
>>>
>>>Wietse Venema wrote:
>>>
>>>>You want to receive mail FROM te...@exedio.com WITHOUT SASL
>>>>authentication.
>>
>>the point is that the destination is te...@exedio.com
>>
>>>>Therefore you must turn off the smtpd_sender_login_maps feature.
>>>>
>>>> Wietse
>>>>
>>>>Wietse Venema:
>>>>
>>>>>The smtpd_sender_login_maps feature is described in sample-smtpd.cf.
>>>>>If Postfix behaves contrary to this description, then please point
>>>>>out the problem.
>>>>>
>>>>> Wietse
>>>>>
>>>>>Thomas Otto:
>>>>>
>>>>>>are there really no hints to solve this problem?
>>>>>>
>>>>>>cu tommi
>>>>>>
>>>>>>Thomas Otto wrote:
>>>>>>
>>>>>>>Hi List!
>>>>>>>
>>>>>>>I have a problem with authentication and aliases on remote mail server
>>>>>>>which sends the mail back to my server.
>>>>>>>Postfix 2.0.13 works normal. Authentication with SASL works too.
>>>>>>>Sending to other domains and to local domains work, and receiving
>>>>>>>for local/virtual domains works.
>>>>>>>But when te...@exedio.com send a mail to bl...@domain2.com on another
>>>>>>>mail server and this user has an alias configured to test2@exedio.com,
>>>>>>>my mailserver will reject this mail. This is what's in the logs.
>>>>>>>
>>>>>>>Aug 4 09:15:28 mail postfix/smtpd[22803]: E48E9C6E: reject: RCPT
>>>>>>>from=
>>>>>>>www.hybrisdd.de[195.243.217.212]: 453 <te...@exedio.com>: Sender
>>>>>>>address rejected: not logged in as owner; from=<te...@exedio.com>
>>>>>>>to=<te...@exedio.com> proto=ESMTP helo=<mail.hybrisdd.de>
>>>>>>>
>>>>>>>i know i have reject_unauth_destination, reject_sender_login_mismatch
>>>>>>>and permit_sasl_authenticated in my main.cf and that this cause the
>>>>>>>problem, but how do i work around this?
>>>>>>>
>>>>>>>any help is appreciated
>>>>>>>
>>>>>>>Here is my main.cf:
>>>>>>>
>>>>>>>command_directory = /usr/sbin
>>>>>>>daemon_directory = /usr/lib/postfix
>>>>>>>program_directory = /usr/lib/postfix
>>>>>>>setgid_group = postdrop
>>>>>>># appending .domain is the MUA's job.
>>>>>>>append_dot_mydomain = no
>>>>>>>smtpd_banner = $myhostname ESMTP $mail_name
>>>>>>>biff = no
>>>>>>>#content_filter = vscan:
>>>>>>>soft_bounce = yes
>>>>>>># Uncomment the next line to generate delayed mail warnings
>>>>>>>#delay_warning_time = 4h
>>>>>>>local_recipient_maps=
>>>>>>>myhostname = mail.exedio.com
>>>>>>>relayhost =
>>>>>>>mynetworks = 127.0.0.0/8, 10.20.10.22/32, 10.20.10.3/32, 10.20.10.23/32
>>>>>>>mailbox_command = procmail -a "$EXTENSION"
>>>>>>>mailbox_size_limit = 0
>>>>>>>recipient_delimiter = +
>>>>>>>myorigin = /etc/mailname
>>>>>>>
>>>>>>>#smtp_use_tls = yes
>>>>>>>#smtpd_use_tls = yes
>>>>>>>smtpd_sasl_auth_enable = yes
>>>>>>>smtpd_recipient_restrictions = permit_mynetworks,
>>>>>>>    reject_sender_login_mismatch,
>>>>>>>    permit_sasl_authenticated,
>>>>>>>    reject_unauth_destination,
>>>>>>>    reject_rbl_client relays.ordb.org,
>>>>>>>    reject_rbl_client sbl.spamhaus.org,
>>>>>>>    reject_rbl_client opm.blitzed.org,
>>>>>>>    reject_rbl_client dun.dnsrbl.net,
>>>>>>>    reject_rbl_client zombie.dnsbl.sorbs.net,
>>>>>>>    reject_rbl_client list.dsbl.org,
>>>>>>>    reject_rbl_client blackholes.easynet.nl,
>>>>>>>    reject_rbl_client cbl.abuseat.org,
>>>>>>>    permit
>>>>>>>
>>>>>>>smtpd_sasl_security_options = noanonymous
>>>>>>>smtpd_sasl_local_domain = $myhostname
>>>>>>>smtpd_sender_login_maps = ldap:ldapvirtualmaps
>>>>>>>#mydestination = mail.exedio.com, localhost, localhost.$mydomain, ldap:acceptdomains
>>>>>>>mydestination = localhost, localhost.$mydomain
>>>>>>>
>>>>>>>virtual_alias_maps= ldap:ldapaliases, ldap:ldapvirtualmaps
>>>>>>>virtual_maps= ldap:ldapvirtualmbox
>>>>>>>virtual_mailbox_domains= ldap:acceptdomains
>>>>>>>local_transport = virtual
>>>>>>>
>>>>>>>virtual_mailbox_base = /
>>>>>>>virtual_mailbox_maps = ldap:ldapvirtualmbox
>>>>>>>virtual_uid_maps = static:1500
>>>>>>>virtual_gid_maps = static:1500
>>>>>>>virtual_minimum_uid = 500
>>>>>>>virtual_mailbox_limit = 0
>>>>>>>
>>>>>>>ldapvirtualmbox_server_host = admin1.exedio.com
>>>>>>>ldapvirtualmbox_server_port = 389
>>>>>>>ldapvirtualmbox_bind = yes
>>>>>>>ldapvirtualmbox_bind_dn = cn=admin,dc=exedio,dc=com
>>>>>>>ldapvirtualmbox_bind_pw = XXX
>>>>>>>ldapvirtualmbox_search_base = ou=Dresden,ou=People,dc=exedio,dc=com
>>>>>>>ldapvirtualmbox_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
>>>>>>>ldapvirtualmbox_result_attribute = mailMessageStore
>>>>>>>
>>>>>>>ldapvirtualmaps_server_host = admin1.exedio.com
>>>>>>>ldapvirtualmaps_server_port = 389
>>>>>>>ldapvirtualmaps_bind = yes
>>>>>>>ldapvirtualmaps_bind_dn = cn=admin,dc=exedio,dc=com
>>>>>>>ldapvirtualmaps_bind_pw = XXX
>>>>>>>ldapvirtualmaps_search_base = ou=Dresden,ou=People,dc=exedio,dc=com
>>>>>>>ldapvirtualmaps_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
>>>>>>>ldapvirtualmaps_result_attribute = mail
>>>>>>>
>>>>>>>acceptdomains_server_host = admin1.exedio.com
>>>>>>>acceptdomains_server_port = 389
>>>>>>>acceptdomains_bind = yes
>>>>>>>acceptdomains_bind_dn = cn=admin,dc=exedio,dc=com
>>>>>>>acceptdomains_bind_pw = XXX
>>>>>>>acceptdomains_search_base = ou=Domains,ou=Postfix,dc=exedio,dc=com
>>>>>>>acceptdomains_query_filter = (associatedDomain=%s)
>>>>>>>acceptdomains_result_attribute = associatedDomain
>>>>>>>
>>>>>>>ldapaliases_server_host = admin1.exedio.com
>>>>>>>ldapaliases_server_port = 389
>>>>>>>ldapaliases_bind = yes
>>>>>>>ldapaliases_bind_dn = cn=admin,dc=exedio,dc=com
>>>>>>>ldapaliases_bind_pw = XXX
>>>>>>>ldapaliases_search_base = ou=Aliases,ou=Postfix,dc=exedio,dc=com
>>>>>>>ldapaliases_query_filter = (mail=%s)
>>>>>>>ldapaliases_result_attribute = maildrop
>>>>>>>
>>>>>>>Thomas Otto
>>>>>>
>>>>>>--
>>>>>>hybris GmbH | Dipl. Wirtsch.-Inf.
>>>>>>Förstereistr. 19 | Thomas Otto
>>>>>>D-01099 Dresden | IT-Administration
>>>>>> |
>>>>>>t +49(0)351 4108-100 |
>>>>>>f +49(0)351 4108-199 | thoma...@hybris.de
>>>>>>m +49(0)177 4209 762 | www.hybris.de

--
hybris GmbH | Dipl. Wirtsch.-Inf.
Förstereistr. 19 | Thomas Otto

Wietse Venema

Aug 5, 2003, 9:31:21 AM
Thomas Otto:
> hi wietse!
>
> thanks for your hints.
> i've solved the problem with some help (special thanks to ralf hildebrandt)
> disabling the smtpd_sender_login_maps doesn't solve this problem. (i've
> tested it)
> the solution is disabling smtpd_sender_login_maps AND removing
> reject_sender_login_mismatch from smtpd_recipient_restrictions.
> now everything is ok, except the fact that every authenticated user is
> now able to fake his From: address.
>
> best regards,
> Thomas Otto
> PS: i get your suggestion 1) as a joke

Your solution is worse because it allows EVERYONE on the internet
to fake the sender address of your local users.

My suggestion is better, because it allows only www.hybrisdd.de to
fake the sender address of your local users.

Wietse


Thomas Otto

Aug 5, 2003, 10:01:35 AM
to whitelist this special domain isn't a solution.
following scenario:
us...@domain1.com at our company has a private mail account elsewhere on
the internet, let's say bl...@web.de. on web.de he has a forward entry
activated to his company mail account us...@domain1.com.
now someone else in our company writes an email to the private account
(using SASL auth). this user could be us...@domain1.com.
the mail now arrives at web.de and will be sent back to us.
this message will be rejected because the sender is from domain1.com
and the server wants authentication for this sender.
your suggestion 1) is whitelisting web.de ...
and next week? whitelisting aol.com, mail.com, gmx.de etc. or wherever
the users could have forwarding entries back to us (every mail server)?

i hope no one on the internet can fake the sender addresses of my local
users (except the ones per SASL auth, and that's a problem).

cu tommi


Wietse Venema wrote:
> Thomas Otto:
>
>>hi wietse!
>>
>>thanks for your hints.
>>i've solved the problem with some help (special thanks to ralf hildebrandt)
>>disabling the smtpd_sender_login_maps doesn't solve this problem. (i've
>>tested it)
>>the solution is disabling smtpd_sender_login_maps AND removing
>>reject_sender_login_mismatch from smtpd_recipient_restrictions.
>>now everything is ok, except the fact that every authenticated user is
>>now able to fake his From: address.
>>
>>best regards,
>>Thomas Otto
>>PS: i get your suggestion 1) as a joke
>
> Your solution is worse because it allows EVERYONE on the internet
> to fake the sender address of your local users.
>
> My suggestion is better, because it allows only www.hybrisdd.de to
> fake the sender address of your local users.
>
> Wietse
>

--
hybris GmbH | Dipl. Wirtsch.-Inf.
Förstereistr. 19 | Thomas Otto
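
The trade-off argued over in the last two posts, as an added example that is not part of the thread and not Postfix code: a small model of first-match evaluation of smtpd_recipient_restrictions, run over four constructed SMTP sessions. The addresses, IPs, the one-owner-per-address map and the omission of the reject_rbl_client entries are assumptions; "removed" is Thomas Otto's fix, "whitelist" is suggestion 1), and "auth_only" uses reject_authenticated_sender_login_mismatch, which exists in Postfix 2.1 and later, not in the 2.0.13 discussed here.

```python
"""Model of Postfix first-match restriction evaluation (constructed data, not Postfix code)."""
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"domain1.com"}
OWNERS = {"user1@domain1.com": "user1", "user2@domain1.com": "user2"}  # sender -> SASL login
FORWARDER = "192.0.2.10"  # constructed IP of the outside host that forwards mail back

def login_mismatch(login, sender, authenticated_only=False):
    owner = OWNERS.get(sender)
    if login:  # authenticated: the login must own the MAIL FROM address
        return owner != login
    return owner is not None and not authenticated_only  # unauthenticated client

def evaluate(restrictions, mynetworks, session):
    """Decide one RCPT TO: the first restriction that permits or rejects wins."""
    client, login, sender, rcpt = session
    in_nets = any(ip_address(client) in ip_network(n) for n in mynetworks)
    verdicts = {  # rule -> (does it fire for this session?, action when it fires)
        "permit_mynetworks": (in_nets, "permit"),
        "reject_sender_login_mismatch": (login_mismatch(login, sender), "reject"),
        "reject_authenticated_sender_login_mismatch": (login_mismatch(login, sender, True), "reject"),
        "permit_sasl_authenticated": (login is not None, "permit"),
        "reject_unauth_destination": (rcpt.rsplit("@", 1)[1] not in LOCAL_DOMAINS, "reject"),
        "permit": (True, "permit"),
    }
    for rule in restrictions:
        fires, action = verdicts[rule]
        if fires:
            return action
    return "permit"

def chain(check=None):  # the thread's list minus RBL checks; login check swapped or removed
    return ["permit_mynetworks", *([check] if check else []),
            "permit_sasl_authenticated", "reject_unauth_destination", "permit"]

NETS = ["127.0.0.0/8"]
POLICIES = {
    "original":  (chain("reject_sender_login_mismatch"), NETS),
    "removed":   (chain(), NETS),
    "whitelist": (chain("reject_sender_login_mismatch"), NETS + [FORWARDER + "/32"]),
    "auth_only": (chain("reject_authenticated_sender_login_mismatch"), NETS),
}
SESSIONS = {  # constructed: (client IP, SASL login or None, MAIL FROM, RCPT TO)
    "own_address":  ("198.51.100.7", "user1", "user1@domain1.com", "bl@example.net"),
    "auth_spoof":   ("198.51.100.7", "user1", "user2@domain1.com", "bl@example.net"),
    "forwarded":    (FORWARDER, None, "user2@domain1.com", "user1@domain1.com"),
    "unauth_spoof": ("203.0.113.5", None, "user2@domain1.com", "user1@domain1.com"),
}

def matrix():
    return {name: {k: evaluate(rules, nets, s) for k, s in SESSIONS.items()}
            for name, (rules, nets) in POLICIES.items()}

if __name__ == "__main__":
    print(*matrix().items(), sep="\n")
```

In this model, "removed" accepts all four sessions, "whitelist" accepts the forwarded message only from the listed host, and "auth_only" accepts forwarded mail from any host while still rejecting a logged-in user who uses another user's address.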
