
"smtp_sasl_auth_enable = yes" for specific peers only?


Robert Senger

May 5, 2015, 4:23:13 PM5/5/15
Hi,

I am having trouble sending mail to a specific smtp host, which is
configured for sasl authentication on port 25.

I have configured Postfix to send smtp mail from a small number of local
domains to the recipient domain's mail exchanger, and to send mail from
non local domains such as gmx.de and gmail.com via the appropriate
relays using sender_dependent lists. All worked fine until today.

The peer that causes trouble is using sasl authentication on port 25, to
allow authenticated users to send mail via smtp instead of submission.

However, if I try to send mail from an address within one of my local
domains to this peer, it fails:

May 5 21:46:08 prokyon postfix/smtp[8971]: 983C83CA2:
to=<sup...@anonymized.eu>,
relay=mail.anonymized.de[217.111.111.111]:25, delay=368,
delays=363/1.9/3.1/0, dsn=4.7.8, status=deferred (SASL authentication
failed; server mail.anonymized.de[217.111.111.111] said: 535 5.7.8
Error: authentication failed: authentication failure)

This is what I get when probing the peer:

root@prokyon:/etc/postfix# telnet mail.anonymized.de 25
Trying 217.111.111.111...
Connected to mail.anonymized.de.
Escape character is '^]'.
220 mail.ktit.de ESMTP Postfix
EHLO mydomain.de
250-mail.anonymized.de
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 CRAM-MD5 PLAIN
250-AUTH=LOGIN DIGEST-MD5 CRAM-MD5 PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

So, my own Postfix tries to authenticate to this server, but of course
fails as it does not have any credentials.

I see that this seems to be caused by the smtp_sasl_auth_enable = yes
flag set in main.cf, which I need because without this, Postfix will
never try to authenticate to the sender_dependent relays, e.g. for
gmail.com.

I don't know what to do about this, is there a way to tell Postfix to
only authenticate to those relays defined in sender_dependent, or only
when connecting to the submission port?

Or can this be a misconfiguration at the peer's side?

Thank you for help,

Robert


Wietse Venema

May 5, 2015, 4:46:33 PM5/5/15
You can suppress the remote SMTP server's AUTH announcement with
smtp_discard_ehlo_keyword_maps.

Wietse

Robert Senger

May 5, 2015, 6:09:13 PM5/5/15
Hi Wietse,

thanks, I am using Postfix 2.11, and I assume the parameter is
smtp_discard_ehlo_keyword_address_maps, right?

I tried that, and it worked for the specific peer, thanks again.

But I wonder why I never received any bounced error message. I've seen
Postfix retrying several times in the log, until the message vanished
from the queue.

So, if this happens again with any other peer, is there no way to
detect this kind of failure except by checking the logs?

Regards,

Robert
--
Robert Senger <robert...@microscopium.de>
PGP/GPG Public Key ID: 24E78B5E

Viktor Dukhovni

May 5, 2015, 7:22:25 PM5/5/15
On Tue, May 05, 2015 at 10:22:42PM +0200, Robert Senger wrote:

> I am having trouble sending mail to a specific smtp host, which is
> configured for sasl authentication on port 25.

This should have no impact on your machine, unless you also configure
smtp_sasl_password_maps non-empty, and configure a table entry that
matches the nexthop domain (the smtp host in question).

> I have configured Postfix to send smtp mail from a small number of local
> domains to the recipient domain's mail exchanger, and to send mail from
> non local domains such as gmx.de and gmail.com via the appropriate
> relays using sender_dependent lists. All worked fine until today.

If you do configure sender-dependent SASL authentication, then you
MUST either ensure that all outbound mail from the sender in question
goes through the expected relay (for which the sender has credentials),
via sender_dependent_relayhost_maps, or via a different transport
via sender_dependent_default_transport_maps, so that you never
connect to some other relay expecting to authenticate because you've
configured a sender-specific SASL password.

> The peer that causes trouble is using sasl authentication on port 25, to
> allow authenticated users sending mail via smtp instead of submission.

The trouble is not the peer. It is your server's misconfiguration.
Postfix happily ignores remote "AUTH" by default, unless you've
configured a password for the destination or the sender.

> So, my own Postfix tries to authenticate to this server, but of course
> fails as it does not have any credentials.

It does, for the sender.

> I see that this seems to be caused by the smtp_sasl_auth_enable = yes
> flag set in main.cf, which I need because without this, Postfix will
> never try to authenticate to the sender_dependent relays, e.g. for
> gmail.com.

No, that's not the reason. Even with that on, authentication only
happens to destinations (or for senders) for which you've set a
password.

> I don't know what to do about this, is there a way to tell Postfix to
> only authenticate to those relays defined in sender_dependent, or only
> when connecting to the submission port?
>
> Or can this be a misconfiguration at the peer's side?

Misconfiguration on your side.

--
Viktor.
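
The decision Viktor describes (a password-map hit for the sender or the
next hop is what makes the client send AUTH, regardless of
smtp_sasl_auth_enable) together with the EHLO-keyword workaround Wietse
gave earlier, as an added Python model written for this page; it is not
Postfix code. It re-implements the documented lookup order in simplified
form and assumes smtp_sender_dependent_authentication = yes, as the
thread implies. The table contents, the addresses user@mydomain.de,
user@gmail.com and user.example@gmail.com, the relay IP 203.0.113.25
and the MX stand-in are all constructed; only the peer name and IP come
from the log line above.

```python
"""
Will the Postfix SMTP client try SASL AUTH for this delivery, and with
whose credentials?  A simplified model of the lookup order documented in
postconf(5)/SASL_README, written for this thread; it is not Postfix code.

Simplifications (all assumptions of this example):
  * sender lookup tries the full address, then "@domain" (the real
    mail_addr_find has more fallbacks);
  * next-hop lookup tries the next hop as written, then the server name;
  * DNS/MX and host->IP resolution are replaced by constructed tables;
  * smtp_sasl_security_options and smtp_sasl_auth_enforce are ignored.
"""

# Constructed stand-ins for DNS: recipient domain -> (MX host, IP), host -> IP.
MX = {"anonymized.eu": ("mail.anonymized.de", "217.111.111.111")}
HOST_IP = {"mail.anonymized.de": "217.111.111.111", "smtp.gmail.com": "203.0.113.25"}


def parse_table(text):
    """Parse a Postfix text table ("key value", '#' comments) into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value
    return table


def lookup_sender(table, sender):
    """Sender-keyed lookup: full address first, then @domain (simplified)."""
    if sender in table:
        return table[sender]
    return table.get("@" + sender.partition("@")[2])


def hostname_of(dest):
    """'[smtp.gmail.com]:587' -> 'smtp.gmail.com'; bare domains pass through."""
    if dest.startswith("["):
        return dest[1:dest.index("]")]
    return dest.rsplit(":", 1)[0]


def plan_delivery(cfg, sender, recipient):
    """Return where the mail goes and which SASL username (if any) is offered."""
    tables = cfg["tables"]
    # 1. Next hop: sender_dependent_relayhost_maps, then relayhost, then the MX.
    dest = lookup_sender(tables["sender_dependent_relayhost_maps"], sender) or cfg["relayhost"]
    if dest:
        host = hostname_of(dest)
    else:
        dest = recipient.partition("@")[2]          # next hop = recipient domain
        host = MX[dest][0]
    ip = HOST_IP[host]

    # 2. EHLO: AUTH counts only if the server announces it and
    #    smtp_discard_ehlo_keyword_address_maps does not hide it for this IP.
    discarded = tables["smtp_discard_ehlo_keyword_address_maps"].get(ip, "")
    hidden = discarded.lower().replace(",", " ").split()
    offers_auth = cfg["server_announces_auth"] and "auth" not in hidden

    # 3. Credentials: sender first (smtp_sender_dependent_authentication=yes),
    #    then next hop / server hostname.  No match => no AUTH attempt at all.
    cred = None
    if cfg["smtp_sasl_auth_enable"] and offers_auth:
        pw = tables["smtp_sasl_password_maps"]
        if cfg["smtp_sender_dependent_authentication"]:
            cred = lookup_sender(pw, sender)
        if cred is None:
            cred = pw.get(dest) or pw.get(host)
    return {"dest": dest, "host": host, "auth_user": cred.split(":", 1)[0] if cred else None}


def make_config(sasl_passwd, relayhost_map, discard_map="", sender_dependent_auth=True):
    """Bundle the main.cf settings and tables this model looks at (assumed values)."""
    return {
        "smtp_sasl_auth_enable": True,
        "smtp_sender_dependent_authentication": sender_dependent_auth,
        "relayhost": "",                       # local domains deliver straight to the MX
        "server_announces_auth": True,         # as in the EHLO transcript in the thread
        "tables": {
            "smtp_sasl_password_maps": parse_table(sasl_passwd),
            "sender_dependent_relayhost_maps": parse_table(relayhost_map),
            "smtp_discard_ehlo_keyword_address_maps": parse_table(discard_map),
        },
    }


# Constructed tables mirroring the thread: the gmail relay line for the local
# domain was commented out once the IP became static, but its credentials stayed.
SASL_PASSWD_STALE = """
@mydomain.de        user.example@gmail.com:app-password
user@gmail.com      user.example@gmail.com:app-password
"""
SASL_PASSWD_FIXED = """
user@gmail.com      user.example@gmail.com:app-password
"""
RELAYHOST_MAP = """
#@mydomain.de       [smtp.gmail.com]:587
user@gmail.com      [smtp.gmail.com]:587
"""
DISCARD_AUTH_FOR_PEER = "217.111.111.111    auth"

STALE = make_config(SASL_PASSWD_STALE, RELAYHOST_MAP)
FIXED = make_config(SASL_PASSWD_FIXED, RELAYHOST_MAP)
WORKAROUND = make_config(SASL_PASSWD_STALE, RELAYHOST_MAP, DISCARD_AUTH_FOR_PEER)

if __name__ == "__main__":
    for name, cfg in (("stale", STALE), ("fixed", FIXED), ("workaround", WORKAROUND)):
        print(name, plan_delivery(cfg, "user@mydomain.de", "support@anonymized.eu"))
    print("gmail", plan_delivery(FIXED, "user@gmail.com", "support@anonymized.eu"))
```

With the stale tables the model offers the gmail username to whatever MX
the local sender's mail lands on, which is exactly the 535 in the log;
the fixed tables produce no AUTH attempt, and the discard map suppresses
it for that one peer only. Two practical follow-ups: key smtp_sasl_password_maps
entries by the relay (for example [smtp.gmail.com]:587) rather than by sender
wherever possible, so a credential can only ever be offered to its own
destination, and treat a password that was presented to a third-party
server, in whatever SASL mechanism was negotiated, as exposed and rotate it.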

Robert Senger

May 6, 2015, 4:04:35 AM5/6/15
Hi Viktor,

thank you very much, you gave me the right hint!

In the past, when we had a dynamic ip, we used the gmail relays for
sending mail from the local domains (those relays can be authorized to
send for any domain or email address).

I later commented out these lines in the sender_dependent file when we
got a static IP, but in the sasl_passwd file the login credentials for
the google relays were still present.

So, when Postfix got AUTH from the peer, it tried to authenticate with
the gmail credentials, which of course failed.

Solved, thanks!

Cheers,

Robert