On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote:

> Gmail can login to the imap as "auser", but...  when it tries to send
> as "au...@domain.name" I get the following error:
> 
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> <au...@domain.name>: Sender address rejected: not owned by user auser;
> from=<au...@domain.name> to=<anotheru...@anotherdomain.name>
> proto=ESMTP helo=<mail-oo1-f41.google.com>

You've implemented smtpd_sender_login_maps and
reject_sender_login_mismatch or an equivalent variant, but the entry
for that sender address does not list the actual SASL login used (which
is shown in an earlier log entry for the same SMTP transaction).

> I'm guessing that the issue is that postfix/dovecot sees only "auser"
> and if instead it saw "au...@domain.name" it would work, but I
> couldn't find any way to be able to login that way.

No, the issue is the content of your sender login table.

> (2) Postfix sends to gmail, but does not encrypt when sending.

You need to enable outbound STARTTLS, possibly mandatory for
"smtp.gmail.com", ideally even with certificate checks, to avoid leaking
the account password in case of an MiTM attack.  Is this submission
traffic, or traffic to random gmail users?

> shlib_directory = /usr/local/lib/postfix
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1

Missing "smtp_tls_security_level = may".  And if doing submission via
GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
though it is not yet clear how you route mail to the GMail submission
service.

> smtpd_sasl_auth_enable = yes

Best done only for the TLS submission ports, in master.cf and left
disabled on port 25.

> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

This (combined with unposted definitions, postconf -Mf, of the
submission services in master.cf) is the source of breakage in #1.

> smtpd_tls_protocols = !SSLv2, !SSLv3

Just use the default.

> smtpd_tls_security_level = may
> smtpd_use_tls = yes

The second is redundant and obsolete (deprecated).

If you post also the "client=" log entry for the transaction of
interest, the "postconf -Mf" output and the content of the sender login
table, more help will be possible.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
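As an added illustration of the two fixes the reply describes (this is not configuration from the thread or from the Postfix project; the address auser@example.com, the login "auser", the file paths and the GMail relayhost are assumptions), here is a minimal layout with the sender login table, the TLS policy entry for "[smtp.gmail.com]:587", outbound STARTTLS enabled, and SASL plus reject_sender_login_mismatch confined to the submission service in master.cf:

```conf
# --- /etc/postfix/senderlogin   (build with: postmap /etc/postfix/senderlogin)
# key: envelope sender (MAIL FROM); value: SASL login name(s) that own it.
# The rejection "not owned by user auser" means the value for the sender
# address did not contain the login "auser".
auser@example.com     auser
# several logins may share one address, comma-separated
shared@example.com    auser, otheruser

# --- /etc/postfix/tls_policy    (build with: postmap /etc/postfix/tls_policy)
# mandatory TLS with certificate verification for the GMail submission service,
# so a MITM cannot downgrade the session and capture the SASL password
[smtp.gmail.com]:587  secure match=smtp.gmail.com

# --- main.cf
# outbound STARTTLS: opportunistic by default; the policy table is only
# consulted when the security level is not "none", so this line is required
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# sender ownership table; enforced only where reject_sender_login_mismatch is listed
smtpd_sender_login_maps = hash:/etc/postfix/senderlogin
# SASL stays off on port 25 (the default) and is enabled per service in master.cf
smtpd_sasl_auth_enable = no
# assumption: all outbound mail is relayed through GMail submission;
# sasl_passwd holds "[smtp.gmail.com]:587  account@gmail.com:password"
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# --- master.cf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

To check the table before restarting, `postmap -q auser@example.com hash:/etc/postfix/senderlogin` should print the login name(s) that own the address; an empty result or a result that does not include the login seen in the "client=" log line is exactly what produces the 553 rejection. `postconf -Mf submission/inet` shows the effective per-service overrides, which is the output the reply asks for.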