On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote:

> Gmail can login to the imap as "auser", but... when it tries to send
> as "au...@domain.name" I get the following error:
>
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> <au...@domain.name>: Sender address rejected: not owned by user auser;
> from=<au...@domain.name> to=<anotheru...@anotherdomain.name>
> proto=ESMTP helo=<mail-oo1-f41.google.com>

You've implemented smtpd_sender_login_maps and reject_sender_login_mismatch
or an equivalent variant, but the entry for that sender address does list
the actual SASL login used (which is shown in an earlier log entry for the
same SMTP transaction).

> I'm guessing that the issue is that postfix/dovecot sees only "auser"
> and if instead it saw "au...@domain.name" it would work, but I
> couldn't find any way to be able to login that way.

No, the issue is the content of your sender login table.

> (2) Postfix sends to gmail, but does not encrypt when sending.

You need to enable outbound STARTTLS, possibly mandatory for
"smtp.gmail.com", ideally even with certificate checks, to avoid leaking
the account password in case of an MiTM attack. Is this submission
traffic, or traffic to random gmail users?

> shlib_directory = /usr/local/lib/postfix
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1

Missing "smtp_tls_security_level = may". And if doing submission via
GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
though it is not yet clear how you route mail to the GMail submission
service.

> smtpd_sasl_auth_enable = yes

Best done only for the TLS submission ports, in master.cf, and left
disabled on port 25.

> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

This (combined with unposted definitions, postconf -Mf, of the submission
services in master.cf) is the source of breakage in #1.

> smtpd_tls_protocols = !SSLv2, !SSLv3

Just use the default.

> smtpd_tls_security_level = may
> smtpd_use_tls = yes

The second is redundant and obsolete (deprecated).

If you post also the "client=" log entry for the transaction of interest,
the "postconf -Mf" output and the content of the sender login table, more
help will be possible.

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
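A configuration fragment that applies the fixes Viktor lists above, added here as an example and not taken from the thread or from the Postfix distribution. It assumes the table file paths shown, that outbound mail is relayed through Gmail's submission service (hence the relayhost and client SASL settings), and a constructed senderlogin entry mapping the sender address to the SASL login "auser".

```conf
# --- main.cf (outbound side) ---
# Opportunistic STARTTLS for all destinations; the policy table below makes
# it mandatory, with certificate verification, for the Gmail submission
# service so the account password cannot be captured by a MiTM.
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy
# Assumed: outbound mail is relayed through Gmail with client-side SASL.
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# --- main.cf (inbound side) ---
# No smtpd_sasl_auth_enable here: SASL stays off on port 25 and is turned
# on per-service in master.cf. The sender-to-login table is global, the
# mismatch restriction is applied only on the submission service.
smtpd_tls_security_level = may
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

# --- /usr/local/etc/postfix/tls_policy (run "postmap" after editing) ---
# nexthop                 level  certificate name that must match
[smtp.gmail.com]:587      secure match=smtp.gmail.com

# --- /usr/local/etc/postfix/senderlogin (constructed; run "postmap") ---
# sender address          SASL login name(s) allowed to use that address
auser@example.com         auser

# --- master.cf: SASL and the login check only on the TLS submission port ---
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this table, a client that authenticated as "auser" may send as auser@example.com, and any other sender address is rejected with the 553 "not owned by user" response seen in the log.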