On Mon, Mar 11, 2024 at 5:13 PM Viktor Dukhovni via Postfix-users
<postfix-users@postfix.org> wrote:

Thanks for your patience with me and your help!

> The reject message in your original post was:
>
>     Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
>         reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
>         <au...@domain.name>: Sender address rejected: not owned by user auser;
>         from=<au...@domain.name> to=<anotheru...@anotherdomain.name>
>         proto=ESMTP helo=<mail-oo1-f41.google.com>
>
> Which means that the lookup key "au...@domain.name" does not in fact map
> to "auser" in the indexed (hash table) file:
>
> You can examine the hash table with:
>     postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

Here are the results... To me it would sure seem that
au...@domain.name does map to auser and vice-versa.

  % postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin
  auser
  % postmap -q auser hash:/usr/local/etc/postfix/senderlogin
  au...@domain.name

> Which explains the source of the problem.  Just remove that erroneous
> setting.  The virtual(5) alias table is not your sender -> sasl login
> table.

done

> You should also remove the "smtpd_sasl_auth_enable = yes" from
> "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
> in main.cf set:

No "mail.cf", but only "-o" is left...

> Also in the above submission service set:
>     smtpd_tls_security_level=encrypt

done


BUT the problem remains...

> > I don't see "client=" anywhere in the logs...
>
> Well, it has to be there, unless your syslog configuration filters it
> out.  Here's an example (long line folded) from my system:
>
>     Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
>         00D8B893CE0: client=<censored>, sasl_method=<censored>,
>         sasl_username=<censored>

I truly have no clue why my maillog is so different than yours. I set
"smtpd_tls_loglevel = 2" and here's the log (on the machine running
postfix @ domain.name) from gmail connecting, and logging in as
"auser" and then trying to send an email as "auser" back to me here at
gmail:

Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: initializing the server-side TLS engine
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: connect from mail-ua1-f50.google.com[209.85.222.50]
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: setting up TLS connection from mail-ua1-f50.google.com[209.85.222.50]
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: mail-ua1-f50.google.com[209.85.222.50]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:before SSL initialization
Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS read client hello
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write server hello
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 write encrypted extensions
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write certificate
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 write server certificate verify
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write finished
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 early data
Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS read finished
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: mail-ua1-f50.google.com[209.85.222.50]: Issuing session ticket, key expiration: 1710210430
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write session ticket
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: Anonymous TLS connection established from mail-ua1-f50.google.com[209.85.222.50]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE: reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1 <au...@domain.name>: Sender address rejected: not owned by user auser; from=<au...@domain.name> to=<glenn.ten...@gmail.com> proto=ESMTP helo=<mail-ua1-f50.google.com>
Mar 11 18:57:12 MACHINE postfix/submission/smtpd[40225]: disconnect from mail-ua1-f50.google.com[209.85.222.50] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=6/8


And with all of the various changes made, here's the most recent postconf -Mf

smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_wrappermode=no
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
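
Added example (not part of the original message, and not Postfix code): a small Python parser for the "Sender address rejected: not owned by user" rejection seen in the log above, extracting the SASL login, claimed sender and client from each line. The log lines, hosts and addresses are constructed, and the `same_localpart` flag is a heuristic assumed by this example.

```python
import re

# Matches the smtpd rejection logged when the authenticated SASL login is not
# accepted as owner of the MAIL FROM address (message format as in the thread).
MISMATCH = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\]: 553 5\.7\.1 <(?P<sender>[^>]*)>: "
    r"Sender address rejected: not owned by user (?P<login>[^;]+); "
    r"from=<[^>]*> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample log lines (placeholder hosts, addresses and PIDs).
SAMPLE_LOG = """\
Mar 11 18:57:11 mx1 postfix/submission/smtpd[40225]: connect from client.example.net[192.0.2.10]
Mar 11 18:57:11 mx1 postfix/submission/smtpd[40225]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 553 5.7.1 <alice@example.org>: Sender address rejected: not owned by user alice; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<client.example.net>
Mar 11 19:02:40 mx1 postfix/submission/smtpd[40301]: NOQUEUE: reject: RCPT from host.example.net[198.51.100.7]: 553 5.7.1 <ceo@example.org>: Sender address rejected: not owned by user carol; from=<ceo@example.org> to=<bob@example.com> proto=ESMTP helo=<host.example.net>
Mar 11 19:02:41 mx1 postfix/submission/smtpd[40301]: disconnect from host.example.net[198.51.100.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
"""

def find_mismatches(log_text):
    """Return one dict per sender/login mismatch rejection in log_text."""
    events = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue
        ev = m.groupdict()
        local = ev["sender"].partition("@")[0]
        # Heuristic (assumption of this example): a login equal to the sender's
        # local part suggests a login-map problem, not a foreign sender address.
        ev["same_localpart"] = local.lower() == ev["login"].lower()
        events.append(ev)
    return events

def by_login(events):
    """Group rejected sender addresses by the SASL login that tried them."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["login"], set()).add(ev["sender"])
    return grouped

if __name__ == "__main__":
    for ev in find_mismatches(SAMPLE_LOG):
        kind = "check login map" if ev["same_localpart"] else "foreign sender"
        print(f'{ev["login"]} -> {ev["sender"]} from {ev["ip"]} ({kind})')
```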
