Hello,
I'm a bit confused about whether Postfix considers a client
authenticated using XCLIENT to be SASL-authenticated or not.
Apparently "permit_sasl_authenticated" says no but
"reject_sender_login_mismatch" says yes.
For context, I'm using the Dovecot submission service, which handles
connections from SMTP clients and, if authentication is successful,
proxies them to a dedicated Postfix port and provides client data using
XCLIENT.
From the logs, I can see Postfix does consider the clients to be
authenticated. However, when evaluating relay restrictions, the check
"permit_sasl_authenticated" fails but "reject_sender_login_mismatch"
succeeds (i.e. doesn't reject the client).
Is this intended behavior? If so, what is the recommended way to
integrate XCLIENT authentication with "smtpd_relay_restrictions"?
Setting "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
doesn't work (clients get rejected), which is how I stumbled onto this
whole thing.
In theory, just "smtpd_relay_restrictions=permit" would make sense in my
scenario as the client doesn't get to speak to Postfix until it has been
successfully authenticated by Dovecot. But that just makes Postfix angry
("fatal: in parameter smtpd_relay_restrictions or
smtpd_recipient_restrictions, specify at least one working instance of:
reject_unauth_destination, defer_unauth_destination, reject, defer,
defer_if_permit or check_relay_domains").
So I ended up with "smtpd_relay_restrictions = check_client_access
static:{OK}, reject", but that looks like an ugly hack.
Here are the interesting bits from the logs:
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: < localhost[::1]:
XCLIENT HELO=[10.4.12.109] PROTO=ESMTP LOGIN=[REDACTED-USERNAME]
PORT=50797 ADDR=10.4.12.109
[...]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: >>> START Sender
address RESTRICTIONS <<<
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_authenticated_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: ctable_locate:
leave existing entry key ?[REDACTED-EMAIL]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: maps_find:
smtpd_sender_login_maps:
hash:/etc/postfix/relay-logins(0,lock|fold_fix|utf8_request):
[REDACTED-EMAIL] = [REDACTED-USERNAME]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: mail_addr_find:
[REDACTED-EMAIL] -> [REDACTED-USERNAME]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_authenticated_sender_login_mismatch status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_unauthenticated_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_unauthenticated_sender_login_mismatch status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: >>> END Sender
address RESTRICTIONS <<<
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=reject_sender_login_mismatch status=0
[...]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=permit_sasl_authenticated
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks:
name=permit_sasl_authenticated status=0
[...]
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: 8FE93E003C:
client=localhost[10.4.12.109], sasl_method=XCLIENT,
sasl_username=[REDACTED-USERNAME]
Any thoughts?
Thanks!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
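The trace quoted in the post is what a verbose smtpd (smtpd -v or debug_peer_list) logs for each restriction it evaluates. The script below is an added example for reading such traces; it is not part of the post and not Postfix code. It groups the "generic_checks:" lines by smtpd process id, records the attributes the proxy supplied with XCLIENT and the final "client=... sasl_method=... sasl_username=..." line, and lists the sessions where a sasl_method is logged but "permit_sasl_authenticated" returned DUNNO, which is exactly the combination the post describes. The embedded sample log is constructed: the first session mirrors the quoted lines (with "alice" standing in for the redacted username), the second session is an invented PLAIN login on the same port, added only for contrast. The mapping of the numeric "status=N" values to DUNNO/OK/REJECT is assumed from Postfix's SMTPD_CHECK_* constants.

```python
"""Summarise Postfix smtpd restriction traces (smtpd -v / debug_peer_list output).

Added example for this thread, not Postfix code: groups "generic_checks:" lines
per smtpd process, keeps the XCLIENT attributes and the final client= line, and
flags sessions logged as SASL-authenticated where permit_sasl_authenticated
returned DUNNO.
"""
import re
from collections import defaultdict

# Constructed sample. Session 146485 mirrors the lines quoted in the post
# ("alice" replaces the redacted username); session 146490 is invented to show
# a plain SASL login on the same port for contrast.
SAMPLE_LOG = """\
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: < localhost[::1]: XCLIENT HELO=[10.4.12.109] PROTO=ESMTP LOGIN=alice PORT=50797 ADDR=10.4.12.109
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_authenticated_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_authenticated_sender_login_mismatch status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_unauthenticated_sender_login_mismatch
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_unauthenticated_sender_login_mismatch status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=reject_sender_login_mismatch status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=permit_sasl_authenticated
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: generic_checks: name=permit_sasl_authenticated status=0
Sep 30 16:48:03 mail postfix/submission/smtpd[146485]: 8FE93E003C: client=localhost[10.4.12.109], sasl_method=XCLIENT, sasl_username=alice
Sep 30 16:49:10 mail postfix/submission/smtpd[146490]: generic_checks: name=permit_sasl_authenticated
Sep 30 16:49:10 mail postfix/submission/smtpd[146490]: generic_checks: name=permit_sasl_authenticated status=1
Sep 30 16:49:10 mail postfix/submission/smtpd[146490]: 9A01CE0041: client=laptop.example[10.4.12.110], sasl_method=PLAIN, sasl_username=bob
"""

# Assumed meaning of "status=N": the SMTPD_CHECK_* constants in smtpd_check.h
# (0 = DUNNO, i.e. restriction did not apply; 1 = OK; 2 = REJECT).
STATUS_NAMES = {0: "DUNNO", 1: "OK", 2: "REJECT"}

LINE_RE = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(\d+)\]: (.*)$")
XCLIENT_RE = re.compile(r"^< \S+: XCLIENT (.*)$")
CHECK_RE = re.compile(r"^generic_checks: name=(\S+)(?: status=(\d+))?$")
CLIENT_RE = re.compile(r"^([0-9A-Za-z]+): (client=.*)$")


def parse_sessions(log_text):
    """Return {pid: {"xclient": {...}, "checks": [(name, status)], "queue_id", "client": {...}}}."""
    sessions = defaultdict(lambda: {"xclient": {}, "checks": [], "queue_id": None, "client": {}})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an smtpd line
        pid, text = m.groups()
        s = sessions[pid]
        if (x := XCLIENT_RE.match(text)):
            # XCLIENT attributes are space-separated NAME=VALUE pairs.
            s["xclient"].update(kv.split("=", 1) for kv in x.group(1).split())
        elif (c := CHECK_RE.match(text)):
            name, status = c.groups()
            if status is not None:  # only the second line of each pair carries the result
                s["checks"].append((name, STATUS_NAMES.get(int(status), status)))
        elif (q := CLIENT_RE.match(text)):
            s["queue_id"] = q.group(1)
            s["client"] = dict(item.split("=", 1) for item in q.group(2).split(", "))
    return dict(sessions)


def result_of(session, restriction):
    """Outcome of the last evaluation of a named restriction in this session, or None."""
    outcomes = [status for name, status in session["checks"] if name == restriction]
    return outcomes[-1] if outcomes else None


def sasl_but_not_permitted(sessions):
    """PIDs whose client= line carries a sasl_method while permit_sasl_authenticated
    returned DUNNO: the session is logged as authenticated but that restriction
    did not treat it as SASL-authenticated."""
    return sorted(
        pid for pid, s in sessions.items()
        if s["client"].get("sasl_method")
        and result_of(s, "permit_sasl_authenticated") == "DUNNO"
    )


def report(sessions):
    """Human-readable per-session summary of the restriction outcomes."""
    lines = []
    for pid, s in sorted(sessions.items()):
        lines.append(
            f"smtpd[{pid}] queue={s['queue_id']} xclient_login={s['xclient'].get('LOGIN')} "
            f"sasl_method={s['client'].get('sasl_method')} "
            f"sasl_username={s['client'].get('sasl_username')}"
        )
        lines.extend(f"  {name}: {status}" for name, status in s["checks"])
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    print(report(found))
    print("sasl_method logged but permit_sasl_authenticated DUNNO:", sasl_but_not_permitted(found))
```

Feed it real output with `parse_sessions(open("/var/log/mail.log").read())`; the per-restriction status list shows, in evaluation order, which entry of smtpd_relay_restrictions actually decided the session, which is quicker than reading the interleaved trace by hand.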