On 30.09.2024 at 18:53:29, Antonin VERRIER via Postfix-users wrote:

> For context, I'm using Dovecot submission service, which handles
> connections from SMTP client and, if authentication is successful,
> proxies them to a dedicated Postfix port and provides client data
> using XCLIENT.
>
> From the logs, I can see Postfix does consider the clients to be
> authenticated. However when evaluating relay restrictions, the check
> "permit_sasl_authenticated" fails but "reject_sender_login_mismatch"
> succeeds (i.e. doesn't reject the client).
>
> Is this intended behavior? If so, what is the recommended way to
> integrate XCLIENT authentication with "smtpd_relay_restrictions"?
>
> Setting "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
> doesn't work (clients get rejected), which is how I stumbled onto
> this whole thing.
>
> In theory, just "smtpd_relay_restrictions=permit" would make sense
> in my scenario as the client doesn't get to speak to Postfix until
> it has been successfully authenticated by Dovecot. But that just
> makes Postfix angry ("fatal: in parameter smtpd_relay_restrictions
> or smtpd_recipient_restrictions, specify at least one working
> instance of: reject_unauth_destination, defer_unauth_destination,
> reject, defer, defer_if_permit or check_relay_domains").
>
> So I ended up with "smtpd_relay_restrictions =check_client_access
> static:{OK},reject", but that looks like an ugly hack.

As clients are preauthenticated by Dovecot, there's no need to authenticate them again in Postfix, as you noticed. Just permit all connections coming from localhost.

"smtpd_relay_restrictions=permit_mynetworks,reject" should do what you want. While I don't know the exact value of your "mynetworks" parameter, it almost always includes localhost :).

Normally one does always start the restrictions with "permit_mynetworks", so you wouldn't run into the issue you just described.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
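
Added example, not part of either message and not configuration posted by the thread's participants: the workaround quoted above, scoped to the dedicated Dovecot-facing port so the unconditional permit cannot reach any other smtpd listener. The listener address 127.0.0.1:10587, the syslog_name value and the parameter name dovecot_relay_restrictions are assumptions.

```conf
# main.cf
# User-defined parameter (hypothetical name) holding the relay policy
# from the quoted message. Keeping it here avoids whitespace inside a
# master.cf "-o" override. The trailing "reject" satisfies the startup
# check quoted in the fatal error above.
dovecot_relay_restrictions = check_client_access static:{OK}, reject

# The global policy for every other smtpd listener stays strict.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination

# master.cf
# Dedicated listener for the Dovecot submission proxy only.
# Address and port are assumptions; use the port Dovecot relays to.
# Bound to loopback: the permissive policy below is only safe while
# nothing except the authenticating proxy can connect here.
127.0.0.1:10587 inet n - n - - smtpd
  -o syslog_name=postfix/dovecot-submission
  -o smtpd_authorized_xclient_hosts=127.0.0.1
  -o smtpd_relay_restrictions=$dovecot_relay_restrictions

# Notes on the overrides:
# - smtpd_authorized_xclient_hosts limits who may send XCLIENT at all;
#   list only the host Dovecot connects from.
# - Address-based rules such as permit_mynetworks are evaluated against
#   the client address as overridden by XCLIENT ADDR, when the proxy
#   forwards one, not against the proxy's own address.
# - If Dovecot runs on another host, bind to an internal address and
#   firewall the port to that host instead of using loopback.
```

After reloading, `postconf -P` prints the per-service overrides from master.cf, which confirms that the permissive policy is attached to this listener alone.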