Hey Viktor

On Sat, 2025-08-09 at 15:26 +1000, Viktor Dukhovni via Postfix-users wrote:
> As expected, because with "smtpd_delay_reject = no", all checks that
> require *future* data that is not available at the time of evaluation are
> skipped.  Since with "smtpd_delay_reject = no" the client restrictions
> are evaluated at connect (before issuing the SMTP server's banner),
> it is *impossible* to evaluate SASL restrictions.
> 
> This is NOT in any way specific to SASL, the same applies to:
> 
>     # This has unavoidable semantic consequences beyond mere timing...
>     #
>     smtpd_delay_reject = no
> 
>     # Pointless, all the checks are premature and ignored.
>     # Only the client IP address, rDNS name, and FCrDNS name are known.
>     #
>     smtpd_client_restrictions =
>         check_sender_access inline:{{j...@example.com = reject}},
>         permit_sasl_authenticated,
>         reject_unauth_destination
> 
>     # Pointless, all the checks are premature and ignored.
>     # In addition to the above, only the client helo name is known.
>     #
>     smtpd_helo_restrictions =
>         permit_sasl_authenticated,
>         check_sender_access inline:{{j...@example.com = reject}},
>         reject_unauth_destination
> 
> The solution for "permit_sasl_authenticated" is to evaluate it in the
> sender restrictions or later, with "smtpd_delay_reject = no", both the
> client and helo restrictions are too early for what should be obvious
> reasons.
> 

Well, the example in Postfix Configuration Parameters suggests using the
"smtpd_client_restrictions" stage for configuration, as:
----
 To reject all SMTP connections from unauthenticated clients, specify
 "smtpd_delay_reject = yes" (which is the default) and use:

    smtpd_client_restrictions = permit_sasl_authenticated, reject
----

"Pointless" is probably not the word to use here.  The posting is a Feature
Request for a Documentation Update, *because* the points you make are not
obvious to someone in need of documentation, being those people who do not
already know how postfix is supposed to work.

That's the point.

By trial and error, I have a configuration that works, but I'm still clueless
about the workings of "reject_authenticated_sender_login_mismatch", if you can
help in understanding that one?

Thanks

> --
>     Viktor.  🇺🇦 Слава Україні!

James   🇺🇦 Перемога для України!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
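
The stage-ordering rule discussed in this thread can be checked mechanically. The following is an added example, not part of the thread and not Postfix's own tooling: a small lint that flags restrictions placed in a list that runs before their input exists when "smtpd_delay_reject = no". The NEEDS table, the function names and both sample configurations are assumptions constructed for illustration from the quoted explanation.

```python
import re

# Evaluation order of the restriction lists (relay and recipient lists both run at RCPT TO).
STAGE = {"smtpd_client_restrictions": 0, "smtpd_helo_restrictions": 1,
         "smtpd_sender_restrictions": 2, "smtpd_relay_restrictions": 3,
         "smtpd_recipient_restrictions": 3}
# Earliest stage at which each check has its input (assumed table, taken from the thread).
NEEDS = {"permit_sasl_authenticated": 2,   # SASL login: sender stage or later
         "check_sender_access": 2,         # MAIL FROM address
         "reject_unauth_destination": 3}   # RCPT TO address

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines and skipping comments."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:     # continuation of the previous parameter
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value
    return params

def premature_checks(text):
    """List (parameter, restriction) pairs that are ignored when smtpd_delay_reject = no."""
    params = parse_main_cf(text)
    if params.get("smtpd_delay_reject", "yes").lower() != "no":
        return []                          # default: evaluation is deferred to RCPT TO
    found = []
    for param, stage in STAGE.items():
        for token in re.split(r"[,\s]+", params.get(param, "")):
            if NEEDS.get(token, 0) > stage:
                found.append((param, token))
    return found

# Constructed sample configurations (not taken from a real server).
BROKEN = """\
smtpd_delay_reject = no
smtpd_client_restrictions =
    check_sender_access inline:{{user@example.com = reject}},
    permit_sasl_authenticated,
    reject_unauth_destination
"""
FIXED = """\
smtpd_delay_reject = no
# The SASL login is known from MAIL FROM onwards.
smtpd_sender_restrictions = permit_sasl_authenticated, reject
"""

if __name__ == "__main__":
    for param, check in premature_checks(BROKEN):
        print(f"{param}: {check} is evaluated too early and ignored")
```
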