> On Sat, Jan 22, 2022 at 02:03:29PM -0500, Joe Acquisto-j4 wrote:
>
>> > IIRC Wietse already suggested a work-around, by making the
>> > sender-dependent authentication settings be transport-specific.
>> >
>> > In particular the internal nexthop that does not do SASL should be
>> > handled by a transport in which sender-dependent authentication is
>> > disabled.
>>
>> I do desire outgoing email, with the "next hop" being my ISP, to have
>> sender dependent authentication. Incoming email, once processed by
>> Postfix, SA, ClamAV, is sent to "the last hop" which does no
>> authentication.
>
> Sure, which means that the (smtp) transport used for that nexthop should
> have sender dependent authentication enabled.
>
>> I do get, I think, the point you illuminate in your last paragraph
>> that in my case, a specific inbound transport must be defined for all
>> incoming messages and this transport must not specify authentication.
>
> By not enabling sender dependent authentication for the (smtp) transport
> used to reach the internal mailstore.
>
>> However, I get a bit fuzzy about any distinction between "sender
>> dependent authentication" and "no authentication". Presumably that
>> will require somewhat different configuration than Wietse described?

Thanks for your continued efforts.

> Postfix attempts to use SASL authentication when:
>
>   * smtp_sasl_enable=yes
>   * and either
>       - smtp_sender_dependent_authentication = yes and
>         smtp_sasl_password_maps contains a match for the sender, OR
>       - smtp_sasl_password_maps contains a match for the nexthop or
>         just the underlying hostname extracted from the nexthop
>         [host]:port or the like.
>
> Therefore your master.cf file needs to have at least one additional
> smtp-based transport, with either SASL disabled entirely, and/or
> sender-dependent authentication disabled, or perhaps a variant
> password table... Below all three are set to "discourage" use
> of SASL:
>
> noauth unix - - n - - smtp
>   -o smtp_sasl_enable=no
>   -o smtp_sender_dependent_authentication=no
>   -o smtp_sasl_password_maps=

My initial attempts did not produce the desired result. Do I need to
set all three options or just the first? When I use all three, the log shows invalid
comment for smtp

> With this, just make sure that deliveries to the internal mailstore
> use the "noauth" transport:
>
> internal.example noauth:[gateway.example]

This I took to be an entry in /etc/postfix/transport. Is that correct?

joe a.

>> In any event I am nagged however by what causes Postfix to attempt
>> authentication, for this oddball email when others sent to the same
>> user do not, with the same configuration.
>
> See above. You enabled authentication by enabling sender-dependent
> authentication and configuring a table with passwords specified for
> the sender addresses in question.

I still see a distinction but, let's just move on and see if it can be set to
rights.

joe a.
---------------------------------
j4computers, llc
Stone Ridge, NY 12484
845-687-3734
www.j4computers.com
---------------------------------
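
Added example, not part of the thread and not Postfix code: a simplified Python model of the SASL decision rules quoted above, showing why a sender with a password-table entry triggers authentication even toward the internal nexthop, and how the "noauth" transport overrides stop it. The sender addresses, the `[isp.example]:587` entry and the credentials are constructed; the nexthop parsing is an assumption covering only `host`, `host:port`, `[host]` and `[host]:port`.

```python
import re

def bare_host(nexthop):
    """Strip brackets and port from a nexthop such as [host]:port."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\w+)?", nexthop)
    if m:
        return m.group(1)
    return nexthop.rsplit(":", 1)[0] if ":" in nexthop else nexthop

def sasl_attempted(params, sender, nexthop):
    """Apply the rules from the quoted reply to one delivery."""
    if params.get("smtp_sasl_enable") != "yes":
        return False
    passwords = params.get("smtp_sasl_password_maps") or {}
    # Rule 1: sender-dependent authentication with a sender match.
    if (params.get("smtp_sender_dependent_authentication") == "yes"
            and sender in passwords):
        return True
    # Rule 2: a match on the nexthop as written, or on its bare hostname.
    return nexthop in passwords or bare_host(nexthop) in passwords

# Constructed password table: one per-sender entry, one per-nexthop entry.
PASSWORDS = {
    "joe@example.org": "joe:placeholder-secret",
    "[isp.example]:587": "account:placeholder-secret",
}

# Settings inherited by the default smtp transport.
MAIN_CF = {
    "smtp_sasl_enable": "yes",
    "smtp_sender_dependent_authentication": "yes",
    "smtp_sasl_password_maps": PASSWORDS,
}

# The "noauth" transport: the three -o overrides from the quoted master.cf entry.
NOAUTH = {
    **MAIN_CF,
    "smtp_sasl_enable": "no",
    "smtp_sender_dependent_authentication": "no",
    "smtp_sasl_password_maps": {},
}

if __name__ == "__main__":
    internal = "[gateway.example]"
    for name, params in (("smtp", MAIN_CF), ("noauth", NOAUTH)):
        for sender in ("joe@example.org", "stranger@elsewhere.example"):
            print(name, sender, internal, sasl_attempted(params, sender, internal))
```
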