Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-13 Thread Andrey Repin
Greetings, Jan Ceuleers!

> On 12/12/2018 20:55, Viktor Dukhovni wrote:
>>
>>> On Dec 12, 2018, at 2:48 PM, Daniel Miller  wrote:
>>>
>>> Not wanting to get in the way of the experts but this may help:
>> Indeed a nice succinct and accessible answer for non-experts.  Please
>> don't hesitate to post similarly helpful replies.
>>
> Unfortunately that answer has not made it to the list (or at least not yet)

http://postfix.1071664.n5.nabble.com/ignore-SASL-Auth-to-specific-server-internal-exchange-relay-tp98764p98779.html


-- 
With best regards,
Andrey Repin
Thursday, December 13, 2018 22:19:58

Sorry for my terrible english...



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-13 Thread Jan Ceuleers
On 12/12/2018 20:55, Viktor Dukhovni wrote:
>
>> On Dec 12, 2018, at 2:48 PM, Daniel Miller  wrote:
>>
>> Not wanting to get in the way of the experts but this may help:
> Indeed a nice succinct and accessible answer for non-experts.  Please
> don't hesitate to post similarly helpful replies.
>
Unfortunately that answer has not made it to the list (or at least not yet)


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-13 Thread Stefan Bauer
thank you for your help folks! Yes that indeed helped to understand the
process!

On Wed, 12 Dec 2018 at 20:48, Daniel Miller wrote:

> Not wanting to get in the way of the experts but this may help:
>
> An oversimplified view of the transport map is it tells Postfix what line
> in master.cf to use for a given recipient domain (or full address).
> There's only one transport map but it can have several lines for individual
> decisions.
>
> Wietse's email told you to perform a command-line test to verify your
> transport map is setup correctly.  So do that first.
>
> The definitions in master.cf tell Postfix where to listen and where to
> send the message.  So with an explicit transport mapping, using master.cf
> you provide explicit overrides to the defaults or global settings from
> main.cf.  So if the only "special" behavior you need for the exchange
> transport is no sasl:
> exchange  unix -   -   n   -   -   smtp
>  -o smtp_sender_dependent_authentication=no
>
> Daniel
>
>
> On 12/11/2018 1:40 PM, Stefan Bauer wrote:
>
> thank you for your help!
>
> If i understood you correctly, i set in transport:
>
> domain1.de    exchange:
>
> In master.cf
>
> exchange  unix -   -   n   -   -   smtp
>  -o smtp_sender_dependent_authentication=no
>  -o transport_maps=hash:/etc/postfix/transport_internal
>
> And in transport_internal
>
> domain1.de    smtp:192.168.124.5:2525
>
> but this way, postfix is doing a MX-lookup for domain1.de and not
> honoring transport_internal as it seems.
>
> Is this basically the right path?
>
>
> On Tue, 11 Dec 2018 at 21:48, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> > On Dec 11, 2018, at 3:41 PM, Stefan Bauer 
>> wrote:
>> >
>> > Can you recommend appropriate manual(s)? I dont understand what you
>> mean with separate transport.
>>
>> http://www.postfix.org/master.5.html
>> http://www.postfix.org/transport.5.html
>> http://www.postfix.org/ADDRESS_REWRITING_README.html
>> http://www.postfix.org/FILTER_README.html#advanced_filter
>>   ( Advanced content filter: sending unfiltered mail to the content
>> filter )
>>
>> Also the Postfix book by Patrick Koetter and Ralf Hildebrandt.
>>
>> --
>> Viktor.
>>
>>


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-12 Thread Viktor Dukhovni



> On Dec 12, 2018, at 2:48 PM, Daniel Miller  wrote:
> 
> Not wanting to get in the way of the experts but this may help:

Indeed a nice succinct and accessible answer for non-experts.  Please
don't hesitate to post similarly helpful replies.

> An oversimplified view of the transport map is it tells Postfix what line in 
> master.cf to use for a given recipient domain (or full address).  There's 
> only one transport map but it can have several lines for individual decisions.
> 
> Wietse's email told you to perform a command-line test to verify your 
> transport map is setup correctly.  So do that first.
> 
> The definitions in master.cf tell Postfix where to listen and where to send 
> the message.  So with an explicit transport mapping, using master.cf you 
> provide explicit overrides to the defaults or global settings from main.cf.  
> So if the only "special" behavior you need for the exchange transport is no 
> sasl: 
> 
> exchange  unix -   -   n   -   -   smtp
>  -o smtp_sender_dependent_authentication=no

-- 
Viktor.



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-12 Thread Daniel Miller

Not wanting to get in the way of the experts but this may help:

An oversimplified view of the transport map is it tells Postfix what 
line in master.cf to use for a given recipient domain (or full 
address).  There's only one transport map but it can have several lines 
for individual decisions.


Wietse's email told you to perform a command-line test to verify your 
transport map is setup correctly.  So do that first.


The definitions in master.cf tell Postfix where to listen and where to 
send the message.  So with an explicit transport mapping, using 
master.cf you provide explicit overrides to the defaults or global 
settings from main.cf.  So if the only "special" behavior you need for 
the exchange transport is no sasl:


exchange  unix -       -       n       -       -       smtp
 -o smtp_sender_dependent_authentication=no

Daniel

On 12/11/2018 1:40 PM, Stefan Bauer wrote:

thank you for your help!

If i understood you correctly, i set in transport:

domain1.de                exchange:

In master.cf 

exchange  unix -       -       n       -       -  smtp
 -o smtp_sender_dependent_authentication=no
 -o transport_maps=hash:/etc/postfix/transport_internal

And in transport_internal

domain1.de            smtp:192.168.124.5:2525 



but this way, postfix is doing a MX-lookup for domain1.de
and not honoring transport_internal as it seems.


Is this basically the right path?


On Tue, 11 Dec 2018 at 21:48, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:


> On Dec 11, 2018, at 3:41 PM, Stefan Bauer <cubew...@googlemail.com> wrote:
>
> Can you recommend appropriate manual(s)? I dont understand what
> you mean with separate transport.

http://www.postfix.org/master.5.html
http://www.postfix.org/transport.5.html
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/FILTER_README.html#advanced_filter
  ( Advanced content filter: sending unfiltered mail to the
content filter )

Also the Postfix book by Patrick Koetter and Ralf Hildebrandt.

-- 
        Viktor.




Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-12 Thread Viktor Dukhovni
> On Dec 12, 2018, at 1:36 AM, Stefan Bauer  wrote:
> 
> i already have a transport_maps in main.cf in place:
> transport_maps=hash:/etc/postfix/transport
> 
> domain1.de    exchange:
> 
> How can i set another  transport_maps setting in main.cf as you recommend?

I never recommended "another transport_maps" definition, I recommended
a table *entry* that sends mail to the non-SASL relay via  a different
transport than mail to the relays that require SASL.  If you already
have that, then all you need to do is disable per-send SASL auth for
that transport.

-- 
Viktor.



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Stefan Bauer
i already have a transport_maps in main.cf in place:
transport_maps=hash:/etc/postfix/transport

domain1.de    exchange:

How can i set another  transport_maps setting in main.cf as you recommend?

On Wed, 12 Dec 2018 at 00:29, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Dec 11, 2018, at 4:40 PM, Stefan Bauer 
> wrote:
> >
> > exchange  unix -   -   n   -   -   smtp
> >  -o smtp_sender_dependent_authentication=no
> >  -o transport_maps=hash:/etc/postfix/transport_internal
>
> No the "transport_maps" setting goes in main.cf.  Transport
> lookups are global.
>
> See: http://www.postfix.org/OVERVIEW.html
>
> --
> Viktor.
>
>


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Viktor Dukhovni
> On Dec 11, 2018, at 4:40 PM, Stefan Bauer  wrote:
> 
> exchange  unix -   -   n   -   -   smtp
>  -o smtp_sender_dependent_authentication=no
>  -o transport_maps=hash:/etc/postfix/transport_internal

No the "transport_maps" setting goes in main.cf.  Transport
lookups are global.

See: http://www.postfix.org/OVERVIEW.html

-- 
Viktor.



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Wietse Venema
Stefan Bauer:
> thank you for your help!
> 
> If i understood you correctly, i set in transport:
> 
> domain1.de    exchange:
> 
> In master.cf
> 
> exchange  unix -   -   n   -   -   smtp
>  -o smtp_sender_dependent_authentication=no
>  -o transport_maps=hash:/etc/postfix/transport_internal
> 
> And in transport_internal
> 
> domain1.de    smtp:192.168.124.5:2525
> 
> but this way, postfix is doing a MX-lookup for domain1.de and not honoring
> transport_internal as it seems.

Transport map lookups happen before choosing the SMTP client,
therefore you made a mistake updating the transport map.

Try:
postmap -q domain1.de hash:/path/to/transport

Wietse
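
Added example (not part of any post in this thread): a small Python model of the lookup order described in Daniel Miller's, Viktor Dukhovni's and Wietse Venema's replies above, where the global transport table selects the master.cf service first and only then do that service's `-o` overrides apply. The sample files are constructed from the thread's values; the function names and the simplified parsing (exact-domain keys, `-o name=value` form only, no default_transport or relayhost) are assumptions of this sketch.

```python
# Constructed sample files modelled on the thread; not the poster's real config.
TRANSPORT = "domain1.de    exchange:192.168.124.5:2525\n"
MASTER_CF = """\
smtp      unix  -       -       n       -       -       smtp
exchange  unix  -       -       n       -       -       smtp
  -o smtp_sender_dependent_authentication=no
  -o transport_maps=hash:/etc/postfix/transport_internal
"""

def parse_transport(text):
    """Map lookup key -> (transport, nexthop) from transport(5)-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            transport, _, nexthop = parts[1].strip().partition(":")
            table[parts[0]] = (transport, nexthop)
    return table

def parse_master(text):
    """Map master.cf service name -> {parameter: value} from its -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        words = line.split()
        if not line[0].isspace():        # a new service entry starts in column 1
            current, words = words[0], words[8:]
            services[current] = {}
        for flag, arg in zip(words, words[1:]):
            if flag == "-o" and current is not None:
                name, _, value = arg.partition("=")
                services[current][name] = value
    return services

def route(domain, transport_text=TRANSPORT, master_text=MASTER_CF):
    """Return (transport, nexthop, overrides, warnings) for a recipient domain."""
    # Step 1: global table lookup (simplified: no default_transport/relayhost).
    transport, nexthop = parse_transport(transport_text).get(domain, ("smtp", ""))
    # Step 2: only now are the chosen service's -o overrides relevant.
    overrides = parse_master(master_text).get(transport, {})
    warnings = []
    if "transport_maps" in overrides:
        warnings.append("transport_maps set with -o in master.cf does not affect routing")
    if not nexthop:
        warnings.append("empty nexthop: delivery goes to the recipient domain")
    return transport, nexthop or domain, overrides, warnings
```

On a live system, step 1 is what `postmap -q domain1.de hash:/path/to/transport` checks.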



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Stefan Bauer
thank you for your help!

If i understood you correctly, i set in transport:

domain1.de    exchange:

In master.cf

exchange  unix -   -   n   -   -   smtp
 -o smtp_sender_dependent_authentication=no
 -o transport_maps=hash:/etc/postfix/transport_internal

And in transport_internal

domain1.de    smtp:192.168.124.5:2525

but this way, postfix is doing a MX-lookup for domain1.de and not honoring
transport_internal as it seems.

Is this basically the right path?


On Tue, 11 Dec 2018 at 21:48, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Dec 11, 2018, at 3:41 PM, Stefan Bauer 
> wrote:
> >
> > Can you recommend appropriate manual(s)? I dont understand what you mean
> with separate transport.
>
> http://www.postfix.org/master.5.html
> http://www.postfix.org/transport.5.html
> http://www.postfix.org/ADDRESS_REWRITING_README.html
> http://www.postfix.org/FILTER_README.html#advanced_filter
>   ( Advanced content filter: sending unfiltered mail to the content filter
> )
>
> Also the Postfix book by Patrick Koetter and Ralf Hildebrandt.
>
> --
> Viktor.
>
>


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Viktor Dukhovni
> On Dec 11, 2018, at 3:41 PM, Stefan Bauer  wrote:
> 
> Can you recommend appropriate manual(s)? I dont understand what you mean with 
> separate transport.

http://www.postfix.org/master.5.html
http://www.postfix.org/transport.5.html
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/FILTER_README.html#advanced_filter
  ( Advanced content filter: sending unfiltered mail to the content filter )

Also the Postfix book by Patrick Koetter and Ralf Hildebrandt.

-- 
Viktor.



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Stefan Bauer
Can you recommend appropriate manual(s)? I dont understand what you mean
with separate transport.




On Tue, 11 Dec 2018 at 21:20, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> To use host-specific rather than sender-dependent authentication,
> you'll need a separate transport for the relay(s) in question,
> with "smtp_sender_dependent_authentication = no" for that
> transport.
>
> > On Dec 11, 2018, at 2:37 PM, Stefan Bauer 
> wrote:
> >
> > I dont see  a way to have AUTH&TLS to all of our relayhosts but not for
> this internal hosts.
> >
> > sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
> > smtp_sender_dependent_authentication = yes
> > smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
> > smtp_sasl_auth_enable = yes
> > smtp_tls_security_level = may
> > smtp_sasl_security_options = noanonymous
> >
> > root@postgate01:/etc/postfix# more relayhost_maps
> > @domain1.de   [securerelay.tld]:25
> > @domain2.de   [securerelay.tld]:25
> >
>
> --
> Viktor.
>
>


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Viktor Dukhovni
To use host-specific rather than sender-dependent authentication,
you'll need a separate transport for the relay(s) in question,
with "smtp_sender_dependent_authentication = no" for that
transport.

> On Dec 11, 2018, at 2:37 PM, Stefan Bauer  wrote:
> 
> I dont see  a way to have AUTH&TLS to all of our relayhosts but not for this 
> internal hosts.
> 
> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
> smtp_sender_dependent_authentication = yes
> smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
> smtp_sasl_auth_enable = yes
> smtp_tls_security_level = may
> smtp_sasl_security_options = noanonymous
> 
> root@postgate01:/etc/postfix# more relayhost_maps
> @domain1.de   [securerelay.tld]:25
> @domain2.de   [securerelay.tld]:25
> 

-- 
Viktor.



Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Stefan Bauer
I dont see  a way to have AUTH&TLS to all of our relayhosts but not for
this internal hosts.

sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous

root@postgate01:/etc/postfix# more relayhost_maps
@domain1.de [securerelay.tld]:25
@domain2.de [securerelay.tld]:25


root@postgate01:/etc/postfix# more transport
domain1.de smtp:192.168.124.5:2525
domain2.de smtp:192.168.124.5:2525

So howto not use AUTH&TLS at all to 192.168.124.5:2525 ?


On Tue, 11 Dec 2018 at 20:32, Wietse Venema <wie...@porcupine.org> wrote:

> Stefan Bauer:
> > Hi,
> >
> > we receive mails from $world and forward them to internal exchange
> server.
> >
> > Exchange is offering STARTTLS and AUTH
> >
> > root@gate01:~# telnet 192.168.124.5 2525
> > Trying 192.168.124.5...
> > Connected to 192.168.124.5.
> > Escape character is '^]'.
> > Dec 11 19:27:18 postgate01 postfix/postscreen[583]: DISCONNECT
> > [client]:57636
> > Dec 11 19:27:18 postgate01 postfix/smtp[574]: 5586D101077: to=<
> > odf...@customer.de>, relay=192.168.124.5[192.168.124.5]:2525, delay=11,
> > delays=1/0.02/10/0, dsn=4.7.3, status=undeliverable (SASL authentication
> > failed; server 192.168.124.5[192.168.124.5] said: 535 5.7.3
> Authentication
> > unsuccessful)
> >
> > how can we ignore AUTH and STARTTLS and just go on?
>
> If you don't want Postfix to send AUTH to this server,
> then do not configure Postfix to send AUTH to this server.
>
> Wietse
>


Re: ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Wietse Venema
Stefan Bauer:
> Hi,
> 
> we receive mails from $world and forward them to internal exchange server.
> 
> Exchange is offering STARTTLS and AUTH
> 
> root@gate01:~# telnet 192.168.124.5 2525
> Trying 192.168.124.5...
> Connected to 192.168.124.5.
> Escape character is '^]'.
> Dec 11 19:27:18 postgate01 postfix/postscreen[583]: DISCONNECT
> [client]:57636
> Dec 11 19:27:18 postgate01 postfix/smtp[574]: 5586D101077: to=<
> odf...@customer.de>, relay=192.168.124.5[192.168.124.5]:2525, delay=11,
> delays=1/0.02/10/0, dsn=4.7.3, status=undeliverable (SASL authentication
> failed; server 192.168.124.5[192.168.124.5] said: 535 5.7.3 Authentication
> unsuccessful)
> 
> how can we ignore AUTH and STARTTLS and just go on?

If you don't want Postfix to send AUTH to this server,
then do not configure Postfix to send AUTH to this server.

Wietse


ignore SASL/Auth to specific server (internal exchange relay)

2018-12-11 Thread Stefan Bauer
Hi,

we receive mails from $world and forward them to internal exchange server.

Exchange is offering STARTTLS and AUTH

root@gate01:~# telnet 192.168.124.5 2525
Trying 192.168.124.5...
Connected to 192.168.124.5.
Escape character is '^]'.
220 ex01 Microsoft ESMTP MAIL Service ready at Tue, 11 Dec 2018 19:07:13
+0100
ehlo cubewerk.de
250-gate01 Hello [192.168.124.251]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOWREQUEST

Postfix gets ... during address verification.

Dec 11 19:27:18 postgate01 postfix/postscreen[583]: DISCONNECT
[client]:57636
Dec 11 19:27:18 postgate01 postfix/smtp[574]: 5586D101077: to=<
odf...@customer.de>, relay=192.168.124.5[192.168.124.5]:2525, delay=11,
delays=1/0.02/10/0, dsn=4.7.3, status=undeliverable (SASL authentication
failed; server 192.168.124.5[192.168.124.5] said: 535 5.7.3 Authentication
unsuccessful)

how can we ignore AUTH and STARTTLS and just go on?

telnet shows the dialog i expect:

outgoing mails get relayed through smarthost, so this is where all the
client tls settings interfere i guess :/