Discussion:
postfix relay smtp authentication
Martin Fuzzey
2006-12-05 23:13:26 UTC
Hi,

I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.

However my ISP has just decided to require SMTP authentication.

I have set up SASL following the postfix documentation and the
authentication phase succeeds, *however* postfix does not include the
authenticated sender address in the AUTH section of the MAIL FROM
message and my ISP is still refusing the message :((

Looking at the source in src/smtp/smtp_proto.c:
    /*
     * We authenticate the local MTA only, but not the sender.
     */
#ifdef USE_SASL_AUTH
    if (var_smtp_sasl_enable
        && (state->features & SMTP_FEATURE_AUTH)
        && state->sasl_passwd)
        vstring_strcat(next_command, " AUTH=<>");
#endif


I have "fixed" this with the following patch to the postfix code:

--- postfix-2.1.5/src/smtp/smtp_proto.c 2006-12-04 22:08:23.000000000 +0100
+++ postfix-2.1.5/src/smtp/smtp_proto.c.new 2006-12-04
22:33:35.943911483 +0100
@@ -755,8 +755,11 @@
#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable
&& (state->features & SMTP_FEATURE_AUTH)
- && state->sasl_passwd)
- vstring_strcat(next_command, " AUTH=<>");
+ && state->sasl_passwd) {
+ // Patch MF 4/12/2006 Authenticate sender (for
Tele2...)
+ QUOTE_ADDRESS(state->scratch, request->sender);
+ vstring_sprintf_append(next_command, "
AUTH=<%s>", vstring_str(state->scratch));
+ }
#endif
next_state = SMTP_STATE_RCPT;
break;
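
Review bot: the added `AUTH=<%s>` is filled from request->sender for every message once state->sasl_passwd is set, but the SASL login only authenticated this relay, so the relay now vouches upstream for whatever envelope sender a local client supplied, which is what the comment quoted earlier from smtp_proto.c ("We authenticate the local MTA only, but not the sender") rules out. Consider emitting the address only for senders found in a local table of accounts this host is allowed to assert, and sending no AUTH parameter otherwise. The `//` comment should also become a /* */ comment to match the surrounding C.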


This works BUT only for a single user since the postfix version in sarge
(2.1.5) doesn't implement the smtp_sender_dependent_authentication
option and my ISP actually wants the correct password for each email
address (not just a single one for all addresses associated with the
account).

I've tried similarly patching the etch version of postfix - I can build
the package but it won't install due to an unsatisfied dependency on
lsb_base (> 3.0.6)

So does anyone have any better ideas of how to make this work?

Regards,

Martin
Andrew Sackville-West
2006-12-05 23:56:06 UTC
Post by Martin Fuzzey
This works BUT only for a single user since the postfix version in sarge
(2.1.5) doesn't implement the smtp_sender_dependent_authentication
option and my ISP actually wants the correct password for each email
address (not just a single one for all addresses associated with the
account).
I've not used postfix, but maybe this can help. I use exim4 with a
smarthost and only use one of several accounts to send the mail. The
headers in the outgoing mail have various return/from addresses, but
we only login to the smtp host using one of those accounts. so whether
mail actually comes from bob or joe or mary, the mailserver here logs
into the smtp server as joe and then sends the message. ymmv.

A
Roberto C. Sanchez
2006-12-06 00:55:39 UTC
Post by Martin Fuzzey
Hi,
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
Here is what I have done when I had an ISP that required SMTP AUTH:

# cat /etc/postfix/sasl_passwd
upstream.mail.exchange ***@isp.tld:password

# grep -r sasl_passwd /etc/postfix/
/etc/postfix/main.cf:smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Then, make sure to run:

# postmap hash:/etc/postfix/sasl_passwd

This should leave you with a file called /etc/postfix/sasl_passwd.db
which postfix will actually use as the source of the authentication
information.

Also, make sure that the sasl_passwd and sasl_passwd.db have mode 600
and that you have libsasl2-modules installed.

Regards,

-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
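
Added example, not part of the thread: a check for the file modes recommended in the post above. It reads the hash: path from smtp_sasl_password_maps in main.cf and verifies that both the source file and the postmap-generated .db are mode 600. The function names are hypothetical and GNU stat (as shipped on Debian) is assumed.

```sh
#!/bin/sh
# Added example: audit the credential files behind smtp_sasl_password_maps.
# Assumes GNU stat and a hash: map; the helper names are hypothetical.

# Print the path configured in smtp_sasl_password_maps, without the
# "hash:" table-type prefix. Prints nothing if the parameter is unset.
sasl_map_path() {
    sed -n 's/^smtp_sasl_password_maps[[:space:]]*=[[:space:]]*hash:\([^[:space:],]*\).*/\1/p' \
        "$1/main.cf" | tail -n 1
}

# Check the source file and its .db. Prints one line per problem and
# returns the number of problems found (0 means both files are mode 600).
audit_sasl_files() {
    confdir=$1
    problems=0
    map=$(sasl_map_path "$confdir")
    if [ -z "$map" ]; then
        echo "smtp_sasl_password_maps not set in $confdir/main.cf"
        return 1
    fi
    for f in "$map" "$map.db"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f (run postmap after editing the source file)"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "MODE $mode on $f, expected 600 (file holds cleartext passwords)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run it as `audit_sasl_files /etc/postfix`; a non-zero exit status is the count of files that are missing or readable beyond their owner.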
Ron Johnson
2006-12-06 03:27:45 UTC
Post by Roberto C. Sanchez
Post by Martin Fuzzey
Hi,
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
# cat /etc/postfix/sasl_passwd
Can you have multiple entries, one per user?
Post by Roberto C. Sanchez
# grep -r sasl_passwd /etc/postfix/
/etc/postfix/main.cf:smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# postmap hash:/etc/postfix/sasl_passwd
This should leave you with a file called /etc/postfix/sasl_passwd.db
which postfix will actually use as the source of the authentication
information.
Also, make sure that the sasl_passwd and sasl_passwd.db have mode 600
So the password would be in cleartext?
Post by Roberto C. Sanchez
and that you have libsasl2-modules installed.
- --
Ron Johnson, Jr.
Jefferson LA USA

Is "common sense" really valid?
For example, it is "common sense" to white-power racists that
whites are superior to blacks, and that those with brown skins
are mud people.
However, that "common sense" is obviously wrong.
Roberto C. Sanchez
2006-12-06 03:41:28 UTC
Post by Ron Johnson
Post by Roberto C. Sanchez
# cat /etc/postfix/sasl_passwd
Can you have multiple entries, one per user?
I don't think so. You can check the docs to be sure, though.
Post by Ron Johnson
Post by Roberto C. Sanchez
# grep -r sasl_passwd /etc/postfix/
/etc/postfix/main.cf:smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# postmap hash:/etc/postfix/sasl_passwd
This should leave you with a file called /etc/postfix/sasl_passwd.db
which postfix will actually use as the source of the authentication
information.
Also, make sure that the sasl_passwd and sasl_passwd.db have mode 600
So the password would be in cleartext?
Yes. I'm not aware of another way to do this, which is why I don't like it.
Post by Ron Johnson
Post by Roberto C. Sanchez
and that you have libsasl2-modules installed.
Regards,

-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
T
2006-12-06 04:58:26 UTC
Post by Ron Johnson
Post by Roberto C. Sanchez
# cat /etc/postfix/sasl_passwd
Can you have multiple entries, one per user?
From
http://www.k2.on.lk/fourm/viewtopic.php?t=30

"u can list many servers as you like with defrant passwords and usernames
if you have tranport maps for domains"

But I don't understand what exactly it means. :-(
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/
--
To UNSUBSCRIBE, email to debian-user-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Roberto C. Sanchez
2006-12-06 05:14:54 UTC
Post by T
Post by Ron Johnson
Post by Roberto C. Sanchez
# cat /etc/postfix/sasl_passwd
Can you have multiple entries, one per user?
From
http://www.k2.on.lk/fourm/viewtopic.php?t=30
"u can list many servers as you like with defrant passwords and usernames
if you have tranport maps for domains"
But I don't understand what exactly it means. :-(
A transport map looks something like this:

server.tld smtp:[upstream.mail.exchange]
.server.other.tld smtp:[other.mail.exchange]

What you are referring to is the ability to have something like this in
the sasl_passwd file:

upstream.mail.exchange ***@some.isp.tld:password
other.mail.exchange ***@other.isp.tld:password

Where a different username/password is used for different mail servers.

Regards,

-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
T
2006-12-06 04:51:45 UTC
Post by Martin Fuzzey
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
[...]
Also, make sure that you have libsasl2-modules installed.
That's the only extra package required for the OP's change?

Do you have the following packages in the system as well?

postfix-tls libsasl-modules-plain sasl-bin

thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/
T
2006-12-06 04:55:25 UTC
Post by Roberto C. Sanchez
Post by Martin Fuzzey
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
# cat /etc/postfix/sasl_passwd
# grep -r sasl_passwd /etc/postfix/
/etc/postfix/main.cf:smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# postmap hash:/etc/postfix/sasl_passwd
What's the output of the following command in your system?

grep smtp_sasl /etc/postfix/main.cf
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/
Roberto C. Sanchez
2006-12-06 05:12:30 UTC
Post by T
What's the output of the following command in your system?
grep smtp_sasl /etc/postfix/main.cf
$ grep smtp_sasl /etc/postfix/main.cf
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =


Regards,

-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Martin Fuzzey
2006-12-07 22:11:37 UTC
Thank you for the reply.
I have indeed set up SASL authentication as you describe and the actual
authentication (which occurs at each connection to the remote SMTP
server) works fine.

The problems are :
1) My ISP doesn't like *empty* AUTH=<> in the "MAIL FROM:" field of
the envelope. They *do* accept any non-empty address as well as no AUTH
option.

As this is hardcoded into postfix I can see no solution to this other
than a patch.

2) The MAIL FROM: address in the *envelope* has to be associated with
the same account as the username,password pair given to SASL. The from
address in the *header* can be something else.

This could be fixed by address rewriting but I can't see how (in postfix
2.1) to rewrite the envelope sender address without modifying the header
sender (as I would like the recipient to see the real sender). It seems
postfix 2.3 can do this but it also supports per sender SASL
authentication which is probably simpler.
Snip
Post by Roberto C. Sanchez
# cat /etc/postfix/sasl_passwd
-Roberto
Regards,

Martin
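
Added example, not part of the thread: a small model of the lookup order Postfix documents for smtp_sasl_password_maps when smtp_sender_dependent_authentication is enabled (envelope sender first, then the next hop), which is the per-sender behaviour mentioned in the post above. This is not Postfix code; the function names, addresses and passwords are constructed for illustration.

```sh
#!/bin/sh
# Added example: model of the documented lookup order, not Postfix source.

# Constructed sample map: two per-sender entries plus the relay default.
write_sample_map() {
    cat > "$1" <<'EOF'
# per-sender logins (constructed)
alice@example.org        alice@isp.tld:alice-secret
bob@example.org          bob@isp.tld:bob-secret
# fallback keyed by the relayhost
upstream.mail.exchange   shared@isp.tld:shared-secret
EOF
}

# lookup KEY FILE: value of the first "key value" line whose key matches.
lookup() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# sasl_login_for FILE SENDER NEXTHOP PER_SENDER
# Prints only the login name that would be used, never the password.
sasl_login_for() {
    file=$1; sender=$2; nexthop=$3; per_sender=$4
    cred=
    if [ "$per_sender" = "yes" ]; then
        cred=$(lookup "$sender" "$file")      # envelope sender first
    fi
    if [ -z "$cred" ]; then
        cred=$(lookup "$nexthop" "$file")     # then the next hop
    fi
    printf '%s\n' "${cred%%:*}"
}
```

With per-sender lookup off, every sender falls through to the single relay entry, which is the one-login-for-all behaviour described for 2.1.5 in this thread.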
Kevin Mark
2006-12-07 00:32:06 UTC
Post by Martin Fuzzey
Hi,
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
<snip>
Post by Martin Fuzzey
So does anyone have any better ideas of how to make this work?
Regards,
Hi Martin,
I have a few suggestions:
-check other lists at lists.debian.org that deal with exim or debian-isp?
-make a wish list bug report
-ask the Debian postfix maintainer whether it's possible with the
current version to do what you want or if he/she'd consider adding it, as
you may not be the only person who needs/will need this feature?
Debian seeks to make packages suited to its users' needs; if enough
people need this, it may be an included option.

cheers,
Kev
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal | debian.home.pipeline.com |
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keysever: pgp.mit.edu | my NPO: cfsg.org |
Lionel Crine
2006-12-07 12:15:20 UTC
Hi,

To use your ISP as a relay using authentication, you should use SASL.

You can find more information here:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html


Lionel
Chris Bannister
2006-12-11 08:49:51 UTC
Post by Martin Fuzzey
Hi,
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
I have set up SASL following the postfix documentation and the
authentication phase succeeds, *however* postfix does not include the
authenticated sender address in the AUTH section of the MAIL FROM
message and my ISP is still refusing the message :((
/*
* We authenticate the local MTA only, but not the sender.
*/
#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable
&& (state->features & SMTP_FEATURE_AUTH)
&& state->sasl_passwd)
vstring_strcat(next_command, " AUTH=<>");
#endif
--- postfix-2.1.5/src/smtp/smtp_proto.c 2006-12-04 22:08:23.000000000 +0100
+++ postfix-2.1.5/src/smtp/smtp_proto.c.new 2006-12-04
22:33:35.943911483 +0100
@@ -755,8 +755,11 @@
#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable
&& (state->features & SMTP_FEATURE_AUTH)
- && state->sasl_passwd)
- vstring_strcat(next_command, " AUTH=<>");
+ && state->sasl_passwd) {
+ // Patch MF 4/12/2006 Authenticate sender (for
Tele2...)
+ QUOTE_ADDRESS(state->scratch, request->sender);
+ vstring_sprintf_append(next_command, "
AUTH=<%s>", vstring_str(state->scratch));
+ }
#endif
next_state = SMTP_STATE_RCPT;
break;
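Review bot: the added branch has no check for an empty request->sender, so for messages with a null envelope sender (bounces) the `AUTH=<%s>` format would emit `AUTH=<>` again, the form this change is meant to avoid; test for an empty sender and omit the AUTH parameter in that case. The AUTH= value in MAIL FROM is also defined as xtext-encoded (RFC 4954), so confirm that what QUOTE_ADDRESS leaves in state->scratch is valid there for addresses containing characters such as `+` or `=`.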
This works BUT only for a single user since the postfix version in sarge
(2.1.5) doesn't implement the smtp_sender_dependent_authentication
option and my ISP actually wants the correct password for each email
address (not just a single one for all addresses associated with the
account).
I've tried similarly patching the etch version of postfix - I can build
the package but it won't install due to an unsatisfied dependency on
lsb_base (> 3.0.6)
I would post your question on the postfix-users list:
List-Post: <mailto:postfix-***@postfix.org>
Especially if you are talking code patches.
--
Chris.
======
" ... the official version cannot be abandoned because the implication of
rejecting it is far too disturbing: that we are subject to a government
conspiracy of `X-Files' proportions and insidiousness."
Letter to the LA Times Magazine, September 18, 2005.
Håkon Alstadheim
2006-12-11 10:28:36 UTC
Post by Martin Fuzzey
Hi,
I have been successfully running postfix on Sarge as a local mailserver
relaying all outbound mail (from multiple internal accounts) to my ISP.
However my ISP has just decided to require SMTP authentication.
I have set up SASL following the postfix documentation and the
authentication phase succeeds, *however* postfix does not include the
authenticated sender address in the AUTH section of the MAIL FROM
message and my ISP is still refusing the message :((
...patch snipped ...
Post by Martin Fuzzey
This works BUT only for a single user since the postfix version in
sarge (2.1.5) doesn't implement the
smtp_sender_dependent_authentication option and my ISP actually wants
the correct password for each email address (not just a single one for
all addresses associated with the account).
Are you sure about that? I tested a couple of weeks ago, and mail from
me went through without trouble. If you are right, handling bounces for
your users (and mine) might become tedious. Do you have a solution?

Anyway, to get around the whole thing you can set smarthost like so, to
use the gateway for commercial customers:

relayhost = [smtp.tele2bedrift.no]

Caveat: I talked to their support-staff before setting this up, so they
may have added my IP to some "allowed senders" list. I don't think so
though.

The gateway for commercial customers does not require authentication
when you are coming from inside their network. They run spamassassin on
everything going through there, so they have managed to keep that server
off most rbls.
--
Håkon Alstadheim priv: +47 74 82 60 27
7510 Skatval mob: +47 47 35 39 38
http://alstadheim.priv.no/hakon/ job: +47 93 41 70 55
Pigeon
2006-12-12 20:00:53 UTC
Post by Martin Fuzzey
I've tried similarly patching the etch version of postfix - I can build
the package but it won't install due to an unsatisfied dependency on
lsb_base (> 3.0.6)
Get the backport of lsb_base off backports.org.
--
Pigeon

Be kind to pigeons - - Pigeon's Nest: http://pigeonsnest.co.uk/
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F