Niklaas Baudet von Gersdorff
2016-08-03 21:59:17 UTC
Hello,
I am trying to configure "Envelope sender address authorization" as
described at
http://www.postfix.org/SASL_README.html#server_sasl_authz
but Postfix keeps complaining that the sender address is not
owned by the SASL account I log in with. The account is
***@niklaas.eu while the sender address is ***@niklaas.eu.
(Configuration and logs follow below.)
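The funny thing is that `postmap -q ***@niklaas.eu <ldap-config>`
gives "***@niklaas.eu" as expected; however, as seen in
/var/log/maillog below (line 7), Postfix gives "maps_find:
smtpd_sender_login_maps: ***@nikaas.eu: not found".
[Editor's note: the lookup key in that log line is spelled "nikaas.eu",
whereas the postmap query above uses "niklaas.eu".]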
-- $ postconf -nf
alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = static:all
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = ipv4,ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
mua_recipient_restrictions = reject_sender_login_mismatch
permit_sasl_authenticated
mua_sender_login_maps = ldap:$config_directory/ldap/smtpd_sender_login_maps.cf
mydestination = localhost.$mydomain localhost
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
postscreen_upstream_proxy_protocol = haproxy
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/certs/mail.niklaas.eu.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_upstream_proxy_protocol = haproxy
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = ldap:$config_directory/ldap/virtual_alias_domains.cf
virtual_alias_maps = ldap:$config_directory/ldap/virtual_alias_maps.cf
virtual_mailbox_domains = niklaas.eu
virtual_mailbox_maps = ldap:$config_directory/ldap/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
--
-- $ postconf -Mf
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
9025 inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
-o smtpd_sender_login_maps=$mua_sender_login_maps
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
--
-- /var/log/maillog
1 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
2 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: No existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf, reopening
3 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Connecting to server ldap://proxy.box-local.klaas:389
4 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Actual Protocol version used is 2.
5 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Cached connection handle for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
6 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=***@nikaas.eu))
7 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: ***@nikaas.eu: not found
8 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost.box-hlm-02.niklaas.eu
9 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost
10 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: nikaas.eu: no match
11 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
12 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: Using existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
13 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=@nikaas.eu))
14 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: @nikaas.eu: not found
15 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: mail_addr_find: ***@nikaas.eu -> (not found)
16 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: NOQUEUE: reject: RCPT from aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu; from=<***@nikaas.eu> to=<***@niklaas.eu> proto=ESMTP helo=<[192.168.178.45]>
17 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_authenticated_sender_login_mismatch status=2
18 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
19 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_sender_login_mismatch status=2
20 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
21 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu
22 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
23 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: RSET
24 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 250 2.0.0 Ok
25 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
26 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: QUIT
27 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 221 2.0.0 Bye
28 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? 10.2.8.1/32
29 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? 10.2.8.1/32
30 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? [fd16:dcc0:f4cc:2::8:1]/128
31 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? [fd16:dcc0:f4cc:2::8:1]/128
32 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: aftr-109-91-37-7.unity-media.net: no match
33 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: 109.91.37.7: no match
34 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr request = disconnect
35 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr ident = submission:109.91.37.7
36 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: status
37 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: status
38 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute value: 0
39 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: (list terminator)
40 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: (end)
41 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: disconnect from aftr-109-91-37-7.unity-media.net[109.91.37.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8
--
Any help is very much appreciated.
Niklaas
I am trying to configure "Envelope sender address authorization" as
described at
http://www.postfix.org/SASL_README.html#server_sasl_authz
but Postfix keeps complaining that the sender address is not
owned by the SASL account I log in with. The account is
***@niklaas.eu while the sender address is ***@niklaas.eu.
(Configuration and logs follow below.)
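The funny thing is that `postmap -q ***@niklaas.eu <ldap-config>`
gives "***@niklaas.eu" as expected; however, as seen in
/var/log/maillog below (line 7), Postfix gives "maps_find:
smtpd_sender_login_maps: ***@nikaas.eu: not found".
[Editor's note: the lookup key in that log line is spelled "nikaas.eu",
whereas the postmap query above uses "niklaas.eu".]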
-- $ postconf -nf
alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = static:all
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = ipv4,ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
mua_recipient_restrictions = reject_sender_login_mismatch
permit_sasl_authenticated
mua_sender_login_maps = ldap:$config_directory/ldap/smtpd_sender_login_maps.cf
mydestination = localhost.$mydomain localhost
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
postscreen_upstream_proxy_protocol = haproxy
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/certs/mail.niklaas.eu.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_upstream_proxy_protocol = haproxy
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = ldap:$config_directory/ldap/virtual_alias_domains.cf
virtual_alias_maps = ldap:$config_directory/ldap/virtual_alias_maps.cf
virtual_mailbox_domains = niklaas.eu
virtual_mailbox_maps = ldap:$config_directory/ldap/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
--
-- $ postconf -Mf
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
9025 inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
-o smtpd_sender_login_maps=$mua_sender_login_maps
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
--
-- /var/log/maillog
1 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
2 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: No existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf, reopening
3 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Connecting to server ldap://proxy.box-local.klaas:389
4 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Actual Protocol version used is 2.
5 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Cached connection handle for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
6 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=***@nikaas.eu))
7 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: ***@nikaas.eu: not found
8 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost.box-hlm-02.niklaas.eu
9 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost
10 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: nikaas.eu: no match
11 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
12 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: Using existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
13 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=@nikaas.eu))
14 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: @nikaas.eu: not found
15 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: mail_addr_find: ***@nikaas.eu -> (not found)
16 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: NOQUEUE: reject: RCPT from aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu; from=<***@nikaas.eu> to=<***@niklaas.eu> proto=ESMTP helo=<[192.168.178.45]>
17 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_authenticated_sender_login_mismatch status=2
18 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
19 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_sender_login_mismatch status=2
20 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
21 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu
22 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
23 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: RSET
24 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 250 2.0.0 Ok
25 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
26 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: QUIT
27 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 221 2.0.0 Bye
28 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? 10.2.8.1/32
29 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? 10.2.8.1/32
30 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? [fd16:dcc0:f4cc:2::8:1]/128
31 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? [fd16:dcc0:f4cc:2::8:1]/128
32 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: aftr-109-91-37-7.unity-media.net: no match
33 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: 109.91.37.7: no match
34 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr request = disconnect
35 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr ident = submission:109.91.37.7
36 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: status
37 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: status
38 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute value: 0
39 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: (list terminator)
40 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: (end)
41 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: disconnect from aftr-109-91-37-7.unity-media.net[109.91.37.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8
--
Any help is very much appreciated.
Niklaas