Envelope sender address authorization not working
Niklaas Baudet von Gersdorff
2016-08-03 21:59:17 UTC
Hello,

I try to configure "Envelope sender address authorization" as
described at

http://www.postfix.org/SASL_README.html#server_sasl_authz

but Postfix keeps complaining that the sender address is not
owned by the SASL account I login with. The account is
***@niklaas.eu while the sender address is ***@niklaas.eu.
(Configuration and logs follow below.)

Funny thing is that `postmap -q ***@niklaas.eu <ldap-config>`
gives "***@niklaas.eu" as expected, however, as seen in
/var/log/maillog below (line 7), postfix gives "maps_find:
smtpd_sender_login_maps: ***@nikaas.eu: not found".

-- $ postconf -nf
alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = static:all
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = ipv4,ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
mua_recipient_restrictions = reject_sender_login_mismatch
permit_sasl_authenticated
mua_sender_login_maps = ldap:$config_directory/ldap/smtpd_sender_login_maps.cf
mydestination = localhost.$mydomain localhost
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
postscreen_upstream_proxy_protocol = haproxy
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/certs/mail.niklaas.eu.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_upstream_proxy_protocol = haproxy
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = ldap:$config_directory/ldap/virtual_alias_domains.cf
virtual_alias_maps = ldap:$config_directory/ldap/virtual_alias_maps.cf
virtual_mailbox_domains = niklaas.eu
virtual_mailbox_maps = ldap:$config_directory/ldap/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
--

-- $ postconf -Mf
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
9025 inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
-o smtpd_sender_login_maps=$mua_sender_login_maps
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
--

-- /var/log/maillog
1 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
2 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: No existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf, reopening
3 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Connecting to server ldap://proxy.box-local.klaas:389
4 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Actual Protocol version used is 2.
5 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_connect: Cached connection handle for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
6 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=***@nikaas.eu))
7 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: ***@nikaas.eu: not found
8 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost.box-hlm-02.niklaas.eu
9 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_string: mydestination: nikaas.eu ~? localhost
10 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: nikaas.eu: no match
11 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: In dict_ldap_lookup
12 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: Using existing connection for LDAP source /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
13 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: dict_ldap_lookup: /usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf: Searching with filter (&(objectClass=postfixUser)(mailacceptinggeneralid=@nikaas.eu))
14 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: maps_find: smtpd_sender_login_maps: @nikaas.eu: not found
15 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: mail_addr_find: ***@nikaas.eu -> (not found)
16 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: NOQUEUE: reject: RCPT from aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu; from=<***@nikaas.eu> to=<***@niklaas.eu> proto=ESMTP helo=<[192.168.178.45]>
17 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_authenticated_sender_login_mismatch status=2
18 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
19 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: generic_checks: name=reject_sender_login_mismatch status=2
20 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: >>> END Recipient address RESTRICTIONS <<<
21 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 453 4.7.1 <***@nikaas.eu>: Sender address rejected: not owned by user ***@niklaas.eu
22 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
23 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: RSET
24 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 250 2.0.0 Ok
25 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: watchdog_pat: 0x805c0e110
26 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: < aftr-109-91-37-7.unity-media.net[109.91.37.7]: QUIT
27 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: > aftr-109-91-37-7.unity-media.net[109.91.37.7]: 221 2.0.0 Bye
28 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? 10.2.8.1/32
29 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? 10.2.8.1/32
30 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostname: smtpd_client_event_limit_exceptions: aftr-109-91-37-7.unity-media.net ~? [fd16:dcc0:f4cc:2::8:1]/128
31 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_hostaddr: smtpd_client_event_limit_exceptions: 109.91.37.7 ~? [fd16:dcc0:f4cc:2::8:1]/128
32 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: aftr-109-91-37-7.unity-media.net: no match
33 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: match_list_match: 109.91.37.7: no match
34 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr request = disconnect
35 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: send attr ident = submission:109.91.37.7
36 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: status
37 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: status
38 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute value: 0
39 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: private/anvil: wanted attribute: (list terminator)
40 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: input attribute name: (end)
41 Aug 3 20:16:00 mx postfix/submission/smtpd[82701]: disconnect from aftr-109-91-37-7.unity-media.net[109.91.37.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8
--

Any help is very much appreciated.

Niklaas
Viktor Dukhovni
2016-08-03 22:07:04 UTC
Instead of anecdotal re-interpretation of this claim, send the
actual command you used, and the actual output.
This lookup produced no results. Perhaps you're using some other
ldap table or some other lookup key.
Ditto.
--
Viktor.
Niklaas Baudet von Gersdorff
2016-08-03 22:16:48 UTC
Post by Viktor Dukhovni
Instead of anecdotal re-interpretation of this claim, send the
actual command you used, and the actual output.
-- $ postmap -q ***@niklaas.eu ldap:/usr/local/etc/postfix/ldap/smtpd_sender_login_maps.cf
***@niklaas.eu
--
Post by Viktor Dukhovni
This lookup produced no results. Perhaps you're using some other
ldap table or some other lookup key.
[...]
Post by Viktor Dukhovni
Ditto.
I use the same lookup table and lookup key (see above) and get no
result when postfix queries OpenLDAP.

Niklaas
Viktor Dukhovni
2016-08-03 22:28:48 UTC
Post by Niklaas Baudet von Gersdorff
Post by Viktor Dukhovni
Instead of anecdotal re-interpretation of this claim, send the
actual command you used, and the actual output.
This is not.
Post by Niklaas Baudet von Gersdorff
I use the same lookup table and lookup key (see above) and get no
result when postfix queries OpenLDAP.
Evidently the lookup keys are not the same.
--
Viktor.
Niklaas Baudet von Gersdorff
2016-08-04 06:00:34 UTC
Post by Viktor Dukhovni
Post by Niklaas Baudet von Gersdorff
Post by Viktor Dukhovni
Instead of anecdotal re-interpretation of this claim, send the
actual command you used, and the actual output.
This is not.
Post by Niklaas Baudet von Gersdorff
I use the same lookup table and lookup key (see above) and get no
result when postfix queries OpenLDAP.
Evidently the lookup keys are not the same.
Wow, thanks a lot for spotting that! I guess it was too late when
I worked on this yesterday.

Niklaas
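An added illustration (not code from the thread or from Postfix) of what reject_sender_login_mismatch is doing in the log above: the sender address is looked up in smtpd_sender_login_maps in the order the debug lines show (full address, then the @domain wildcard; the bare local part only when the domain is in mydestination), and the SASL login must appear among the owners returned. The table contents, the local parts and the mydestination set are constructed stand-ins for the masked values in the thread, and the lookup order is a simplified model of Postfix's behaviour, not its actual code.

```python
import re

# Constructed stand-in for the LDAP smtpd_sender_login_maps table. The first
# entry mirrors the thread's postmap output (the address owns itself); the
# second shows the @domain wildcard that the log's second lookup would hit.
SENDER_LOGIN_MAPS = {
    "user@niklaas.eu": {"user@niklaas.eu"},
    "@niklaas.eu": {"postmaster@niklaas.eu"},
}
# Constructed from the mydestination values visible in the log.
MYDESTINATION = {"localhost.box-hlm-02.niklaas.eu", "localhost"}


def sender_login_lookup(sender, table, mydestination):
    """Simplified model of the lookup order seen in the debug log:
    full address, bare local part only if the domain is local, then
    the @domain wildcard. Returns (key, owners) or (None, None)."""
    local, _, domain = sender.partition("@")
    keys = [sender]
    if domain in mydestination:
        keys.append(local)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


def reject_sender_login_mismatch(sender, sasl_login, table,
                                 mydestination=MYDESTINATION):
    """Return None when the SASL login owns the sender address, otherwise
    a reason string in the style of the reject line in the thread.
    Case folding is deliberately left out of this model."""
    _, owners = sender_login_lookup(sender, table, mydestination)
    if owners is None or sasl_login not in owners:
        return f"<{sender}>: Sender address rejected: not owned by user {sasl_login}"
    return None


LOG_RE = re.compile(r"maps_find: smtpd_sender_login_maps: (\S+): not found")


def keys_not_found(log_lines):
    """Pull the lookup keys Postfix reported as missing out of the debug
    log, so they can be compared verbatim with the key given to postmap -q."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            found.append(m.group(1))
    return found
```

Running keys_not_found over line 7 of the maillog returns the key "***@nikaas.eu", which differs from the "***@niklaas.eu" passed to postmap, which is exactly the mismatch Viktor points at.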
