postfix relay smtp authentication

On Wed, Dec 06, 2006 at 12:13:26AM +0100, Martin Fuzzey wrote:
>
> This works BUT only for a single user since the postfix version in sarge
> (2.1.5) doesn't implement the smtp_sender_dependent_authentication
> option and my ISP actually wants the correct password for each email
> address (not just a single one for all addresses associated with the
> account.

I've not used postfix, but maybe this can help. I use exim4 with a
smarthost and only use one of several accounts to send the mail. The
headers in the outgoing mail have various return/from addresses, but
we only login to the smtp host using one of those accounts. so whether
mail actually comes from bob or joe or mary, the mailserver here logs
into the smtp server as joe and then sends the message. ymmv.

A

On Wed, Dec 06, 2006 at 12:13:26AM +0100, Martin Fuzzey wrote:
> Hi,
>
> I have been succesfully running postfix on Sarge as a local mailserver
> relaying all outbound mail (from multiple internal accounts) to my ISP.
>
> However my ISP has just decided to require SMTP authentication.
>

Here is what I have done when I had an ISP that required SMTP AUTH:

# cat /etc/postfix/sasl_passwd
upstream.mail.exchange :password

# grep -r sasl_passwd /etc/postfix/
/etc/postfix/main.cf:smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Then, make sure to run:

# postmap hash:/etc/postfix/sasl_passwd

This should leave you with a file called /etc/postfix/sasl_passwd.db
which postfix which actually use as the source of the authentication
information.

Also, make sure that the sasl_passwd and sasl_passwd.db have mode 600
and that you have libsasl2-modules installed.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

On Wed, Dec 06, 2006 at 12:13:26AM +0100, Martin Fuzzey wrote:
> Hi,
>
> I have been succesfully running postfix on Sarge as a local mailserver
> relaying all outbound mail (from multiple internal accounts) to my ISP.
>
> However my ISP has just decided to require SMTP authentication.

>
> So does anyone have any better ideas of how to make this work?
>
> Regards,
>
Hi Martin,
I have a few suggestions:
-check other lists at lists.debian.org that deal with exim or debian-isp?
-make a wish list bug report
-ask the Debian postfix maintainer about if its possible with the
current version to do what you want or it he/she'd consider adding it as
you may not be the only person who needs/will need this feature?
Debian seeks to make packages suited to its users needs, if enough
people need this, it may be an included option.

cheers,
Kev
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal | debian.home.pipeline.com |
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keysever: pgp.mit.edu | my NPO: cfsg.org |

On Wed, Dec 06, 2006 at 12:13:26AM +0100, Martin Fuzzey wrote:
> Hi,
>
> I have been succesfully running postfix on Sarge as a local mailserver
> relaying all outbound mail (from multiple internal accounts) to my ISP.
>
> However my ISP has just decided to require SMTP authentication.
>
> I have set up SASL following the postfix documentation and the
> authentication phase succeeds, *however* postfix does not include the
> authenticated sender address in the AUTH section of the MAIL FROM
> message and my ISP is still refusing the message :((
>
> Looking at the source in src/smtp/smtp_proto.c:
> /*
> * We authenticate the local MTA only, but not the sender.
> */
> #ifdef USE_SASL_AUTH
> if (var_smtp_sasl_enable
> && (state->features & SMTP_FEATURE_AUTH)
> && state->sasl_passwd)
> vstring_strcat(next_command, " AUTH=<>");
> #endif
>
>
> I have "fixed" this with the following patch to the postfix code:
>
> --- postfix-2.1.5/src/smtp/smtp_proto.c 2006-12-04 22:08:23.000000000 +0100
> +++ postfix-2.1.5/src/smtp/smtp_proto.c.new 2006-12-04
> 22:33:35.943911483 +0100
> @@ -755,8 +755,11 @@
> #ifdef USE_SASL_AUTH
> if (var_smtp_sasl_enable
> && (state->features & SMTP_FEATURE_AUTH)
> - && state->sasl_passwd)
> - vstring_strcat(next_command, " AUTH=<>");
> + && state->sasl_passwd) {
> + // Patch MF 4/12/2006 Authenticate sender (for
> Tele2...)
> + QUOTE_ADDRESS(state->scratch, request->sender);
> + vstring_sprintf_append(next_command, "
> AUTH=<%s>", vstring_str(state->scratch));
> + }
> #endif
> next_state = SMTP_STATE_RCPT;
> break;
>
>
> This works BUT only for a single user since the postfix version in sarge
> (2.1.5) doesn't implement the smtp_sender_dependent_authentication
> option and my ISP actually wants the correct password for each email
> address (not just a single one for all addresses associated with the
> account.
>
> I've tried similarly patching the etch version of postfix - I can build
> the package but it won't install due to an unsatisified dependency on
> lsb_base (> 3.0.6)

I would post your question on the postfix-users list:
List-Post:
Especially if you are talking code patches.

--
Chris.
======
" ... the official version cannot be abandoned because the implication of
rejecting it is far too disturbing: that we are subject to a government
conspiracy of `X-Files' proportions and insidiousness."
Letter to the LA Times Magazine, September 18, 2005.

--

Martin Fuzzey wrote:
> Hi,
>
> I have been succesfully running postfix on Sarge as a local mailserver
> relaying all outbound mail (from multiple internal accounts) to my ISP.
>
> However my ISP has just decided to require SMTP authentication.
>
> I have set up SASL following the postfix documentation and the
> authentication phase succeeds, *however* postfix does not include the
> authenticated sender address in the AUTH section of the MAIL FROM
> message and my ISP is still refusing the message :((
>
...patch snipped ...
>
> This works BUT only for a single user since the postfix version in
> sarge (2.1.5) doesn't implement the
> smtp_sender_dependent_authentication option and my ISP actually wants
> the correct password for each email address (not just a single one for
> all addresses associated with the account.
>
Are you sure about that? I tested a couple of weeks ago, and mail from
me went through without trouble. If you are right, handling bounces for
your users (and mine) might become tedious. Do you have a solution?

Anyway, to get around the whole thing you can set smarthost like so, to
use the gateway for commercial customers:

relayhost = [smtp.tele2bedrift.no]

Caveat: I talked to their support-staff before setting this up, so they
may have added my IP to some "allowed senders" list. I don't think so
though.

The gateway for commercial customers does not require authentication
when you are coming from inside their network. They run spamassassin on
everything going through there, so they have managed to keep that server
off most rbls.

--
Håkon Alstadheim priv: +47 74 82 60 27
7510 Skatval mob: +47 47 35 39 38
http://alstadheim.priv.no/hakon/ job: +47 93 41 70 55

On Wed, Dec 06, 2006 at 12:13:26AM +0100, Martin Fuzzey wrote:
> I've tried similarly patching the etch version of postfix - I can build
> the package but it won't install due to an unsatisified dependency on
> lsb_base (> 3.0.6)

Get the backport of lsb_base off backports.org.

--
Pigeon

Be kind to pigeons - - Pigeon's Nest: http://pigeonsnest.co.uk/
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F