
I want to secure a relay with SASL.

saslauthd works:

testsaslauthd -u weberjn -p ***
0: OK "Success."

Tried smtpd_relay_restrictions from the SMTPD_ACCESS_README:

# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_mynetworks, 
    permit_sasl_authenticated,
    reject_unauth_destination

This works, but unfortunately a mail is accepted even if the client password is deliberately wrong.

How can I fix this?

And I guess status=0 is failed, because the client is not in mynetworks?

postfix/smtpd[54754]: generic_checks: name=permit_mynetworks status=0
postfix/smtpd[54754]: generic_checks: name=permit_sasl_authenticated
postfix/smtpd[54754]: generic_checks: name=permit_sasl_authenticated status=0

Can I debug the communication between postfix and the saslauthd socket?

As requested:

cat smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 7

postconf -n | grep smtpd
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

postconf -d | grep cyr
cyrus_sasl_config_path =
lmtp_sasl_type = cyrus
send_cyrus_sasl_authzid = no
smtp_sasl_type = cyrus
smtpd_sasl_type = cyrus
  • I assume you mean Cyrus SASL, e.g. smtpd_sasl_type is set to cyrus. Please, append /usr/lib/sasl2/smtpd.conf, /etc/sasl2/smtpd.conf, or whatever file is used in your environment (e.g. if you changed smtpd_sasl_path and cyrus_sasl_config_path, the name of the file will be different). It is reasonable to append postconf -n too for us to know your effective Postfix configuration. Commented Apr 23 at 4:31
  • Ran saslauthd -d ... it doesn't even get called
    – weberjn
    Commented Apr 23 at 20:12
  • Anyway, I gave up and protected port 25 with the firewall. I have only a few hosts I send mail from.
    – weberjn
    Commented Apr 23 at 20:14
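
For reading the `generic_checks` debug lines quoted in the question, here is an added example that is not part of the original post or comments. It assumes the result codes defined in Postfix's `smtpd_check.c` (0 = DUNNO, 1 = OK, 2 = REJECT); the function names are hypothetical and the last sample line is constructed.

```python
import re

# Result codes from Postfix's smtpd_check.c; other values are reported raw.
VERDICTS = {0: "DUNNO", 1: "OK", 2: "REJECT"}

CHECK_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: generic_checks: "
    r"name=(?P<name>\S+) status=(?P<status>-?\d+)"
)

def trace(lines):
    """Return {pid: [(restriction, verdict), ...]} in evaluation order."""
    out = {}
    for line in lines:
        m = CHECK_RE.search(line)
        if m:  # lines with only "name=..." mark the start of a check; skipped
            code = int(m["status"])
            out.setdefault(m["pid"], []).append(
                (m["name"], VERDICTS.get(code, f"other({code})")))
    return out

def deciding(checks):
    """First restriction that returned a verdict other than DUNNO, or None."""
    for name, verdict in checks:
        if verdict != "DUNNO":
            return name, verdict
    return None

# The first three lines are from the question; the last one is constructed.
SAMPLE = """\
postfix/smtpd[54754]: generic_checks: name=permit_mynetworks status=0
postfix/smtpd[54754]: generic_checks: name=permit_sasl_authenticated
postfix/smtpd[54754]: generic_checks: name=permit_sasl_authenticated status=0
postfix/smtpd[54754]: generic_checks: name=reject_unauth_destination status=0
""".splitlines()

if __name__ == "__main__":
    for pid, checks in trace(SAMPLE).items():
        for name, verdict in checks:
            print(f"smtpd[{pid}] {name}: {verdict}")
        print("decided by:", deciding(checks) or "no restriction (all DUNNO)")
```

DUNNO means the restriction made no decision and evaluation moved on to the next entry in the list, so a `permit_sasl_authenticated status=0` line only shows that this restriction did not permit the request.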
