Bug 460226 - mail-mta/postfix not working with dovecot-sasl
Summary: mail-mta/postfix not working with dovecot-sasl
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
Reported: 2013-03-04 08:11 UTC by Florian Klink
Modified: 2013-03-05 20:37 UTC (History)
Description Florian Klink 2013-03-04 08:11:01 UTC
After upgrading from postfix-2.9.6 to 2.10.0, authenticated clients are not allowed to send mails for relaying anymore.

smtp_sasl_security_options =noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/server.crt
smtpd_tls_key_file = /etc/ssl/server.key
smtpd_tls_CAfile = /etc/ssl/ca.crt

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination


But when debugging, permit_sasl_authenticated is not checked at all inside recipient access restrictions:

hostname postfix/smtpd[2052]: >>> START Recipient address RESTRICTIONS <<<
hostname postfix/smtpd[2052]: generic_checks: name=permit_mynetworks
hostname postfix/smtpd[2052]: permit_mynetworks: pCLIENT.dip.t-dialin.net xx.xxx.xxx.x
hostname postfix/smtpd[2052]: match_hostname: pCLIENT.dip.t-dialin.net ~? 127.0.0.0/8
hostname postfix/smtpd[2052]: match_hostaddr: xx.xxx.xxx.x ~? 127.0.0.0/8
hostname postfix/smtpd[2052]: match_hostname: pCLIENT.dip.t-dialin.net ~? [::1]/128
hostname postfix/smtpd[2052]: match_hostaddr: xx.xxx.xxx.x ~? [::1]/128
hostname postfix/smtpd[2052]: match_hostname: pCLIENT.dip.t-dialin.net ~? 10.9.0.0/24
hostname postfix/smtpd[2052]: match_hostaddr: xx.xxx.xxx.x ~? 10.9.0.0/24
hostname postfix/smtpd[2052]: match_list_match: pCLIENT.dip.t-dialin.net: no match
hostname postfix/smtpd[2052]: match_list_match: xx.xxx.xxx.x: no match
hostname postfix/smtpd[2052]: generic_checks: name=permit_mynetworks status=0
hostname postfix/smtpd[2052]: generic_checks: name=reject_unauth_destination
hostname postfix/smtpd[2052]: reject_unauth_destination: somaddress@gmail.com
hostname postfix/smtpd[2052]: permit_auth_destination: somaddress@gmail.com
hostname postfix/smtpd[2052]: ctable_locate: leave existing entry key somaddress@gmail.com
Mar  4 08:52:25 asterix postfix/smtpd[2052]: NOQUEUE: reject: RCPT from pCLIENT.dip.t-dialin.net[xx.xxx.xxx.x]: 554 5.7.1 <somaddress@gmail.com>: Relay access denied; hostname to=<somaddress@gmail.com> proto=ESMTP helo=<[192.168.0.141]>
hostname postfix/smtpd[2052]: generic_checks: name=reject_unauth_destination status=2
hostname postfix/smtpd[2052]: >>> END Recipient address RESTRICTIONS <<<


After downgrading back to postfix-2.9.6 again, everything works as before.

Reproducible: Always
Comment 1 Brian Evans (RETIRED) gentoo-dev 2013-03-05 13:52:04 UTC
This looks like a configuration issue.

smtpd_relay_restrictions was introduced in 2.10 to do exactly as you expect.
http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

To achieve backwards compatibility, smtpd_relay_restrictions must be set to empty instead of the default "permit_mynetworks, reject_unauth_destination".

In your case, if you change smtpd_recipient_restrictions to smtpd_relay_restrictions, it should work.
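
The evaluation order described in comment 1, as an added example that is not part of the bug report and not Postfix code: a simplified Python model of how the relay list is evaluated before the recipient list at RCPT time, so a reject in the relay list ends the check before permit_sasl_authenticated is ever reached. Assumptions: the 2.10 default is the one quoted in comment 1, only the three restrictions that appear on this page are modelled, and all function and variable names are hypothetical.

```python
import re

# Built-in 2.10 default for smtpd_relay_restrictions, as quoted in comment 1.
RELAY_DEFAULT = "permit_mynetworks, reject_unauth_destination"
# Restriction line taken from the bug description.
REPORTED = ("smtpd_recipient_restrictions = permit_mynetworks, "
            "permit_sasl_authenticated, reject_unauth_destination\n")
# Constructed client: authenticated, outside mynetworks, external recipient.
CLIENT = {"in_mynetworks": False, "sasl_authenticated": True, "dest_is_local": False}

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (s.strip() for s in line.split("=", 1))
            params[last] = value
    return params

def run_list(restrictions, client):
    """Evaluate one restriction list; the first restriction that decides wins."""
    for name in restrictions:
        if name == "permit_mynetworks" and client["in_mynetworks"]:
            return "permit", name
        if name == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "permit", name
        if name == "reject_unauth_destination" and not client["dest_is_local"]:
            return "reject", name
    return "dunno", None  # no decision: fall through to the next list

def rcpt_decision(main_cf_text, client):
    """Relay list first, then recipient list; a reject in either one is final."""
    params = parse_main_cf(main_cf_text)
    for param, default in (("smtpd_relay_restrictions", RELAY_DEFAULT),
                           ("smtpd_recipient_restrictions", "")):
        items = re.split(r"[,\s]+", params.get(param, default).strip())
        verdict, name = run_list([i for i in items if i], client)
        if verdict == "reject":
            return "reject", param, name
    return "accept", None, None

if __name__ == "__main__":
    print(rcpt_decision(REPORTED, CLIENT))
```

With the reported settings the model rejects in smtpd_relay_restrictions at reject_unauth_destination, matching the debug log in the description; both remedies from comment 1 (an empty smtpd_relay_restrictions, or renaming the parameter) lead to an accept for the authenticated client.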
Comment 2 Florian Klink 2013-03-05 20:37:02 UTC
That worked for me. Thanks!