Postfix SASL auth not working
 

Hi,

I've been having a really hard time with this; maybe someone here can help. I'm getting relay access denied to an email outside of my domain. It seems the passwords are authenticating because I'm not getting invalid password prompts.

### BEGIN POSTFIX CONF ###

# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
mailbox_size_limit = 0
message_size_limit = 50240000
mydomain = mycompany.com
myhostname = myhost.mycompany.com
mynetworks = 127.0.0.0/8,192.168.2.0/24,10.0.0.0/24,hash:/etc/postfix/
pop-before-smtp
myorigin = thrud.alliantinternet.com
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname NO UCE ESMTP myhost.mycompany.com
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/pop-before-smtp
smtpd_delay_reject = no
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, hash:/etc/postfix/sender_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/spool/postfix/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 500000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 107
virtual_transport = virtual
virtual_uid_maps = static:107

### END POSTFIX CONF ###

If you need anything else to work with, let me know.

These are the additional items my config has that yours doesn't (differs from yours significantly.)
There are good instructions for testing smtp-auth from command line at http://qmail.jms1.net/test-auth.shtml including how to do it using tls.

Edit: Also make sure you remembered to install the required sasl items-- cyrus-sasl-* (more or a less.)

The difference I see here is that you added

tls_daemon_random_source = dev:/dev/urandom
smtpd_tls_auth_only

You also have separate ssl keyfiles. Other posts I've seen use the same file for all three properties. Is there a significance to having them vary? How did you generate all three?

Could the issue also possibly be in one of these three lines?

smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/pop-before-smtp, check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access

is permit_sasl_authenticated required in all three lines? I'm thinking it may be unnecessary (and counterproductive) in the smtpd_sender_restrictions. In the logs, I see "certificate verification failed" for IPs/emails that we deliver mail to, which leads me to believe I need to modify something in those 3 lines above, no?