LinuxQuestions.org
Old 04-04-2008, 08:01 AM   #1
aravind1024004
Member
 
Registered: Mar 2008
Posts: 47

Rep: Reputation: 15
SMTP authentication in postfix


Hi,

I have configured SMTP authentication on my Postfix mail server.
The Postfix version I am using is Postfix 2.2,
and for SMTP authentication I use cyrus-sasl version 2.1.
I have configured my client in MS Outlook.
There is an option in MS Outlook, "My outgoing (SMTP) server requires authentication".
If I select this option in Outlook, then when I try to send mail as any user
it prompts for a password. After giving the password I am able to send mail.

But when I deselect the option in Outlook, i.e. "My outgoing (SMTP) server requires authentication",
it does not ask for a password, so any user can send mail to my mail server.

Could anyone please say how to restrict unknown senders from sending mail,
or, if any unknown sender tries to send mail, it must prompt for a password.

These are my configuration parameters:

[root@experts ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_relay = $mydomain
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = 151.2.119.150
mydomain = linux.com
myhostname = experts.linux.com
mynetworks = 151.2.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
 
Old 04-05-2008, 01:37 AM   #2
NaCo
Member
 
Registered: Jun 2002
Location: L.A.
Distribution: Fedora
Posts: 46

Rep: Reputation: 15
Check your smtpd.conf

Hi,

What do you have in your smtpd.conf?

Make sure you do not have anonymous in the mech_list parameter.

This might be the reason.

best regards

Angel
 
Old 04-05-2008, 11:38 PM   #3
aravind1024004
Member
 
Registered: Mar 2008
Posts: 47

Original Poster
Rep: Reputation: 15
In my smtpd.conf file I mentioned only

pwcheck_method = auxprop

and there is no mech_list.

Do I need to mention anything else in smtpd.conf?
 
Old 04-06-2008, 12:06 AM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
You probably have something like
Code:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
in your main.cf, which means that clients on your network don't need to authenticate. Note that this does not make you an open relay unless mynetworks is incorrect.

Check the postfix site, but I guess if you want to force authentication for all users, you would delete the "permit_mynetworks" provision.

Edit - note that mydestination is normally a domain name not an IP. See http://www.postfix.org/postconf.5.html#mydestination

Last edited by billymayday; 04-07-2008 at 02:10 AM.
 
Old 04-06-2008, 02:19 AM   #5
NaCo
Member
 
Registered: Jun 2002
Location: L.A.
Distribution: Fedora
Posts: 46

Rep: Reputation: 15
try setting the mech_list parameter

Try setting mech_list parameter like this:

mech_list: PLAIN LOGIN


Give it a try and tell me if it works. I am assuming that since you are missing this parameter, CyrusSASL is accepting anonymous connections. If you specify anonymous in this parameter, anyone can relay mail on your server.

Also check what billymayday said.

Good luck!

Angel.
 
Old 04-06-2008, 02:22 AM   #6
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Please note that the inclusion of permit_mynetworks is default behaviour in Postfix.

(see postconf -d to see defaults)

Rgds
 
Old 04-07-2008, 12:17 AM   #7
aravind1024004
Member
 
Registered: Mar 2008
Posts: 47

Original Poster
Rep: Reputation: 15
Hi,

First of all, I want to thank you for all your replies.
I have tried everything you mentioned,
but I am still facing the same problem.
If the client deselects "My outgoing (SMTP) server requires authentication" in Outlook etc.,
then anyone can send mail. There must be some restrictions to restrict unauthenticated users.
 
Old 04-07-2008, 01:14 AM   #8
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Can you post the output of postconf -n

What exactly did you change smtpd_recipient_restrictions to?

Last edited by billymayday; 04-07-2008 at 01:22 AM.
 
Old 04-07-2008, 01:26 AM   #9
aravind1024004
Member
 
Registered: Mar 2008
Posts: 47

Original Poster
Rep: Reputation: 15
output of postconf -n


[root@experts ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_relay = $mydomain
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = rules.linux.com
mydomain = linux.com
myhostname = experts.linux.com
mynetworks = 151.2.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
[root@experts ~]#
 
Old 04-07-2008, 01:30 AM   #10
aravind1024004
Member
 
Registered: Mar 2008
Posts: 47

Original Poster
Rep: Reputation: 15
Sorry, the above output was sent by mistake;
this is the correct one.

In smtpd_recipient_restrictions I have removed permit_mynetworks.

[root@experts ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_relay = $mydomain
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = rules.linux.com
mydomain = linux.com
myhostname = experts.linux.com
mynetworks = 151.2.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
 
Old 04-07-2008, 02:37 AM   #11
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
You don't want the comma at the end of the line.

This should work - I tried it and it works fine. Note that authentication isn't required for mail to relay_domains (reject_unauth_destination allows that). You could try

smtpd_recipient_restrictions = permit_sasl_authenticated, reject

to avoid that behaviour, but I haven't tested it
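
Added example, not part of the original posts: a simplified Python model of how Postfix walks smtpd_recipient_restrictions left to right, using the mynetworks and mydestination values from the thread's postconf -n output. The client addresses, example.org and the helper names (check, decide, table) are constructed for illustration, and reject_unauth_destination is reduced to a lookup against mydestination/relay_domains.

```python
import ipaddress

# Values taken from the postconf -n output posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("151.2.0.0/16", "127.0.0.0/8")]
LOCAL_OR_RELAY = {"rules.linux.com"}  # mydestination; relay_domains = $mydestination

def check(rule, client_ip, authenticated, rcpt_domain):
    """Return 'permit', 'reject' or None (no decision, try the next rule)."""
    if rule == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "permit" if any(ip in net for net in MYNETWORKS) else None
    if rule == "permit_sasl_authenticated":
        return "permit" if authenticated else None
    if rule == "reject_unauth_destination":
        # Simplified: only mydestination/relay_domains count as authorized.
        return None if rcpt_domain in LOCAL_OR_RELAY else "reject"
    if rule == "reject":
        return "reject"
    raise ValueError(f"rule not modelled: {rule}")

def decide(restrictions, client_ip, authenticated, rcpt_domain):
    """First rule that returns a decision wins; end of list accepts."""
    for rule in (r.strip() for r in restrictions.split(",")):
        result = check(rule, client_ip, authenticated, rcpt_domain)
        if result:
            return result
    return "permit"

CONFIGS = {
    "post #4": "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination",
    "no permit_mynetworks": "permit_sasl_authenticated, reject_unauth_destination",
    "post #11": "permit_sasl_authenticated, reject",
}
# Constructed clients: (label, client IP, authenticated?, recipient domain)
CASES = [
    ("LAN, no auth, external rcpt", "151.2.119.20", False, "example.org"),
    ("LAN, no auth, local rcpt", "151.2.119.20", False, "rules.linux.com"),
    ("outside, no auth, external rcpt", "203.0.113.9", False, "example.org"),
    ("outside, auth, external rcpt", "203.0.113.9", True, "example.org"),
]

def table():
    """Verdict for every (config, client) pair."""
    return {(name, label): decide(rules, ip, auth, dom)
            for name, rules in CONFIGS.items()
            for label, ip, auth, dom in CASES}

if __name__ == "__main__":
    for (name, label), verdict in table().items():
        print(f"{name:22} {label:34} {verdict}")
```

The last configuration also rejects unauthenticated mail addressed to the server's own domains, so it fits a submission-only listener rather than one that must accept inbound mail from other mail servers.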
 
Old 04-07-2008, 10:54 AM   #12
NaCo
Member
 
Registered: Jun 2002
Location: L.A.
Distribution: Fedora
Posts: 46

Rep: Reputation: 15
OK

Try checking your maillog.

Try executing:

echo "" > /var/log/maillog

This way you clear everything you had logged before.

Then run your two authentication scenarios and compare them. The log should not be too long; post it so we can take a peek at it. Try to copy and paste, do not just type it in! If you are just running the command line, WinSCP to your Linux box from a Windows machine and copy your maillog file; being in Windows, just copy and paste it into the forum.

Angel
 
Old 09-04-2010, 09:32 AM   #13
frico
LQ Newbie
 
Registered: Sep 2010
Posts: 1

Rep: Reputation: 0
Hi

Did somebody find any issue for this problem?

Frico

Last edited by frico; 09-04-2010 at 11:25 AM.
 
  

