  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417

In Postfix, how do you force a remote user to have to enter a password to send or receive an email?

We have a new postfix email server up and running.  Currently our remote users can log in and receive their emails after entering a password, but they are not required to enter a password to send an email.

Thank-you in advance for your help
0
Asked by: CME-IT
 
The--Captain Commented:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html

Be careful - this may affect how your server receives SMTP mail from everyone else (not just your local users).

Cheers,
-Jon
0
 
Cyclops3590 Commented:
umm...if they can send with authenticating??? have you checked to make sure you are not an open relay?
what are the smtpd_*_restrictions you have in place within your main.cf?
0
 
CME-IT (Author) Commented:
I am reading the articles.  They are very helpful.

I have noticed one unique situation.  Internally, everyone can send/receive emails internally/externally except those that are using Outlook.  They cannot send externally.  Fortunately, most of our employees are using something other than Outlook.

0
 
Cyclops3590 Commented:
hard to help without knowing what your configs are
0
 
CME-IT (Author) Commented:


smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains

smtpd_sender_restrictions = permit_sasl_authenticated
0
 
The--Captain Commented:
>umm...if they can send with authenticating??? have you checked to make sure you are not an open relay?
>what are the smtpd_*_restrictions you have in place within your main.cf

Whoa - one thing at a time.

>...those that are using Outlook.  They cannot send externally

LOL!  I am not a Microsoft guru, but I think I remember hearing that newer versions of Outlook are set up to require SMTP with authentication - the funny thing is that if you get this working, it might just fix your Outlook problems as well.

I am also not a postfix guru (I'm a sendmail geezer), so I know enough about SMTP, but not much about postfix.  As such, I've gotta hand this one off to Cyclops.

Cheers,
-Jon
0
 
Cyclops3590 Commented:
I take it that you did configure the clients for smtp auth, correct?  If you can send internally, but not externally (assuming here you are getting a 554 relay access denied error) then you have your mydestination configured right.

every time I had this happen it was that the client was configured right.  because if the client is configured for smtp auth, but is supplying the wrong username/password combo then outlook should actually get a rejection on all emails (if I remember right anyway, could be wrong).

beyond that, how do you have your sasl parameters configured for postfix?  also what are the contents of your smtpd.conf file?  are you using saslauthd or auxprop?  are you seeing anything related to sasl in your mail logs stating failures or even trials at using sasl auth?  run
tail -n 1000 /var/log/mail/info | grep postfix | grep sasl
to see all the postfix sasl related log entries just to see if that gives you any information.  you may also need to turn on verbose logging in your master.cf file
0
 
CME-IT (Author) Commented:
I am currently reviewing the Postfix SMTP AUTH  (and TLS) HOWTO that the captain recommended.  We are planning on trying it on our test server (it is a duplicate of the email server).  

Does this help?

Thanks in advance.


Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval[1] result permit_sasl_authenticated
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval[1] permit_mynetworks, permit_sasl_authenticated, check_relay_domains
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: mac_parse: permit_mynetworks, permit_sasl_authenticated, check_relay_domains
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval_action: type literal buf permit_mynetworks, permit_sasl_authenticated, check_relay_domains context mail_dict "permit_sasl_authenticated" recursive
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval[1] result permit_mynetworks, permit_sasl_authenticated, check_relay_domains
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval[1] result permit_mynetworks, permit_sasl_authenticated, check_relay_domains
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_security_options = noanonymous
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_application_name = (notfound)
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_update: smtpd_sasl_application_name = smtpd
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_local_domain = $myhostname
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_exceptions_networks = (notfound)
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_update: smtpd_sasl_exceptions_networks =
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_tls_security_options = (notfound)
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval[1] $smtpd_sasl_security_options
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: mac_parse: $smtpd_sasl_security_options
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_eval_action: type variable buf smtpd_sasl_security_options context mail_dict "" recursive
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_security_options = noanonymous
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_update: smtpd_sasl_tls_security_options = noanonymous
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: smtpd_sasl_auth_enable = yes
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: dict_lookup: broken_sasl_auth_clients = yes
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: smtpd_sasl_initialize: SASL config file is smtpd.conf
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response AGpzdHJ5a2VyADEyMDQ0Ng==
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: smtpd_sasl_authenticate: decoded initial response
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated status=1
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated status=1
Jun  7 07:16:40 mailhost postfix/smtpd[29022]: 6CD073F9623: client=unknown[x.x.1.x], sasl_method=PLAIN, sasl_username=employee@mailhost.company.com

Jun  7 07:16:52 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated
Jun  7 07:16:52 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated status=0
Jun  7 07:16:52 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated
Jun  7 07:16:52 mailhost postfix/smtpd[29022]: generic_checks: name=permit_sasl_authenticated status=0
0
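
Verbose smtpd output like the excerpt above carries two things worth handling before a log is shared or triaged: the SASL PLAIN initial response is only base64-encoded, and each attempt records whether permit_sasl_authenticated matched. The shell functions below are an added example, not part of the original thread; the sample log is constructed, and the names redact_sasl and sasl_check_summary are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed: host, pid, queue ID, address,
# client IP and the PLAIN credential (alice / s3cret) are all made up.
SAMPLE_LOG='Jan  1 10:00:00 mx1 postfix/smtpd[4242]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response AGFsaWNlAHMzY3JldA==
Jan  1 10:00:00 mx1 postfix/smtpd[4242]: generic_checks: name=permit_sasl_authenticated
Jan  1 10:00:00 mx1 postfix/smtpd[4242]: generic_checks: name=permit_sasl_authenticated status=1
Jan  1 10:00:00 mx1 postfix/smtpd[4242]: ABCDEF12345: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jan  1 10:00:12 mx1 postfix/smtpd[4242]: generic_checks: name=permit_sasl_authenticated
Jan  1 10:00:12 mx1 postfix/smtpd[4242]: generic_checks: name=permit_sasl_authenticated status=0'

# Mask what verbose smtpd logging exposes: the SASL initial response is only
# base64 (for PLAIN it holds the username and password), plus the login name
# and the client IP address.
redact_sasl() {
  sed -E \
    -e 's#(init_response )[A-Za-z0-9+/=]+#\1<redacted>#' \
    -e 's#(sasl_username=)[^ ,]+#\1<redacted>#' \
    -e 's#(client=[^[]*\[)[^]]+#\1<redacted>#'
}

# One line per timestamp+process with the outcome of permit_sasl_authenticated:
# status=1 -> the restriction permitted the request, status=0 -> it did not
# match and Postfix moved on to the next restriction in the list.
# Grouping by second and pid is a heuristic, not real session tracking.
sasl_check_summary() {
  awk '
    /generic_checks: name=permit_sasl_authenticated status=/ {
      proc = $5; sub(/:$/, "", proc)
      key = $1 " " $2 " " $3 " " proc
      status = $NF; sub(/^status=/, "", status)
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      result[key] = (status == "1") ? "sasl-ok" : "not-authenticated"
    }
    END { for (i = 1; i <= n; i++) print order[i], result[order[i]] }'
}

# Demo on the constructed sample: sanitised excerpt, then the summary.
printf '%s\n' "$SAMPLE_LOG" | redact_sasl
printf '%s\n' "$SAMPLE_LOG" | sasl_check_summary
```

An attempt reported as not-authenticated falls through to the next restriction, which is where a client that is not in mynetworks and has not completed SMTP AUTH gets the relay access denied response.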
 
CME-IT (Author) Commented:

> ... (assuming here you are getting a 554 relay access denied error)

yes that is the error message
0
 
CME-IT (Author) Commented:
Is it possible that dovecot.conf is conflicting with /etc/postfix/main.cf?
0
 
Cyclops3590 Commented:
dovecot is just the pop3/imap daemon isn't it? (never used it so not sure exactly what it does)
0
 
CME-IT (Author) Commented:
I'm not sure, there are some settings in it.  It came with the installation.
0
 
CME-IT (Author) Commented:
I am closing this question out as I am moving forward with the help that I got.  Thank-you both for your assistance.
0
