On Mon, Jun 6, 2011 at 1:35 AM, Rony gnulinuxist@gmail.com wrote:
I have been going through various docs on the net about sasl authentication in postfix.
I hope you are referring to postfix's docs and references. Your scenario is a common setup and IIRC there are examples on postfix's site on how to do this.
In the system that I have set up at a client's place, mails are going fine but there is a small issue that needs to be corrected. The setup is a group of machines on LAN running Outlook Express mail clients and a Linux box running postfix pushing all mails to the main ISP's smtp server. Since it is a relay server, I have used the parameter relayhost = [smtp_of_ISP]:25 in the main.cf file. The sasl auth is using smtp_auth_enable and not smtpd_auth_enable and the user names/passwords are listed in the /etc/postfix/sasl_password file.
Have you also enabled relay for the "local" LAN? If yes, then this needs to be disabled.
*All* "local" users need to provide credentials to postfix for accepting emails from local clients.
This is a good place to start http://www.postfix.org/SASL_README.html if you have not read it.
Also you have not mentioned which SASL mechanism you are using. In Cyrus SASL, the sasl_authd (sp?) service needs to be active. This is what I recall from what I had done in a postfix setup looooong time ago :)
The only *smtpd* related entry is smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject.
Mails are going as required and only to those in the recipient_access list as required. Now if an employee has left and his/her entries are removed from the postfix box as well as the ISP server mail accounts, the Outlook Express mailer can still send mails as that non-existent user. What I found through more reading of docs is that my OE accounts can send mails even without authentication as I don't have smtpd_auth_enable and the LAN is in my mynetworks parameter. Not a big problem as it is local and under control and the OE account can be deleted for that user. However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix?
After deleting the user did you regenerate the hash file?
Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
No. You are probably authenticating your postfix server with that of your ISP SMTP, with a "particular" username/password or you have requested your ISP to allow relay from your WAN IP (static). In either case the onus is on your smtp server to allow/reject messages at the time when the local smtp client connects to the postfix smtp server in the LAN.
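
The split this thread turns on, as an added configuration sketch that is not part of either poster's message: Postfix's smtp_sasl_* parameters govern how the box logs in to the ISP, while the smtpd_sasl_* parameters govern who on the LAN may submit mail to it. The file /etc/postfix/sender_login and the Cyrus service name `smtpd` are assumptions; relayhost and the other map paths are taken from the thread.

```conf
# /etc/postfix/main.cf (constructed sketch, not the poster's real file)

# --- Outbound leg: Postfix as SASL *client* to the ISP (smtp_ prefix) ---
# These settings only decide how this box logs in to the relayhost.
# The ISP sees one login (this box), never the individual LAN users.
relayhost = [smtp_of_ISP]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

# --- Inbound leg as described in the thread (weak, shown commented out) ---
# SASL is not enabled on smtpd and the LAN is in mynetworks, so any LAN
# client can submit with any sender address, including a removed account.
# smtpd_recipient_restrictions =
#     check_recipient_access hash:/etc/postfix/recipient_access,
#     reject

# --- Inbound leg, hardened: Postfix as SASL *server* (smtpd_ prefix) ---
smtpd_sasl_auth_enable = yes
# Cyrus SASL backend (assumed); "smtpd" selects Cyrus's smtpd.conf.
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Only needed for old clients that use the obsolete AUTH= syntax,
# such as Outlook Express 4.
broken_sasl_auth_clients = yes

# Every SMTP client must log in; being on the LAN is no longer enough.
# permit_mynetworks is deliberately absent from this list.
smtpd_client_restrictions = permit_sasl_authenticated, reject

# Tie each envelope sender to the login that may use it. Removing a
# departed employee's line from this map (hypothetical file) stops that
# address from being used by any login.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_sender_login_mismatch

# Recipient allow-list from the thread, unchanged.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject
```

After removing a user from sender_login or recipient_access, rebuild the map with `postmap` and reload Postfix; the account must also be removed from whatever password store the Cyrus backend checks.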