DevHeads.net

check_sasl_access' ignored: no SASL support

I'm in the process of enabling postscreen, and, just noticed started
getting these warnings today, after editing/adding postscreen

Jan 11 13:03:12 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:03:54 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:04:39 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support

looking at log events for one of these, I see like[1]:

in my /etc/postfix/main.cf I have

# grep check_sasl_access main.cf
check_sasl_access hash:/etc/postfix/sasl_access

this was put 2 yrs ? ago, aiming to blocking compromised user account to
stop being used for spam

never had (or, noticed ??) these errors before

what did I screw up..? postconf [2]

# ls -al /etc/postfix/sasl_access
-rw-r--r-- 1 root postfix 269 Oct 8 2015 /etc/postfix/sasl_access

# cat /etc/postfix/sasl_access

minto HOLD
casula HOLD
bankstown HOLD
<a href="mailto: ... at dom dot org.au"> ... at dom dot org.au</a> HOLD
<a href="mailto: ... at dom dot org.au"> ... at dom dot org.au</a> HOLD

[2]
# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
anvil_rate_time_unit = 1h
append_dot_mydomain = yes
biff = no
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 150000
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 30971520
mime_header_checks = pcre:$config_directory/mime_headers.pcre
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain,
localhost.$myhostname
mydomain = sbt.net.au
myhostname = geko.sbt.net.au
mynetworks = 163.47.110.6 163.47.110.7 103.15.178.123 110.175.246.167
60.242.27.57 127.0.0.1
myorigin = geko.sbt.net.au
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = DROP
postscreen_command_count_limit = 8
postscreen_command_time_limit = 30
postscreen_dnsbl_action = ENFORCE
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2, db.wpbl.info, dnsbl.dronebl.org,
pofon.foobar.hu, bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = ENFORCE
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps
$mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps
$relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps
$sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps
$transport_maps $virtual_alias_domains $virtual_alias_maps
$virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination,
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 12
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
reject_unauth_destination, check_recipient_access
hash:/etc/postfix/recipient_no_checks, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/letsencrypt/live/geko.sbt.net.au/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/geko.sbt.net.au/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf,
proxy:mysql:/etc/postfix/mysql/catchall_maps.cf,
proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

[1]

grep 5403 /var/log/maillog

Jan 11 13:02:59 geko postfix/smtpd[5403]: warning: hostname
beta10.gannettmarks.info does not resolve to address 45.124.97.25: Name or
service not known
Jan 11 13:02:59 geko postfix/smtpd[5403]: connect from unknown[45.124.97.25]
Jan 11 13:03:00 geko postfix/smtpd[5403]: NOQUEUE: reject: RCPT from
unknown[45.124.97.25]: 450 4.1.8 < ... at gannettmarks dot info>: Sender
address rejected: Domain not found; from=< ... at gannettmarks dot info>
to=< ... at dom dot tld> proto=ESMTP helo=<beta10.gannettmarks.info>
Jan 11 13:03:00 geko postfix/smtpd[5403]: disconnect from
unknown[45.124.97.25] ehlo=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=3/5
Jan 11 13:03:11 geko postfix/smtpd[5403]: warning: hostname
mail-mx.tudem.com does not resolve to address 78.40.224.14: Name or
service not known
Jan 11 13:03:11 geko postfix/smtpd[5403]: connect from unknown[78.40.224.14]
Jan 11 13:03:12 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:03:14 geko postfix/smtpd[5403]: 433AF65C92DE:
client=unknown[78.40.224.14]
Jan 11 13:03:16 geko postfix/smtpd[5403]: disconnect from
unknown[78.40.224.14] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 11 13:03:53 geko postfix/smtpd[5403]: connect from
mail-hk2apc01on0085.outbound.protection.outlook.com[104.47.124.85]
Jan 11 13:03:54 geko postfix/smtpd[5403]: Anonymous TLS connection
established from
mail-hk2apc01on0085.outbound.protection.outlook.com[104.47.124.85]:
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jan 11 13:03:54 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:03:54 geko postfix/smtpd[5403]: C25FF65C92DE:
client=mail-hk2apc01on0085.outbound.protection.outlook.com[104.47.124.85]
Jan 11 13:03:55 geko postfix/smtpd[5403]: disconnect from
mail-hk2apc01on0085.outbound.protection.outlook.com[104.47.124.85] ehlo=2
starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 11 13:04:38 geko postfix/smtpd[5403]: connect from
mta412.k.cheetahmail.com[208.49.63.138]
Jan 11 13:04:39 geko postfix/smtpd[5403]: Anonymous TLS connection
established from mta412.k.cheetahmail.com[208.49.63.138]: TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 11 13:04:39 geko postfix/smtpd[5403]: warning: restriction
`check_sasl_access' ignored: no SASL support
Jan 11 13:04:41 geko postfix/smtpd[5403]: 4800365C92DE:
client=mta412.k.cheetahmail.com[208.49.63.138]
Jan 11 13:04:42 geko postfix/smtpd[5403]: disconnect from
mta412.k.cheetahmail.com[208.49.63.138] ehlo=2 starttls=1 mail=1 rcpt=1
data=1 commands=6

Comments

Re: check_sasl_access' ignored: no SASL support

By Wietse Venema at 01/11/2018 - 07:55

Postfix was compiled without SASL support. There is no code to
implement SASL. This cannot be changed with main.cf settings.

#ifdef USE_SASL_AUTH
} else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) {
if (var_smtpd_sasl_enable) {
if (state->sasl_username && state->sasl_username[0])
status = check_sasl_access(state, *cpp, def_acl);
} else
#endif
msg_warn("restriction `%s' ignored: no SASL support", name);

Wietse

Re: check_sasl_access' ignored: no SASL support

By Voytek Eymont at 01/10/2018 - 22:27

On Thu, January 11, 2018 1:17 pm, Voytek wrote:
as a part of postscreen setup, I've altered

(was)
smtpd_sasl_auth_enable = yes
(current)
smtpd_sasl_auth_enable = no

I've now reverted to 'yes' - and, am checking if message goes away