DevHeads.net

Problem with Zen filtering legit e-mail

Since I got Zen and the other spam stuff working things went fine until
one of our road workers tried to send his email from his laptop which is
hooked up on a cheap ISP. This ISP happens to be fully in Zen and he
cannot send mails using our mail server. He has to log in using IMAP/TLS to
send the mails. Is there a way ( inside the recipient restrictions ) to
allow mails only from a domain if sent by a logged-in user? Currently I
use a recipient access map to whitelist the domain but this works only
until spammers start to send mails with faked domains ( aka claiming to
be from this domain but obviously are not since they never authed ).
SASL is not an option since it refuses to work ( either crashes or fails
to start ).

Comments

Re: Problem with Zen filtering legit e-mail

By Sahil Tandon at 01/30/2009 - 12:45

Fix the problem instead of plugging in these makeshift solutions. Why
does SASL not work? What do the logs say? Show the output of
'postconf -n' and relevant excerpts from your log. Also see the
DEBUG_README, to which you were referred upon joining this list; it
contains useful troubleshooting tips and advice on how to get help
from this list.

Re: Problem with Zen filtering legit e-mail

By =?ISO-8859-1?Q?... at 01/30/2009 - 12:45

If I would know this I would not say it's not-an-option, right? ;)

Unfortunately nothing except SASL not working ( if telnetting to 25 ). I
tried tons of tutorials but the SASL stays broken. Most probably a
Gentoo problem I suspect.

I never received nor got pointed to a DEBUG_README at all. Where's this one?

Re: Problem with Zen filtering legit e-mail

By Charles Marcus at 01/30/2009 - 12:45

Actually, I've been using SASL on gentoo for years, so it is more likely
a PEBKAC problem...

Re: Problem with Zen filtering legit e-mail

By Brian Evans - P... at 01/30/2009 - 12:45

Gentoo is not the issue; however, the different SASL implementations can
be an interesting experiment to get working.
Dovecot SASL is easier, IMO, to set up and configure and you can disable
the IMAP services from starting simply enough.

http://www.postfix.org/DEBUG_README.htm

Brian

Re: Problem with Zen filtering legit e-mail

By =?ISO-8859-1?Q?... at 01/30/2009 - 12:45

Hm... I tried Cyrus so far. What's the difference between the two except
the configuration?

You missed the L... :D ( sorry, couldn't resist )

Re: Problem with Zen filtering legit e-mail

By Bill Cole at 01/30/2009 - 12:45

Roland Plüss wrote, On 1/13/09 9:47 AM:

[...]

1. Dovecot SASL is a free-standing authentication daemon rather than
libraries that have to be linked into Postfix, which eliminates the
opportunity for failure from having a mismatch between the libraries used to
build Postfix and the ones in place at run time.

2. Dovecot only provides authentication for the SMTP server side of Postfix,
so if you need to have the SMTP or LMTP client parts of Postfix
authenticate themselves to a server, Cyrus is your only choice.

And the config difference is a significant one. A SASL implementation that
one cannot figure out how to configure has absolutely no functionality. It
is also possible to configure Cyrus functionally but very insecurely, which
is likely to be more difficult to accomplish with Dovecot.

Re: Problem with Zen filtering legit e-mail

By =?ISO-8859-1?Q?... at 01/30/2009 - 12:46

I guess in this case I should once upon time pay Dovecot a visit. I need
only auth for SMTP/IMAP. LMTP I don't use so it's not a blocker there.

Re: Problem with Zen filtering legit e-mail

By mouss at 01/30/2009 - 12:46

Roland Plüss wrote:

you apparently didn't get it:

- if you only need to authenticate TO YOUR postfix, then dovecot is a
good choice. This happens when your mailer connects to postfix.

- if you need your postfix to authenticate TO OTHER smtp servers, then
you need cyrus-sasl.

In short, dovecot doesn't support "client side SASL". see the SASL
README for more.

Re: Problem with Zen filtering legit e-mail

By =?ISO-8859-1?Q?... at 01/30/2009 - 12:46

Nah, it's only for client to my postfix. No need for postfix to auth to
other smtp servers. Unless this would be somehow useful or would
prevent problems.

Re: Problem with Zen filtering legit e-mail

By mouss at 01/30/2009 - 12:46

Roland Plüss wrote:

so dovecot sasl is a good choice.

some people need this if they relay via their ISP/MSP and the latter
requires authentication.

Re: Problem with Zen filtering legit e-mail

By Noel Jones at 01/30/2009 - 12:45

Put permit_mynetworks, permit_sasl_authenticated before the
zen check.
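
The ordering advised above, written out as a main.cf fragment next to the sender-domain whitelist it replaces. This is an added example, not configuration posted by anyone in the thread; the whitelist map path, the use of Dovecot SASL on the private/auth socket, and a working TLS setup are assumptions.

```conf
# /etc/postfix/main.cf (fragment) -- added example, not from the thread

# Weak: whitelist by envelope sender domain. The sender address is
# supplied by the client, so any host listed in Zen can claim the domain
# and skip the DNSBL check. The map path is hypothetical.
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    check_sender_access hash:/etc/postfix/sender_whitelist,
#    reject_unauth_destination,
#    reject_rbl_client zen.spamhaus.org

# Corrected: have Postfix ask the Dovecot auth daemon to verify logins.
# private/auth is relative to the Postfix queue directory and must match
# the auth socket Dovecot is configured to listen on (assumed here).
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Offer AUTH only after STARTTLS so credentials are not sent in clear.
# Assumes TLS certificates are already configured for smtpd.
smtpd_tls_auth_only = yes

# Restrictions are evaluated in order and the first decisive result wins:
# local networks and authenticated users are permitted before the Zen
# lookup runs; everyone else is still checked against it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
```

After reloading Postfix, `postconf -n` shows the effective values, and the laptop's mail client needs SMTP authentication enabled for outgoing mail.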