DevHeads.net

Re: Question about reject_unauthenticated_sender_login_mismatch

OK, I missed the first one in the doc, so it makes sense.

Sorry, I mis-asked the question. When
reject_authenticated_sender_login_mismatch is specified, postfix takes the
MAIL FROM address, looks it up in the smtpd_sender_login_maps table, and
checks to make sure the authenticated sender is in there and the MAIL FROM
address is owned by the authenticated sender.
So....

When a sender is not authenticated, and
reject_unauthenticated_sender_login_mismatch is specified, postfix takes
the MAIL FROM address, looks it up in smtpd_sender_login_maps and if it's
found, the message is rejected?

Essentially the lookup is just for the existence of the MAIL FROM address
in the smtpd_sender_login_maps table?

Am I then correct in concluding that with:

smtpd_sender_restrictions = permit_sasl_authenticated,
reject_authenticated_sender_login_mismatch, reject

that the permit_sasl_authenticated obviates the need for
reject_unauthenticated_sender_login_mismatch?
(as there would never be an unauthenticated sender permitted...)

And am I also correct in concluding that if unauthenticated senders were
allowed (as they would have to be for smtpd to accept messages from the
internet), that reject_unauthenticated_sender_login_mismatch would prevent
any non-authenticated sender from sending a message from (with MAIL FROM)
any address listed in my smtpd_sender_login_maps?

That makes perfect sense.

As you see, I'm more interested in whether
reject_unauthenticated_sender_login_mismatch makes sense at all for my
setup and if so, in which context. If my two conclusions above are correct,
it makes sense on the general access service, but not on the submission
service.

Thank you so much for your help!!

Comments

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victor Duchovni at 01/30/2009 - 11:45

Yes, that's what I said.

Observe that the order of the first two elements is not entirely correct.

Yes, this saves you a table lookup before unauthenticated senders are
rejected outright via "reject".

Yes, that's what I said.

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:46

I think I've misunderstood this again. Here's the behavior I observed:

I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
my master.cf smtp service entry (receiving mail on port 25).

It then rejected all mail. Each message was rejected because the sender was not
authenticated.

This is obviously undesirable behavior for this service, as I will never receive any mail.

The behavior I was seeking was that it would reject messages where the MAIL FROM is one
of the addresses that validly authenticates.

In other words if a spammer were to forge the MAIL FROM address as one of my valid
users, then send the message to that same user or any other user on my server, postfix
would reject it, knowing that that particular address should be sent from a matching
(smtpd_sender_login_maps) authenticated user.

Further, any mail received with a MAIL FROM that is not listed in my
smtpd_sender_login_maps should then be permitted to pass, at least to the next check.

Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior,
is there another way to produce this behavior? (with the obvious corollary - is there any
reason I would not want to do so?)

Thank you!!

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victor Duchovni at 01/30/2009 - 11:46

You should not really expect us to help you with this with no log entries,
associated postconf -n, and actual master.cf entries.

The reject_unauthenticated_sender_login_mismatch feature only rejects
addresses listed in the smtpd_sender_login_maps table:

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
        reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                    "<%s>: Sender address rejected: not logged in", sender));
    }

So either your report is incomplete/inaccurate, or you have managed to
list all the senders you tested in smtpd_sender_login_maps (difficult
with indexed files, easier with regexp tables and SQL lookups).

With false premises you can reach any conclusion.

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:46

I'm always happy to provide whatever might be helpful, and yet always conscious of
excessively long messages. I generally don't post postconf -n in its entirety for that and
disclosure reasons (yes, I'm paranoid). But I try to give the relevant entries and anything
else you think will help.

I am quite certain that my premises are not false. I tested it with senders who I know for a
fact ARE listed in the smtpd_sender_login_maps both as authenticated (they were
accepted) and from another client that did not authenticate (they were properly rejected).

Then I waited for someone else to send mail to one of my users. Here is the log entry that
was produced:

Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 <katie. ... at morris dot com>: Sender
address rejected: not logged in; from=<katie. ... at morris dot com>
to=< ... at userdomain dot tld> proto=SMTP helo=<mail37.messagelabs.com>

only altered to avoid posting one of my users' e-mail addresses and otherwise as logged.
The address logged as "from=<..." is not in my smtpd_sender_login_maps (I looked again
to be sure) and is not a user or sender on my server at all.

The master.cf entry is:

smtp inet n - n - - smtpd
  -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch

that is the only line I used.

I would expect the above-mentioned mail to be permitted, and in other cases I have had
no problems.

Immediately after seeing this in the logs, I removed the "-o
smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch" from my
master.cf entry, and since then no mail has been rejected with a reason of not logged in.

I don't know how else to interpret this behavior, other than to conclude that adding that
line to my master.cf caused the mail to be rejected, which is not what I expected.

Knowing that I cannot determine, apparently, what will be helpful in diagnosing this
behavior or suggesting ways I can achieve the desired behavior, I am posting below my
complete postconf -n (some addresses and sensitive items edited out as noted, but
otherwise unaltered).

I am hoping that you or someone will either identify what I've done wrong or help me find
a way to achieve the desired behavior.

If there is any additional information I have not provided here that would be helpful in
doing one of these two, please ask - I will provide as much as I am able.

Thank you for your help.

--Jeff

postconf -n:

alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = <address hidden>
mail_owner = <postfix user>
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = mysql:/etc/postfix/mysql_mydestination_maps.cf
mydomain = jweinberger.homeip.net
myhostname = jweinberger.homeip.net
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, mysql:/etc/postfix/mysql_relay_domain_maps.cf
relay_recipient_maps =
relayhost = <my relay host>
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = <group name>
smtp_generic_maps = mysql:/etc/postfix/mysql_smtp_generic_maps.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /<path/to>/cacert.pem
smtp_tls_cert_file = /<path/to>/postfix-cert.pem
smtp_tls_key_file = /<path/to>/postfix-key.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_invalid_hostname, reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:2501, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access
    pcre:/etc/postfix/smtpd_sender_restrictions.pcre
smtpd_tls_CAfile = /<path/to>/cacert.pem
smtpd_tls_cert_file = /<path/to>/postfix-cert.pem
smtpd_tls_key_file = /<path/to>/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql_peraddress_transport_maps.cf,
    mysql:/etc/postfix/mysql_virtual_transport_maps.cf
unknown_local_recipient_reject_code = 550
verp_delimiter_filter = -=+
virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 102
virtual_uid_maps = static:102

Re: Question about reject_unauthenticated_sender_login_mismatch

By Noel Jones at 01/30/2009 - 11:46

The map lookup matched on katie. ... at morris dot com.
If you're using SQL for this table, you need to re-examine your query.
Test queries with something like:
postmap -q katie. ... at morris dot com mysql:/path/to/xxx.cf

Note there is a difference between "not found" and an empty response.

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victor Duchovni at 01/30/2009 - 11:46

Spot on!

In most cases Postfix suppresses empty results (and records a warning
in the logs).

I suggested two possibilities (and even hinted at SQL query issues as
a possible cause), you seem to have overlooked the second.

There's the problem. Now test the table as Noel suggested.

$ echo katie. ... at morris dot com |
    postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:46

Noel, Viktor:

I see why you think that - but I did test with postmap -q quite extensively before I added
this, sorry I didn't mention it here.

I just tested again with this result:

% /etc/postfix : postmap -q katie. ... at morris dot com
mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

postmap returned an empty result, which I thought was correct. Should it be returning
something different? If so, what should the result for an address not listed on my server
be?

I appreciate your help and your work to narrow down and isolate the issue here. Thanks!

--Jeff

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victor Duchovni at 01/30/2009 - 11:46

Please use the suggested:

echo <lookup-key> | postmap -q - <table>

form. Also as documented, "smtpd_sender_login_maps" uses additional
lookup keys:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

smtpd_sender_login_maps (default: empty)

Optional lookup table with the SASL login names that own sender
(MAIL FROM) addresses.

Specify zero or more "type:table" lookup tables. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of user@domain:

1) user@domain
This table lookup is always done and has the highest precedence.

2) user
This table lookup is done only when the domain part of the sender
address matches $myorigin, $mydestination, $inet_interfaces
or $proxy_interfaces.

3) @domain
This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either "not found"
or a list of SASL login names separated by comma and/or whitespace.

You need to test the full set of lookup keys (sh, ksh or bash, not csh):

(
  echo morris.com |
    postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf >&2 &&
  echo katie.prevost
  sleep 1
  echo katie. ... at morris dot com
  echo @morris.com
) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

All this assumes that the sender address in question is unmodified...

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:46

Here's some additional information on the issue of not being able to send from outside
my_networks from one authorized address to another:

I restored my master.cf from my latest backup and before I started testing the
reject_(un)authorized...., I had one additional smtpd_sender_restrictions listed:

-o smtpd_sender_restrictions=$submission_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject

in my submission service. It's defined in main.cf as:

submission_sender_restrictions = check_sender_access
    pcre:/etc/postfix/smtpd_sender_restrictions.pcre

smtpd_sender_restrictions.pcre is:

/^(.*)/ PREPEND X-Envelope-Sender: <${1}>

just the one line where I hope I can capture the envelope sender (this is related to an
earlier issue where my spam filter failed to preserve the envelope sender, so this is a
workaround).

When I added this back, all worked fine. If I remove this one restriction
(check_sender_access), I can no longer send.

Is this check_sender_access, because it's not rejecting the sender, allowing it somehow?

I thought this information might be useful or important.

Thanks again!

Re: Question about reject_unauthenticated_sender_login_mismatch

By mouss at 01/30/2009 - 11:46

jeff_homeip wrote:

no. it's more probable that you have errors in your config.

if you think you have a problem with one particular configuration, then
we need to see that configuration, so

1) configure postfix to reproduce the problem
2) restart postfix
3) from now, don't change any setting until the end of this procedure
4) reproduce the problem (test...)
5) if you succeed, send us the
-- contents of master.cf
-- the output of 'postconf -n'
-- the contents of main.cf (to see "custom" variables)

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victor Duchovni at 01/30/2009 - 11:46

6) "postmap -q - <table>" output for all relevant keys in all relevant
tables.
7) verbose logging from the smtpd(8) showing the events that lead
up to reject restriction. Configure via "debug_peer_list" or "-v"
entry in master.cf. It is enough to report just 10-20 lines of
logging above the "reject" event, that demonstrate which restrictions
is being processed and associated table lookup keys and results.

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:46

% /etc/postfix : (

% /etc/postfix :

again, an empty result set.

I'm not sure of all the possible meanings of "All this assumes that the sender address in
question is unmodified..." but I know I've left the sender address untouched and I don't
think I have anything that rewrites the sender address, so as far as I know it's unmodified.

I appreciate you continuing to seek possible causes.

I am having another issue which is not exactly this, but is related to this thread, and I
suspect there may be some relation (I think it's the same thing - getting my restriction
slightly wrong):

Per your and Wietse's suggestions, I changed:

-o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject

in my submission service to:

-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

so that the permit_sasl_authenticated didn't obviate the reject_sender_login_mismatch.

Now I am unable to send mail when authenticated as me with a valid address from a client
outside of my_networks.

My master.cf submission entry is:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

in its unaltered entirety. my postconf -n remains as in the message in this thread of
several hours ago.

The log entry is:

Jan 14 22:10:06 s postfix/smtpd[1557]: NOQUEUE: reject: RCPT from
unknown[32.155.5.72]: 554 5.7.1 < ... at mac dot com>: Relay access denied;
from=< ... at jweinberger dot homeip.net> to=< ... at mac dot com> proto=ESMTP
helo=<[10.97.215.245]>

I am using my mobile phone to test this, but I verified that it is submitting on port 587.

... at mac dot com is another address that is also mine. It is listed as a valid from
address sasl authenticated user in my smtpd_sender_login_maps (so I can send messages
from that when I don't have immediate access to my regular mail client and I'm logged in
as ... at jweinberger dot homeip.net).

If I send to another unrelated address, it works fine, so this is clearly caused by the fact
that the address to which I'm sending is also listed in smtpd_sender_login_maps.

I didn't expect this behavior, but I'm guessing it's what postfix is supposed to do.

Can you explain why this happens? and do you have any suggestions to avoid it?

Thank you again.

Re: Question about reject_unauthenticated_sender_login_mismatch

By Victoriano Giralt at 01/30/2009 - 11:46

I'm not following the thread too deeply, but ...
This points more and more to a map problem.

Have you already shown your map SQL query? If not, doing so might help.

Re: Question about reject_unauthenticated_sender_login_mismatch

By jweinbergerhj at 01/30/2009 - 11:45

thank you for confirming, and allowing my still-growing knowledge of postfix to confirm
your answers. this will help quite a lot!

Re: Question about reject_unauthenticated_sender_login_mismatch

By mouss at 01/30/2009 - 11:45

jeff_homeip wrote:

I hope you didn't miss this.

in your restrictions, reject_authenticated_* is useless, because
authenticated transactions have been permitted by permit_sasl_authenticated.

or did you mean reject_UNauthenticated_*?

to sum up:

- if ... at example dot com can only be used by user 'foo', then use
reject_sender_login_mismatch.

- if ... at example dot com must be authenticated (but you don't care who the
user is), then use reject_unauthenticated_*

- if ... at example dot com can be used (without auth) OR (if auth'ed, the user
must be 'foo'), then use reject_authenticated_*.

<advanced> (skip if not confident...)
you can implement this on a per sender basis using a check_sender_access
with a map that returns one of the above depending on the sender.

for example:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/access_sender_login

== access_sender_login:
... at example dot com reject_sender_login_mismatch
... at example dot com reject_authenticated_sender_login_mismatch
... at example dot com reject_unauthenticated_sender_login_mismatch
... at example dot com DUNNO
example.com reject_sender_login_mismatch
</advanced>
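
The lookup-key order quoted from the smtpd_sender_login_maps documentation, the three sender-login restrictions and the effect of restriction order discussed in this thread can be modelled as follows. This is an added example, not Postfix code and not something posted by the participants; the addresses, the logins (jeff, mallory, listadmin), LOCAL_DOMAINS and broad_table are constructed, and broad_table stands in for any regexp or SQL map that answers for every key.

```python
import re

# Constructed sample table: sender address (or partial key) -> owning SASL logins.
LOGIN_MAP = {"jeff@example.com": "jeff", "@lists.example.com": "listadmin, jeff"}
LOCAL_DOMAINS = {"example.com"}  # assumption: domains matching $myorigin/$mydestination

MISMATCH = "reject_sender_login_mismatch"
AUTH_ONLY = "reject_authenticated_sender_login_mismatch"
UNAUTH_ONLY = "reject_unauthenticated_sender_login_mismatch"


def broad_table(key):
    """Constructed stand-in for a map whose pattern or query matches every key."""
    return "jeff"


def lookup_keys(sender):
    """Keys tried for user@domain, in the documented order of precedence."""
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain.lower() in LOCAL_DOMAINS:
        keys.append(user)
    keys.append("@" + domain)
    return keys


def owners(sender, table):
    """Owning logins for the sender, or None when every key is "not found"."""
    for key in lookup_keys(sender):
        value = table(key)
        if value:  # this model treats an empty result like "not found"
            return [n.lower() for n in re.split(r"[,\s]+", value.strip()) if n]
    return None


def check(restriction, sender, login, table):
    """One restriction: 'REJECT: ...', 'PERMIT', or None for no decision."""
    own = owners(sender, table)
    if restriction in (MISMATCH, UNAUTH_ONLY) and login is None and own is not None:
        return "REJECT: not logged in"
    if (restriction in (MISMATCH, AUTH_ONLY) and login is not None
            and login.lower() not in (own or [])):
        return "REJECT: not owned by user " + login
    if restriction == "permit_sasl_authenticated" and login is not None:
        return "PERMIT"
    if restriction == "reject":
        return "REJECT: access denied"
    return None


def evaluate(restrictions, sender, login, table):
    """The first decisive restriction wins; no objection at the end permits."""
    for restriction in restrictions:
        verdict = check(restriction, sender, login, table)
        if verdict:
            return verdict
    return "PERMIT"


if __name__ == "__main__":
    for table in (LOGIN_MAP.get, broad_table):
        # Unauthenticated outside sender on the port 25 service.
        print(evaluate([UNAUTH_ONLY], "katie@remote.example", None, table))
```

With the exact table the outside sender passes; with the map that answers for every key the same restriction rejects every unauthenticated sender as "not logged in".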