
I have a functioning postfix server that uses smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

I am trying to put this behind an LB. When I telnet or openssl to the virtual IP in my LB I can EHLO and STARTTLS and exchange my user/pw. My SASL authentication uses the local logins. So, I know that I can get through the LB to the postfix relay server.

When I send an email to the virtual IP, it fails permit_sasl_authenticated. I think the email request is establishing a proper TLS tunnel. I see log info indicating such:

    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: SSL_accept:SSLv3/TLS write finished
    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: Anonymous TLS connection established from lb2-float.mgmt.domain.edu[IP here]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

I also see an EHLO from the email client; however, that may be the load balancer passing off the EHLO to the postfix server.

Then it starts recipient restrictions and I get this:

    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: >>> START Recipient address RESTRICTIONS <<<
    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated
    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated status=0
    Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_mynetworks

Why does it not pass permit_sasl_authenticated when it comes through the LB? I want sasl_authentication first to authenticate based on user/password, then fall back to permit_mynetworks. By the way, if I put the LB IP in the mynetworks list, permit_mynetworks passes. However, I want sasl_authenticated to take priority.

Is there another postfix configuration I need to set, something about inet_interfaces, even though I have inet_interfaces = all?

Thanks in advance for any suggestions.

  • I eventually figured this out... In an effort to test the flow of control when an email client can or cannot do the SASL authentication, I deleted the saslauth.db file (the postmap output of my acct/pw). This broke the SMTP protocol flow of control because it wanted to send the file but there wasn't one. So, instead I commented out the servername user:pw and rebuilt the postmap file. – NotACreativeName Nov 17 '21 at 21:31
  • I also ran into this problem/concern ... my original postfix relay was postfix-svr, and to load balance it I cloned/renamed the original so I had postfix-server1 & postfix-server2 as the two members in my F5 pool, but this creates a problem of the email client sending the SASL credentials to postfix-server-name, and this now fails PAM-SASL authentication after the email pkg is forwarded from F5 to one of the pool members... When I changed the SASL credential file to postfix-server* login:pw, it happily accepted the credentials. But I have to reconfigure each email client :-( – NotACreativeName Nov 17 '21 at 21:42
  • No one else seems to have anything to offer here. Either I am bleeding-edge, or hopelessly behind the times, or I don't know how to ask a proper question... – NotACreativeName Nov 17 '21 at 21:44
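The restriction trace in the question is easier to read once the status codes are known. As an added example that is not part of the original post and not Postfix's own code, the following Python script groups verbose smtpd log lines by process id and reports, per session, the TLS line, whether a "235" reply to AUTH was logged, and which entry of smtpd_relay_restrictions made the decision. The log lines embedded in it are constructed for the example (the host names and the 192.0.2.10 address are placeholders); the status values 0/1/2 are the DUNNO/OK/REJECT results that Postfix's smtpd_check.c logs.

```python
"""Triage a verbose Postfix smtpd restriction trace (added example, not Postfix code).
Sessions are grouped by smtpd pid.  Per session: the TLS line, whether a "235" AUTH
reply was logged, and the generic_checks results.  Status values are the ones
smtpd_check.c logs: 0 = DUNNO (no decision), 1 = OK (permit), 2 = REJECT."""
import re
from dataclasses import dataclass, field

STATUS_NAMES = {0: "DUNNO", 1: "OK", 2: "REJECT"}

# The service name may be "smtpd" or "smtp/smtpd" as in the post; capture pid and message.
LINE_RE = re.compile(r"postfix/(?:[\w-]+/)*smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_RE = re.compile(r"^(?P<kind>\w+) TLS connection established from (?P<peer>\S+): "
                    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
CHECK_RE = re.compile(r"^generic_checks: name=(?P<name>\S+) status=(?P<status>\d)$")
AUTH_OK_RE = re.compile(r"^> \S+: 235 ")        # smtpd's reply to a successful AUTH
ANON_CIPHER_RE = re.compile(r"^A(?:EC)?DH-")    # OpenSSL ADH-*/AECDH-*: no certificate used at all

# Constructed sample (host names and 192.0.2.10 are placeholders, not data from the post).
SAMPLE_LOG = """\
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: Anonymous TLS connection established from lb2-float.mgmt.example.edu[192.0.2.10]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: >>> START Recipient address RESTRICTIONS <<<
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated status=0
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_mynetworks
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_mynetworks status=0
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=reject_unauth_destination
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: generic_checks: name=reject_unauth_destination status=2
Nov 10 14:07:43 relay1 postfix/smtp/smtpd[4793]: >>> END Recipient address RESTRICTIONS <<<
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: Anonymous TLS connection established from lb2-float.mgmt.example.edu[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: > lb2-float.mgmt.example.edu[192.0.2.10]: 235 2.7.0 Authentication successful
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: >>> START Recipient address RESTRICTIONS <<<
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: generic_checks: name=permit_sasl_authenticated
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: generic_checks: name=permit_sasl_authenticated status=1
Nov 10 14:09:01 relay1 postfix/smtp/smtpd[4811]: >>> END Recipient address RESTRICTIONS <<<
"""


@dataclass
class Session:
    pid: str
    peer: str = ""
    tls_kind: str = ""      # leading word of the TLS line; on smtpd it describes the CLIENT certificate
    cipher: str = ""
    authenticated: bool = False
    checks: list = field(default_factory=list)   # (restriction, status) in evaluation order

    def anonymous_cipher(self) -> bool:
        """ADH/AECDH suite: no certificate on either side, so the sender never verified this server."""
        return bool(ANON_CIPHER_RE.match(self.cipher))

    def decision(self):
        """First restriction that returned OK or REJECT, or None if every entry said DUNNO."""
        for name, status in self.checks:
            if status != 0:
                return name, STATUS_NAMES[status]
        return None


def parse_sessions(text: str) -> dict:
    """Map smtpd pid -> Session built from the lines that belong to that process."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], Session(m["pid"]))
        msg = m["msg"]
        if t := TLS_RE.match(msg):
            s.peer, s.tls_kind, s.cipher = t["peer"], t["kind"], t["cipher"]
        elif c := CHECK_RE.match(msg):
            s.checks.append((c["name"], int(c["status"])))
        elif AUTH_OK_RE.match(msg):
            s.authenticated = True
    return sessions


def explain(s: Session) -> str:
    """One-session verdict, spelling out why permit_sasl_authenticated fell through."""
    out = [f"smtpd[{s.pid}] peer={s.peer or 'unknown'}"]
    if s.tls_kind:
        # On the server side "Anonymous" only means the client sent no certificate, which is
        # normal for a submission client; the cipher name says whether the server was authenticated.
        out.append(f"  TLS: {s.tls_kind} (client certificate status), cipher {s.cipher}")
        if s.anonymous_cipher():
            out.append("  WARNING: anonymous key exchange, the sender did not verify this relay; "
                       "an AUTH password on this session is exposed to an active MITM")
    else:
        out.append("  TLS: no handshake logged")
    out.append("  AUTH: " + ("235 reply seen, session is SASL-authenticated" if s.authenticated
                             else "no 235 reply seen, session is not SASL-authenticated"))
    out += [f"  {name} -> {STATUS_NAMES[status]}" for name, status in s.checks]
    if ("permit_sasl_authenticated", 0) in s.checks and not s.authenticated:
        out.append("  permit_sasl_authenticated returned DUNNO because no AUTH succeeded on this "
                   "connection: check that the sender sends AUTH for the name it connects to "
                   "(a Postfix client's smtp_sasl_password_maps is keyed by that destination name)")
    d = s.decision()
    out.append(f"  decision: {d[0]} -> {d[1]}" if d else "  decision: none (every entry said DUNNO)")
    return "\n".join(out)


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_LOG).values():
        print(explain(sess))
```

Feed it the smtpd lines from the mail log after turning on verbose logging for the smtpd service (adding -v to its master.cf entry is the standard Postfix way). In the question's trace, status=0 on permit_sasl_authenticated means that restriction made no decision because the session was not SASL-authenticated when RCPT was evaluated, which is consistent with the comments' finding that the sender's credential entry did not match the name it was connecting to. Two things in the TLS line are worth separating: the leading "Anonymous" is the normal label on smtpd for a client that presented no certificate, while the AECDH cipher is the real warning, since an anonymous suite means no certificate was used at all and the sender did not authenticate the relay before handing it a password.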

0 Answers