
Is it possible to configure SMTP authentication on Postfix with different user/pass credentials for different domains?

So, I have an MTA that relays emails from ~20 different domains. When sending emails to a specific domain, say example.com, my MTA has to authenticate. No problem, this solved the problem: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html

But, I have a different account for every sender domain. So, when mydomain1.com sends email to example.com, it uses one account. Another one for mydomain2.com -> example.com etc.

Is this achievable through Postfix?

kreso

1 Answer


You should read up a bit on this option: smtp_sender_dependent_authentication. With that and two other related DB mappings, sender_dependent_relayhost_maps and smtp_sasl_password_maps, you can create per-sender password entries.

In the sender_dependent_relayhost maps, you map username@domain [smtp_host], and in the smtp_sasl_password maps, you map email user:password or domain user:password (whatever those might be). These are classic Postfix lookup tables; they can be in mysql, dbm, hash, etc.

With a combination of mysql and some duplication, you could quite possibly do what you want.

You could make a table with 4 fields (email, smtp_relay, user, password), then have Postfix look up the email and smtp_relay for the sender_dependent_relayhost_maps, then email user:password for smtp_sasl_password_maps. This would have to be populated with each email address that has to relay, each server that you relay through, and each user:password combo for the authentication.

NickW
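The four-field table the answer describes, rendered into the two lookup tables, as an added example that is not part of the original answer. The file paths, sample rows and helper names are assumptions, and flat `hash:` maps stand in for the MySQL table.

```python
import os
import re

# main.cf settings for per-sender SASL credentials (file paths are assumptions).
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

# Constructed sample rows: (email, smtp_relay, user, password).
ROWS = [
    ("alice@mydomain1.com", "[smtp.example.com]:587", "acct-domain1", "s3cret:one"),
    ("Bob@mydomain2.com", "[smtp.example.com]:587", "acct-domain2", "pw-two"),
]

SENDER = re.compile(r"[^\s#@][^\s@]*@[^\s@]+")  # one '@', no whitespace, not a comment

def validate(row):
    """Reject values that would corrupt a 'key whitespace value' table line."""
    email, relay, user, password = row
    if not SENDER.fullmatch(email):
        raise ValueError(f"bad sender key: {email!r}")
    if not relay or re.search(r"\s", relay):
        raise ValueError(f"bad relay: {relay!r}")
    if not user or ":" in user or re.search(r"\s", user):
        raise ValueError(f"bad user name: {user!r}")  # first ':' ends the user name
    if not password or password != password.strip() or re.search(r"[\r\n]", password):
        raise ValueError("password cannot be written on one table line")
    return email.lower(), relay, user, password  # keys are written in lower case

def render_maps(rows):
    """Return (sender_relay text, sasl_passwd text), both keyed by sender address."""
    rows = [validate(r) for r in rows]
    relay = "".join(f"{e}\t{r}\n" for e, r, _, _ in rows)
    passwd = "".join(f"{e}\t{u}:{p}\n" for e, _, u, p in rows)
    return relay, passwd

def write_private(path, text):
    """Write a credentials file readable and writable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

if __name__ == "__main__":
    relay_map, passwd_map = render_maps(ROWS)
    print(MAIN_CF, relay_map, passwd_map, sep="\n")
```

After writing the two files, run `postmap` on each and reload Postfix so the indexed tables are picked up.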
  • Very good answer, but you could have linked the official SOHO configuration readme ;-) http://www.postfix.org/SOHO_README.html#client_sasl_sender – Stefan Förster Jan 08 '14 at 06:58
  • @StefanFörster Yeah, but I wanted to explain the slightly different logic you would have to use to solve his situation, as not only does he have multiple relays, but each from domain needs a different account to send with.. it feels a bit cheap to write look at this, but change here, here and here :) – NickW Jan 08 '14 at 09:10
  • @NickW -- thanks for the answer. Could wildcards be used? Like, *@mydomain1.com, *@mydomain2.com etc. Because there are hundreds of mail addresses and dozens of domains. Only one destination mail server. User accounts on destination servers are 1:1 for domain:account. Users need to authenticate *only when sending emails to a single exact mail server. When sending to other mail addresses, no need for authentication. – kreso Jan 08 '14 at 10:13
  • As far as I know, you should be able to use them, have a look at the pcre: maps.. http://www.postfix.org/pcre_table.5.html – NickW Jan 08 '14 at 10:25
  • This probably isn't what I'm looking for. If I'm not mistaken, sender_dependent_relayhost_maps would just say that all emails from sender@domain1.com are being relayed to smtp_host. What I'd need is, if there is mail from ANY_USER@domain1.com, being sent to smtphost.address.com, then authenticate using account domain1.com|password1. All other emails should just be relayed based on MX records. – kreso Jan 08 '14 at 10:26
  • There is some of that, the classic relay host parameter would be better, `example.com [smtp.example.com]` would say mail to example.com gets relayed there, then you enable the `smtp_sasl_password` maps with a pcre: table, and use `*mydomain1.com user:password`... I think that should work, at first I was under the impression you had multiple relays, and multiple users per from domain :) – NickW Jan 08 '14 at 10:34
  • Multiple users on multiple domains, but one relay host as a mail gateway. If any user sends email only to @example.com, it has to authenticate at mail server for example.com, but with credentials for his domain. I'll play around a bit, and see if I can work it out with your tips. – kreso Jan 08 '14 at 10:41
  • Sorry, when I stated relay_host parameter, I was thinking relay_transport which uses the `example.com smtp:[stmtp.example.com]` syntax, and the example.com domain would have to be listed in the `$relay_domains` parameter. The only question is if the `smtp_sasl_password` would try and use those credentials always.. – NickW Jan 08 '14 at 11:01
  • BTW, I'd tell the admin of example.com that he's a real jerk, I can understand the necessity of SASL for relaying through the server, but just to send mail TO the server? Dick move. – NickW Jan 08 '14 at 12:56
  • Yeah, solved the part about using one account for all senders on one domain, but cannot figure out how to limit SMTP authentication for only one relay server... (regarding dick moves, it's a commercial service, so that's why) – kreso Jan 08 '14 at 13:28
  • As it's a commercial service, you couldn't possibly work it out with them to provide you with a single account for your server could you? – NickW Jan 08 '14 at 13:55
  • Unfortunately no. Multiple companies (==domains), multiple accounts. One mail gateway. – kreso Jan 08 '14 at 14:00
  • Another option I can think of might be to create a second server instance which just does normal relaying, and use that as the default relay, set it up to only accept mail from your server, using the user:password combos.. – NickW Jan 08 '14 at 15:05
  • Can't, for multiple reasons... Postfix is here just an MTA bundled with another product that's used as mail gateway. Anyways, thanks for the effort, even if we didn't find a solution. – kreso Jan 09 '14 at 15:28
  • Sorry I wasn't able to offer you a better solution, but smtp auth just isn't designed to work like that (and example.com are breaking things). – NickW Jan 09 '14 at 15:33
  • No problem, but perhaps you can help me with making a workaround: would it be possible to rewrite sender addresses when recipient is example.com? I'm thinking it would be acceptable to rewrite sender addresses to for-example@domain[N].com, and then use SMTP auth profiles using configuration @Stefan Förster linked earlier. – kreso Jan 09 '14 at 15:56