Using auth to allow relaying on a Postfix gateway (null client) setup

Discussion in 'HOWTO-Related Questions' started by AlxRogan, Feb 6, 2007.

  1. AlxRogan

    AlxRogan New Member

    Hi

    First off, thanks much to everyone that contributed to the http://www.howtoforge.com/postfix_antispam_mailscanner_clamav_ubuntu article. I have everything up and working great as a postfix gateway to an internal mail server. One thing I have been searching for, though, I have not been able to find. Is it possible for a postfix installation running with a blank mydestination entry to either:

    1) relay to an outside network, i.e. not one listed in in the relayhost entry for users that successfully smtp auth. Basically setup postfix to relay mail to the internal server, EXCEPT for someone who can smtp auth. Those users can relay to wherever.

    2) pass those smtp auth credentials to the internal mail server so that it can see a valid auth to send outside the domain?

    I do have auth working and tested, as well as the relaying to the proper internal mail server. I just need some guidance about letting users relay outside with the proper authorization.

    Thanks,
    Alx

    EDIT: Here is my /etc/postfix/main.cf which has been sanitized
    alias_maps = hash:/etc/aliases
    myorigin = test.com
    myhostname = spam-gw.test.com
    mynetworks = 127.0.0.0/8, 10.0.0.0/24, 192.168.0.1/28
    message_size_limit = 10485760
    local_transport = error:No local mail delivery
    mydestination =
    local_recipient_maps =
    virtual_alias_maps = hash:/etc/postfix/virtual
    relayhost = [mail.test.com]
    relay_recipient_maps = hash:/etc/postfix/relay_recipients
    transport_maps = hash:/etc/postfix/transport
    relay_domains = hash:/etc/postfix/relay_domains
    recipient_delimiter =
    smtpd_sasl_auth_enable = yes
    smtpd_helo_required = yes
    broken_sasl_auth_clients = yes
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, permit_sasl_authenticated
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    header_checks = pcre:/etc/postfix/header_checks
    body_checks = pcre:/etc/postfix/body_checks
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
     
    Last edited: Feb 6, 2007
  2. AlxRogan

    AlxRogan New Member

    Think I fixed it

    Sorry for the poor form in replying to my own post, but I think I got it working, and in case someone else can use it, here it is.

    http://stoilis.blogspot.com/2005/09/postfix-smtp-authentication-against.html I used this page to configure saslauthd to do IMAP authentication against the internal mail server. I also removed the relayhost directive in the main.cf.

    http://www.postfix.org/SASL_README.html then I did some checking against the Postfix documentation and enabled the Sasl for the right recepients.

    Below is the main.cf that seems to work. Only authenticated users can send mail outside the domain, everyone else can send mail to the proper domain.

    [email protected]:/etc/postfix# cat main.cf
    smtpd_banner = $myhostname ESMTP $mail_name
    alias_maps = hash:/etc/aliases
    myorigin = test.com
    myhostname = gw.test.com
    mynetworks = 127.0.0.0/8, 192.168.0.0/24
    message_size_limit = 10485760
    local_transport = error:No local mail delivery
    mydestination =
    local_recipient_maps =
    virtual_alias_maps = hash:/etc/postfix/virtual
    relayhost =
    relay_recipient_maps = hash:/etc/postfix/relay_recipients
    transport_maps = hash:/etc/postfix/transport
    relay_domains = hash:/etc/postfix/relay_domains
    recipient_delimiter =
    smtpd_sasl_auth_enable = yes
    smtpd_helo_required = yes
    broken_sasl_auth_clients = yes
    smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
    smtpd_data_restrictions = reject_unauth_pipelining
    header_checks = pcre:/etc/postfix/header_checks
    body_checks = pcre:/etc/postfix/body_checks
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    Anyway, thanks again for the great work and apologies for the clutter.

    Alx
     

Share This Page