tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

Sender dependent authentication #7

Closed jamenlang closed 3 years ago

jamenlang commented 3 years ago

I was looking for a way to set up something like this https://gist.github.com/zmwangx/2c56aa32be68daf48c2f

I'd like to set up one relay server with multiple accounts defined in sasl_passwd (and /etc/tokens) and have the messages sent out of the correct account when they come in.

I tried it like it's outlined in that document. The catch-all account [smtp.gmail.com]:587 works every time, but if the sender matches an entry above that line then I get

SASL authentication failure: no worthy mechs found, then SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.196.108]: no mechanism available

tarickb commented 3 years ago

Can you share the contents of your config files (with email addresses, etc. redacted)?

jamenlang commented 3 years ago

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_security_level=may
smtpd_use_tls=yes
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_use_tls=yes
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = xoauth2
smtp_tls_security_level = encrypt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database=btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = relay.city
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = relay.[mylocaldomain], relay, localhost.[mylocaldomain], localhost.localdomain, , localhost
relayhost = 
relay_domains = [mytlddomain]
mynetworks = [mynetwork1] [mynetwork2] 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
myorigin = /etc/mailname

/etc/postfix/sasl_passwd

special_account1@[mytlddomain] special_account1@[mytlddomain]:/etc/tokens/special_account1@[mytlddomain]
special_account2@[mytlddomain] special_account2@[mytlddomain]:/etc/tokens/special_account2@[mytlddomain]

[smtp.gmail.com]:587 generic_account@[mytlddomain]:/etc/tokens/generic_account@[mytlddomain]

/etc/postfix/sender_relay

special_account1@[mytlddomain] [smtp.gmail.com]:587
special_account2@[mytlddomain] [smtp.gmail.com]:587

tarickb commented 3 years ago

I don't see anything obviously wrong in the configs. Do you have logs you can provide?

jamenlang commented 3 years ago

I thought for sure that something would need to be changed to support the user@domain user@domain:path syntax in sasl_passwd.

I'll email the raw syslog entries.

jamenlang commented 3 years ago

I'm happy to report that this does work as intended with correctly formed sasl_xoauth2.conf and some chroot modifications.

Adding these here before I forget:

$ sudo mkdir -p /var/spool/postfix/etc/ssl/certs
$ sudo cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

symlinking doesn't seem to work.
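
The two things this thread turns on are the order in which Postfix consults sasl_passwd when smtp_sender_dependent_authentication is on (sender address first, then the next-hop destination) and the fact that a chrooted smtp client only sees files that physically live under the queue directory. The script below is an added example, not code from the sasl-xoauth2 project or from anyone in this thread. It assumes a Debian-style chrooted smtp client under /var/spool/postfix, uses constructed maps in the example.test domain shaped like the ones posted above, and simplifies the Postfix lookup to the sender and exact next-hop keys (the hostname-only fallback keys are omitted). Its audit emulates one delivery per sender, resolves the token file the plugin would open, and flags tokens or CA bundles that are missing or symlinked from inside the chroot.

```python
"""Audit Postfix sender-dependent XOAUTH2 relay settings (added example).

Sender key first, then next-hop key, as Postfix documents for
smtp_sasl_password_maps with smtp_sender_dependent_authentication = yes;
then verify each needed file really exists under the chroot.
"""
import os
import tempfile

# Constructed sample maps (example.test domain and token names are assumptions).
SENDER_RELAY = """
special_account1@example.test   [smtp.gmail.com]:587
special_account2@example.test   [smtp.gmail.com]:587
"""

SASL_PASSWD = """
special_account1@example.test  special_account1@example.test:/etc/tokens/special_account1
special_account2@example.test  special_account2@example.test:/etc/tokens/special_account2
[smtp.gmail.com]:587           generic_account@example.test:/etc/tokens/generic_account
"""

def parse_map(text):
    """Parse a Postfix hash: table source: 'key value' lines, '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {line!r}")
        table[parts[0]] = parts[1]
    return table

def next_hop(sender, sender_relay, relayhost=""):
    """sender_dependent_relayhost_maps wins over the global relayhost."""
    return sender_relay.get(sender, relayhost)

def credentials(sender, nexthop, sasl_passwd, sender_dependent=True):
    """Return the (username, token_path) pair Postfix would hand to the plugin.

    Sender key is tried first only when sender-dependent auth is on; the
    destination key is the fallback. Split at the FIRST colon because for
    sasl-xoauth2 the 'password' field is a filesystem path.
    """
    entry = sasl_passwd.get(sender) if sender_dependent else None
    if entry is None:
        entry = sasl_passwd.get(nexthop)
    if entry is None:
        return None
    user, sep, token_path = entry.partition(":")
    if not sep:
        raise ValueError(f"credential for {sender!r} lacks the ':' separator")
    return user, token_path

def chroot_view(path, queue_directory):
    """Host path that a process chrooted into queue_directory opens for path."""
    return os.path.join(queue_directory, path.lstrip("/"))

def audit_file(path, queue_directory):
    """Return a problem string, or None if the chrooted client can read path."""
    inside = chroot_view(path, queue_directory)
    if os.path.islink(inside):
        # Inside the chroot an absolute link target is resolved under the
        # queue directory, so a link to the real /etc file points nowhere.
        return f"{inside} is a symlink to {os.readlink(inside)}; dangling inside the chroot"
    if not os.path.isfile(inside):
        return f"{inside} missing; copy {path} into the chroot"
    return None

def audit(senders, sender_relay, sasl_passwd, queue_directory, relayhost="", extra_files=()):
    """Emulate one delivery per sender and collect every misconfiguration."""
    problems = []
    for sender in senders:
        hop = next_hop(sender, sender_relay, relayhost)
        if not hop:
            problems.append(f"{sender}: no relay host, mail would go direct to MX")
            continue
        cred = credentials(sender, hop, sasl_passwd)
        if cred is None:
            problems.append(f"{sender}: no SASL entry for {sender} or {hop}")
            continue
        problem = audit_file(cred[1], queue_directory)
        if problem:
            problems.append(f"{sender}: {problem}")
    for path in extra_files:  # e.g. the CA bundle named by smtp_tls_CAfile
        problem = audit_file(path, queue_directory)
        if problem:
            problems.append(problem)
    return problems

def build_sample_chroot(queue_dir):
    """Constructed fixture: token 1 copied in, token 2 symlinked, token 3 absent."""
    tokens = os.path.join(queue_dir, "etc", "tokens")
    os.makedirs(tokens)
    with open(os.path.join(tokens, "special_account1"), "w") as fh:
        fh.write('{"access_token": "placeholder"}\n')
    os.symlink("/etc/tokens/special_account2", os.path.join(tokens, "special_account2"))

def demo():
    """Run the audit against a throwaway chroot; returns the list of problems."""
    senders = ["special_account1@example.test", "special_account2@example.test",
               "unknown@example.test"]
    with tempfile.TemporaryDirectory() as queue_dir:
        build_sample_chroot(queue_dir)
        return audit(senders, parse_map(SENDER_RELAY), parse_map(SASL_PASSWD),
                     queue_dir, relayhost="[smtp.gmail.com]:587",
                     extra_files=["/etc/ssl/certs/ca-certificates.crt"])

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it reports the symlinked token for special_account2, the absent generic token for the catch-all sender, and the absent CA bundle, while the copied token for special_account1 passes; pointing queue_directory at a real /var/spool/postfix and the maps at the real files turns it into a pre-flight check for the chroot copies this thread ends on.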

tarickb commented 3 years ago

Yeah, symlinking doesn't let you break out of the chroot jail, sadly. I've updated the README with a note on SSL certs and chroot.