tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

Postfix, xoauth and plain different depending on user. #73

Closed YGGrAGcTtp closed 1 year ago

YGGrAGcTtp commented 1 year ago

Thanks for your great work!

I got this working nicely using Office365, however I have some accounts which need to use xoauth2 while others still need to use plain authentication.

Is there a way in Postfix to use sasl-xoauth2 for single users only, while others keep using PLAIN authentication?

Kind Regards,

Ek

tarickb commented 1 year ago

I'm not sure I entirely understand what you mean by "users" in this context. Are you trying to configure different relay hosts in Postfix, some of which require XOAUTH2 (like Outlook) and some that don't support it? In principle this should "just work" if you set smtp_sasl_mechanism_filter correctly (see the README) because Postfix will fall back to another auth mechanism if XOAUTH2 isn't supported by the server.

Would you be open to sharing the config files for what you've tried so far (with sensitive parts redacted of course)?

YGGrAGcTtp commented 1 year ago

Many thanks for your response and sorry, it's hard to use the correct terminology :). The challenge I have is to support 2 relays to office365, 1 using xoauth2 and another using plain authentication.

Snippet of relevant main.cf code, xoauth2 currently disabled:

```
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access

sender_dependent_default_transport_maps = hash:/etc/postfix/relay_by_sender

smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = !xoauth2, static:rest
smtp_sender_dependent_authentication = yes
```

relay_by_sender:

```
@domaina.com            smtp:[a.domain.com]
@domainb.com            smtp:[b-out.mailcontrol.com]
@domainc.com            smtp:[externalrelay.something.com]:587
mail@domainx.com        smtp:[smtp.office365.com]:587
firstname@lastname.com  smtp:[smtp.office365.com]:587
```

sasl_passwd:

```
mail@domainx.com          mail@domainx.com:adfasfxcvdafdfzxv
[smtp.office365.com]:587  firstname@lastname.com
firstname@lastname.com    firstname@lastname.com:/etc/tokens/firstname@lastname.com
```

If I enable xoauth2, authentication for the account mail@domainx.com is also attempted using xoauth2. This is causing a failure for that account.

I was hoping there would be an option to explicitly set the authentication method for a "relay" entry.

Ideally I would configure all relay accounts to use xoauth2; unfortunately, not all are under my control :(.

Please let me know if anything is unclear!

tarickb commented 1 year ago

Thanks for the clarification -- I think I understand what you're trying to do now. I poked around the Postfix and Cyrus SASL codebases to try to figure out if there's a way for a SASL plugin (like sasl-xoauth2) to indicate that it's incapable of authenticating with a server after it's been selected by the mail server as the best choice. I figured I could leverage that to then tweak the plugin to sometimes have it give up early so that Postfix would fall back to PLAIN or whatever. Unfortunately, it looks like that's not possible.

YGGrAGcTtp commented 1 year ago

Many thanks for looking into this, much appreciated. I kinda came to the same conclusion unfortunately.
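One way to pin the SASL mechanism per relay entry on the Postfix side rather than inside the plugin, as an added example that is not from this thread or the sasl-xoauth2 project: a second master.cf delivery transport (named o365oauth here, an assumed name) that overrides smtp_sasl_mechanism_filter to allow only XOAUTH2, while the default smtp transport keeps the `!xoauth2` filter for the PLAIN accounts. It assumes the map paths from the configuration posted above and Postfix's standard per-service `-o` parameter overrides; the password is a placeholder.

```conf
# /etc/postfix/main.cf (relevant part)
# Default smtp transport: XOAUTH2 is never offered, so PLAIN/LOGIN accounts
# cannot be pushed into an OAuth attempt even if the server advertises it.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = !xoauth2, static:rest
smtp_sender_dependent_authentication = yes
sender_dependent_default_transport_maps = hash:/etc/postfix/relay_by_sender

# /etc/postfix/master.cf
# service   type  private unpriv chroot wakeup maxproc command + args
smtp        unix  -       -      n      -      -       smtp
# Dedicated transport for OAuth senders (assumed name: o365oauth).
# Only XOAUTH2 is allowed here, so a token problem fails loudly in the log
# instead of silently falling back to a password mechanism.
o365oauth   unix  -       -      n      -      -       smtp
  -o syslog_name=postfix/o365oauth
  -o smtp_sasl_mechanism_filter=xoauth2

# /etc/postfix/relay_by_sender  (run: postmap /etc/postfix/relay_by_sender)
# PLAIN account stays on the default transport, OAuth account goes to o365oauth.
mail@domainx.com         smtp:[smtp.office365.com]:587
firstname@lastname.com   o365oauth:[smtp.office365.com]:587

# /etc/postfix/sasl_passwd  (run: postmap /etc/postfix/sasl_passwd; chmod 600)
# With smtp_sender_dependent_authentication = yes the sender address is the
# lookup key, so each relay entry selects its own credential.
mail@domainx.com         mail@domainx.com:PLACEHOLDER_PASSWORD
firstname@lastname.com   firstname@lastname.com:/etc/tokens/firstname@lastname.com
```

After `postfix reload`, `postconf -P o365oauth/unix/smtp_sasl_mechanism_filter` shows the override applied to the new transport only, and the postfix/o365oauth syslog prefix separates its authentication failures from those of the default transport.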