The two authentications are independent.
You enable Exim to authenticate on outgoing connections with a client authenticator. You will need to configure a line in the Exim passwd.client file for each server you need to authenticate to. The man page for exim_passwd_client describes the format of the password file.
Incoming authentication is done with a server authenticator. These are likely commented out in the default configuration. The man page for exim_passwd describes the passwd file. You should consider enabling TLS on the submission port (587) for users to send messages. The following macros at the start of the file should enable incoming authentication:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 587
To allow authenticated users to send outgoing mail you will need to accept the connections at certain points. Where your configuration has a rule to handle local senders like:
accept
hosts = +relay_from_hosts
control = submission/sender_retain
Add a rule like:
accept
authenticated = *
control = submission/sender_retain
You can use reject_authenticated_sender_login_mismatch.
Make users for testing:
# saslpasswd2 -c -u example.net user1
# saslpasswd2 -c -u example.com user2
# sasldblistusers2
user2@example.com: userPassword
user1@example.net: userPassword
Do some basic tests. As you can see, without reject_authenticated_sender_login_mismatch the user can use whatever he wants in MAIL FROM:
# echo "Hello world" | swaks -s 127.0.0.1 --from user1@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<user1@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 20:53:45 +0000
-> To: user2@example.com
-> From: user1@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as E1D3D406CC
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep E1D3D406CC /var/log/maillog
Feb 25 20:53:45 svn postfix/smtpd[56996]: E1D3D406CC: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:53:45 svn postfix/cleanup[56999]: E1D3D406CC: message-id=<20160225205345.E1D3D406CC@mail.example.net>
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: from=<user1@example.net>, size=416, nrcpt=1 (queue active)
Feb 25 20:53:45 svn postfix/local[57000]: E1D3D406CC: to=<user2@example.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: removed
# echo "Hello world" | swaks -s 127.0.0.1 --from non_exist-reply@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<non_exist_user@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 20:55:13 +0000
-> To: user2@example.com
-> From: non_exist_user@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as 94CBF4076C
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep 94CBF4076C /var/log/maillog
Feb 25 20:55:13 svn postfix/smtpd[56996]: 94CBF4076C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:55:13 svn postfix/cleanup[56999]: 94CBF4076C: message-id=<20160225205513.94CBF4076C@mail.example.net>
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: from=<non_exist_user@example.net>, size=424, nrcpt=1 (queue active)
Feb 25 20:55:13 svn postfix/local[57000]: 94CBF4076C: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: removed
But after we have added the following lines:
# /etc/postfix/main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sender_logins_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
Do not forget to create the map and restart Postfix:
# postmap /etc/postfix/sender_logins_maps
# service postfix restart
# cat /etc/postfix/sender_logins_maps
user1@example.net user1@example.net
info@example.net user1@example.net
no-reply@example.net user1@example.net
The user can't use whatever he wants anymore:
# echo "Hello world" | swaks -s 127.0.0.1 --from non_exit_user@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<non_exit_user@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<** 553 5.7.1 <non_exit_user@example.net>: Sender address rejected: not owned by user user1
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
With the settings above, user1@example.net can use only user1@example.net, info@example.net and no-reply@example.net in MAIL FROM:
# echo "Hello world" | swaks -s 127.0.0.1 --from no-reply@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1@example.net --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<- 220 mail.example.net ESMTP Postfix
-> EHLO svn.example.net
<- 250-mail.example.net
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-AUTH LOGIN PLAIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH PLAIN AHVzZXIxQGV4YW1wbGUubmV0ADEyMzQ1Njc=
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<no-reply@example.net>
<- 250 2.1.0 Ok
-> RCPT TO:<user2@example.com>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 25 Feb 2016 23:03:07 +0000
-> To: user2@example.com
-> From: no-reply@example.net
-> Subject: Test
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> Hello world
->
->
-> .
<- 250 2.0.0 Ok: queued as 9FE524068A
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
# grep 9FE524068A /var/log/maillog
Feb 25 23:03:07 svn postfix/smtpd[19097]: 9FE524068A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 23:03:07 svn postfix/cleanup[19100]: 9FE524068A: message-id=<20160225230307.9FE524068A@mail.example.net>
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: from=<no-reply@example.net>, size=419, nrcpt=1 (queue active)
Feb 25 23:03:07 svn postfix/local[19101]: 9FE524068A: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: removed
P.S. A little trick: if you don't add any line for some specific user to /etc/postfix/sender_logins_maps, he will receive emails but won't be able to send.
I can't seem to run saslauthd. It says command not found. Is that a separate utility? EDIT: Sorry, I meant to say testsaslauthd. Neither works.
It's just a test, so to quickly set up a test environment I have chosen sasldb, because I don't have time to set up and configure MySQL. You are using MySQL to store all information about users, and your restrictions described here are:
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
You should add the contents of mysql_virtual_sender_acl.cf/mysql_virtual_alias_maps.cf (without the password, of course) to the question.
Is there a way to configure Postfix to allow me to send from any address on this one particular domain after authenticating with one account?
In /etc/postfix/sender_logins_maps you should have something like the following:
@example.net user1@example.net
Modify smtpd_sender_login_maps:
smtpd_sender_login_maps =
hash:/etc/postfix/sender_logins_maps,
proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
The file /etc/postfix/sender_logins_maps should contain only one line:
@example.net user1@example.net
where @example.net is the "one particular domain" and user1@example.net is the "one account" you authenticate with. It must be the sasl_username!
sasl_method=PLAIN, sasl_username=user1@example.net
Don't forget to create the map and restart Postfix.
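As an added illustration (my own code, not from the answer, the comment, or Postfix itself), the following Python models how reject_authenticated_sender_login_mismatch decides, using a constructed copy of the sender_logins_maps table from the answer above plus an @domain wildcard row of the kind the comment suggests (the @example.org row is assumed). It also decodes the AUTH PLAIN token from the swaks transcripts to recover the sasl_username, which shows why the login must match the map's right-hand side exactly (the comment's "It must be the sasl_username!") and why the earlier advice to use TLS on port 587 matters: the token is only base64, not encryption. The lookup order and case folding are simplifications of Postfix's real table lookup.

```python
import base64
import re

# Constructed sender-login table modelled on the /etc/postfix/sender_logins_maps
# file in the answer above, plus an "@domain" wildcard row like the one in the
# comment (the @example.org entry is assumed, not from the page).
# Key: MAIL FROM address (or @domain); value: owner login(s), comma/space separated.
SENDER_LOGIN_MAP = {
    "user1@example.net": "user1@example.net",
    "info@example.net": "user1@example.net",
    "no-reply@example.net": "user1@example.net",
    "@example.org": "user1@example.net",
}


def lookup_owners(mail_from, table):
    """Approximate the Postfix address lookup order for a hash: table:
    the full address first, then the @domain wildcard. Returns the raw
    right-hand side, or None when the address has no entry."""
    key = mail_from.lower()  # case folding is an assumption of this model
    if key in table:
        return table[key]
    if "@" in key:
        domain_key = "@" + key.split("@", 1)[1]
        if domain_key in table:
            return table[domain_key]
    return None


def check_sender_login_mismatch(sasl_username, mail_from, table):
    """Emulate reject_authenticated_sender_login_mismatch (simplified model,
    not Postfix's own code). Returns (accepted, smtp_reply)."""
    if not sasl_username:
        # The "authenticated" variant only applies to SASL-authenticated clients.
        return True, "250 2.1.0 Ok"
    owners = lookup_owners(mail_from, table)
    allowed = [] if owners is None else [o.lower() for o in re.split(r"[,\s]+", owners) if o]
    if sasl_username.lower() not in allowed:
        # Same wording as the 553 reply in the transcript above. The login is
        # compared verbatim, so "user1" does not own addresses whose owner is
        # "user1@example.net"; an address with no entry at all is also rejected.
        return False, f"553 5.7.1 <{mail_from}>: Sender address rejected: not owned by user {sasl_username}"
    return True, "250 2.1.0 Ok"


def parse_swaks_transcript(lines):
    """Pull the SASL login and the MAIL FROM envelope sender out of a swaks-style
    transcript. AUTH PLAIN is just base64("authzid\\0authcid\\0password"), which is
    why TLS on the submission port matters: without it these bytes travel in clear."""
    sasl_username = mail_from = None
    for line in lines:
        if line.startswith("-> AUTH PLAIN "):
            token = line.split(" ", 3)[3].strip()
            _authzid, authcid, _password = base64.b64decode(token).decode().split("\0")
            sasl_username = authcid
        elif line.startswith("-> MAIL FROM:"):
            mail_from = re.search(r"<([^>]*)>", line).group(1)
    return sasl_username, mail_from


def evaluate_transcript(lines, table=SENDER_LOGIN_MAP):
    """Apply the restriction to what a transcript shows the client sending."""
    sasl_username, mail_from = parse_swaks_transcript(lines)
    accepted, reply = check_sender_login_mismatch(sasl_username, mail_from, table)
    return sasl_username, mail_from, accepted, reply


# Constructed transcript excerpts, copied from the swaks runs shown above.
REJECTED_RUN = [
    "-> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=",
    "<- 235 2.7.0 Authentication successful",
    "-> MAIL FROM:<non_exit_user@example.net>",
]
ACCEPTED_RUN = [
    "-> AUTH PLAIN AHVzZXIxQGV4YW1wbGUubmV0ADEyMzQ1Njc=",
    "<- 235 2.7.0 Authentication successful",
    "-> MAIL FROM:<no-reply@example.net>",
]

if __name__ == "__main__":
    for run in (REJECTED_RUN, ACCEPTED_RUN):
        print(evaluate_transcript(run))
```

Running it reproduces the two outcomes from the transcripts: the first run authenticated as plain "user1", which owns nothing in the table, so it gets the 553; the second authenticated as "user1@example.net", which owns no-reply@example.net, so it is accepted. Feeding an unauthenticated run (no AUTH line) returns accepted, because this restriction only constrains SASL-authenticated clients; relay control for such clients is a separate matter.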
Best Answer
You can fix this by adding a hosts_require_tls option with the smarthost in the list to your configuration. This will cause Exim to send the STARTTLS command to establish a TLS connection. However, the hosts_avoid_tls option may override that setting. You may want to try using port 465 (SSMTP). It is documented as supported for incoming traffic. It does support outgoing traffic. I've tested defining a smarthost as example.com:ssmtp instead of example.com.