SASL-authorized users cannot relay email (Linux, postfix, opensuse leap 42.3)

How to authorize a SASL authenticated user to relay mail under Linux postfix smtpd (opensuse leap 42.3)?

Thank you for this forum… Details below

We have two validated users for the mail server: **alavarre@mydomain.com** and **andy@mydomain.com**.
• Each can receive mail (postfix → dovecot).
• Each can send mail to the other (postfix → smtpd).
• Neither can send mail outside of the home domain (relay).

We have enabled STARTTLS and it is working.
We have checked *main.cf*, in particular the *[smtpd restrictions](https://forums.opensuse.org/up--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf--smtpd_restrictions.html)*.
• We understand that we can enable relay from **mynetworks**.
• We do not want to add all the possible external IP addresses to **mynetworks**: rather would prefer to rely upon the user being authenticated on login by SASL. *If he can log in to send mail within the domain he should likewise be authorized to relay traffic.*

The message returned to the client (evolution) is
**Recipient address rejected: Server configuration problem**

We try a manual login using both telnet and openssl.
These succeed, showing starttls is working and the users are SASL-accepted and can send mail within the domain.
Connecting shows the certificate and TLS parameters.

ehlo and mail from succeed:

```
mail from:<andy@privustech.com>
250 2.1.0 Ok
```

rcpt to: fails

```
rcpt to:<alavarre@lavarre.org>
554 5.7.1 <alavarre@lavarre.org>: Relay access denied
```

We have checked *[main.cf](https://forums.opensuse.org/Develop--Server--Setup--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf.html)* and find nothing wrong.
In particular, we have checked the *[smtpd restrictions](https://forums.opensuse.org/up--Steps--5._Mail_server--Postfix--Lessons_Learned--Recipient_address_rejected_Server_configuration_problem--main.cf--smtpd_restrictions.html)* and they appear to be in order:

```
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtp_sasl_auth_enable = yes
```

The last is most important, since we don't want to add all the possible external IP addresses to ***mynetworks***, rather rely upon the user being authenticated on login by SASL. If he can log in to send mail within the domain he should likewise be authorized to relay traffic.

Well, hello: checked /var/log/mail: unable to find saslauthd:

It was Disabled and Stopped! So Enabled and Started:
Now it works!

So end of drill.

The good news is I spent about six hours retweaking main.cf, making sure it is correct, and really getting to know my machine better… :frowning:

Thanks again for the forum. Case closed.
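
The two checks this thread came down to, as an added example that is not part of the original post: a shell audit that confirms `permit_sasl_authenticated` is reached in `smtpd_relay_restrictions` and that saslauthd is both enabled and running. The function names and the sample config are constructed for illustration; the two arguments are assumed to be the strings printed by `systemctl is-enabled saslauthd` and `systemctl is-active saslauthd`.

```shell
# Added example (not from the thread). Input: main.cf or `postconf -n` text on stdin.
# Print the value of parameter $1; a line starting with whitespace continues
# the previous logical line, and the last definition wins.
param_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur) val = val " " $0; next }
        {
            if (cur) out = val
            cur = 0
            split($0, kv, "="); name = kv[1]; gsub(/[ \t]/, "", name)
            if (name == key) { cur = 1; val = substr($0, index($0, "=") + 1) }
        }
        END {
            if (cur) out = val
            gsub(/[ \t,]+/, " ", out); sub(/^ /, "", out); sub(/ $/, "", out)
            print out
        }'
}

# Restrictions are evaluated in order: succeed only if
# permit_sasl_authenticated is reached before a blanket reject/defer.
relay_permits_sasl() {
    for r in $1; do
        case $r in
            permit_sasl_authenticated) return 0 ;;
            reject|defer|reject_unauth_destination|defer_unauth_destination) return 1 ;;
        esac
    done
    return 1
}

# audit_relay ENABLED ACTIVE: prints one finding per line, returns 0 if none.
audit_relay() {
    rc=0
    relay=$(param_value smtpd_relay_restrictions)
    relay_permits_sasl "$relay" || { echo "main.cf: permit_sasl_authenticated not reached"; rc=1; }
    [ "$1" = enabled ] || { echo "saslauthd: not enabled at boot ($1)"; rc=1; }
    [ "$2" = active ] || { echo "saslauthd: not running ($2)"; rc=1; }
    return $rc
}

# Constructed sample mirroring the restrictions quoted in the post.
sample_cfg() {
    printf '%s\n' 'smtpd_recipient_restrictions =' 'smtpd_relay_restrictions =' \
        '    permit_mynetworks' '    permit_sasl_authenticated' '    reject_unauth_destination'
}

sample_cfg | audit_relay disabled inactive || true   # the state the poster found
```

On a live host, pipe `postconf -n` into `audit_relay "$(systemctl is-enabled saslauthd)" "$(systemctl is-active saslauthd)"`. With the sample config only the two saslauthd findings are printed, which matches the thread: the restrictions were in order and the daemon was not running.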