I have a functioning postfix server that uses
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
I am trying to put this behind an LB. When I telnet or openssl to the virtual IP in my LB I can EHLO and STARTTLS and exchange my user/pw. My SASL authentication uses the local logins. So, I know that I can get through the LB to the postfix relay server.
When I send an email to the virtual IP, it fails permit_sasl_authenticated.
I think the email request is establishing a proper TLS tunnel. I see log info indicating such:
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: SSL_accept:SSLv3/TLS write finished
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: Anonymous TLS connection established from lb2-float.mgmt.domain.edu[IP here]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
I also see an EHLO from the email client; however, that may be the load balancer passing off the EHLO to the postfix server.
Then it starts recipient restrictions and I get this:
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: >>> START Recipient address RESTRICTIONS <<<
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated status=0
Nov 10 14:07:43 postfixserver1 postfix/smtp/smtpd[4793]: generic_checks: name=permit_mynetworks
Why does it not pass permit_sasl_authenticated when it comes through the LB?
I want sasl_authentication first to authenticate based on user/password, then fall back to permit_mynetworks.
By the way, if I put the LB IP in mynetworks list, permit_mynetworks passes. However, I want sasl_authenticated to take priority.
Is there another postfix configuration I need to set, something about inet_interfaces, even though I have inet_interfaces = all?
Thanks in advance for any suggestions.
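As an added illustration (not code from the poster or from Postfix), the following models how Postfix walks the restriction list above left to right and reads the generic_checks debug lines quoted in the post. The status-code meanings (0 = no decision, 1 = permit, 2 = reject) follow Postfix's smtpd_check.h as I understand it, and all addresses and domains in the demo are constructed placeholders.

```python
"""Model of first-match evaluation for the post's smtpd_relay_restrictions,
plus a reader for its generic_checks debug output. Example code only."""
import ipaddress
import re

# Restriction list from the post. Each check answers PERMIT, REJECT or
# DUNNO ("no opinion"); the first PERMIT or REJECT ends the evaluation.
RELAY_RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                      "reject_unauth_destination"]

def evaluate(sasl_username, client_ip, mynetworks, rcpt_domain, relay_domains,
             restrictions=RELAY_RESTRICTIONS):
    """Return (action, deciding_restriction) for one RCPT TO."""
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            # Set only when this smtpd session itself saw a successful AUTH.
            if sasl_username:
                return "PERMIT", name
        elif name == "permit_mynetworks":
            addr = ipaddress.ip_address(client_ip)  # the peer address smtpd sees
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "PERMIT", name
        elif name == "reject_unauth_destination":
            if rcpt_domain not in relay_domains:
                return "REJECT", name
        # DUNNO: fall through to the next restriction
    return "PERMIT", None  # end of list with no decision: Postfix permits

CHECK_RE = re.compile(r"generic_checks: name=(\S+)(?: status=(\d))?")
STATUS = {"0": "DUNNO", "1": "PERMIT", "2": "REJECT"}  # assumed mapping

def trace_checks(log_lines):
    """Map debug lines to (restriction, result); result stays None while a
    check has no status= line yet, as on the last line quoted in the post."""
    trace = []
    for line in log_lines:
        m = CHECK_RE.search(line)
        if not m:
            continue
        name, status = m.group(1), m.group(2)
        if status is not None and trace and trace[-1] == (name, None):
            trace[-1] = (name, STATUS.get(status, status))  # close pending check
        else:
            trace.append((name, STATUS.get(status) if status else None))
    return trace

# The three generic_checks lines quoted in the post (constructed copy).
POST_LOG = [
    "postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated",
    "postfix/smtp/smtpd[4793]: generic_checks: name=permit_sasl_authenticated status=0",
    "postfix/smtp/smtpd[4793]: generic_checks: name=permit_mynetworks",
]
```

Running `trace_checks(POST_LOG)` shows permit_sasl_authenticated returning DUNNO, i.e. smtpd had no SASL username for this session when RCPT TO arrived, which is why evaluation moved on to permit_mynetworks.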