Postfix: Disable SMTP Authentication for specific email addresses?

kr flag

I've got a server running Postfix; in my main.cf, I'm using:

smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes

I've got about 30 different email addresses (different domains, mostly Gsuite), and everything is working great. My problem is that some of my clients are constantly changing their email password, causing emails sent from their website to get stuck in the mail queue, because:

"SASL authentication failed... Username and Password not accepted."

So then I have to track down that client and ask them what their new password is, so that I can update my /etc/postfix/sasl_passwd file. So I'm trying to see if there is a way to specify a list of email addresses that will automatically bypass the smtp auth, and just let the server send the email using my DNS settings. I've scoured the internet and gone down many different rabbit holes to find the answer, but either I'm not asking the right question, or I'm not understanding some of the solutions that I find. Please help!

0.0.0.0:smtp inet n      -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}

mail log entry:

Jan 11 17:37:17 MrFent postfix/smtp[15778]: D19FB4141A: to=<[email protected]>, relay=smtp.gmail.com[74.125.192.109]:587, delay=25752, delays=25752/0.02/0.39/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.192.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials i7sm7380395qkn.0 - gsmtp)
Jan 11 18:07:34 MrFent postfix/pickup[15527]: 18A294141B: uid=1009 from=<[email protected]>
Jan 11 18:07:34 MrFent postfix/trivial-rewrite[16672]: warning: database /etc/postfix/sender_relay.db is older than source file /etc/postfix/sender_relay
Jan 11 18:07:34 MrFent postfix/cleanup[16671]: 18A294141B: message-id=<[email protected]>
Jan 11 18:07:34 MrFent postfix/qmgr[2009]: 18A294141B: from=<[email protected]>, size=3935, nrcpt=1 (queue active)
Jan 11 18:07:35 MrFent postfix/smtp[16673]: 18A294141B: to=<[email protected]>, relay=smtp.gmail.com[74.125.192.109]:587, delay=1.1, delays=0.02/0.02/0.31/0.76, dsn=2.0.0, status=sent (250 2.0.0 OK  1641924455 c25sm7316454qkp.31 - gsmtp)
Jan 11 18:07:35 MrFent postfix/qmgr[2009]: 18A294141B: removed
Jan 11 18:47:17 MrFent postfix/qmgr[2009]: D19FB4141A: from=<[email protected]>, size=950, nrcpt=1 (queue active)
Jan 11 18:47:17 MrFent postfix/trivial-rewrite[17120]: warning: database /etc/postfix/sender_relay.db is older than source file /etc/postfix/sender_relay
Jan 11 18:47:18 MrFent postfix/smtp[17121]: D19FB4141A: to=<[email protected]>, relay=smtp.gmail.com[173.194.175.109]:587, delay=29953, delays=29953/0.02/0.4/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[173.194.175.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials w12sm2876670qtj.64 - gsmtp)

Nikita Kipriyanov avatar
za flag
Your clients? `smtp_sasl_auth_enable` (and all other `smtp_*` variables) configure Postfix's SMTP *client*, not a server. It sets how *your server* authenticates when it talks to other servers, itself acting as a client. The behaviour as a server is configured with `smtpd_*` variables. So please provide the complete `postconf -Mf` output and the *complete* relevant log file records in the question.
kr flag
When I say clients, I'm talking about people who have websites that I am hosting on the same server. I just need to know if there's a way to use SMTP authentication for some of them but not for others.
Nikita Kipriyanov avatar
za flag
Good, but this is not all that I asked for. You showed `master.cf` (that's good), but I need the actual configuration; please run `postconf -Mf` and post whatever it outputs. From your log I also see a warning about the `sender_relay` database; you updated the Postfix database file but forgot to run `postmap` on it to recreate its binary-encoded copy.
Nikita Kipriyanov avatar
za flag
Also, *if there's a way to use SMTP authentication for some of them but not for others* — there is a way, but **don't do that. It's a very bad thing**. Always require everybody to be authenticated to you. Always authenticate. Don't trust.
kr flag
I really appreciate your help. I did run postconf -Mf and that is exactly what the output was. Is there another command that will produce what you're looking for? I understand what you are saying about always needing to authenticate, but the entire point of this ticket is to have an exception where I don't do that. If you know how, please let me know. Thanks.
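
An added example, not part of the original thread: a script that matches the SASL failures in a log like the one in the question to the envelope sender that qmgr recorded for the same queue ID, so the stale `sasl_passwd` entry can be identified, and that reports the stale-map warning mentioned in the comments. The sample log is constructed; its hostnames, queue IDs, addresses and IPs are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format of the log in the question; queue IDs,
# addresses and IPs are placeholders (example.* and 192.0.2.0/24 are reserved).
SAMPLE_LOG = """\
Jan 11 17:37:17 mx postfix/smtp[15778]: D00000000A: to=<rcpt@example.net>, relay=smtp.gmail.com[192.0.2.10]:587, delay=25752, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[192.0.2.10] said: 535-5.7.8 Username and Password not accepted.)
Jan 11 18:07:34 mx postfix/trivial-rewrite[16672]: warning: database /etc/postfix/sender_relay.db is older than source file /etc/postfix/sender_relay
Jan 11 18:07:34 mx postfix/qmgr[2009]: 100000000B: from=<site-b@example.org>, size=3935, nrcpt=1 (queue active)
Jan 11 18:07:35 mx postfix/smtp[16673]: 100000000B: to=<rcpt@example.net>, relay=smtp.gmail.com[192.0.2.10]:587, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 11 18:47:17 mx postfix/qmgr[2009]: D00000000A: from=<site-a@example.com>, size=950, nrcpt=1 (queue active)
Jan 11 18:47:18 mx postfix/smtp[17121]: D00000000A: to=<rcpt@example.net>, relay=smtp.gmail.com[192.0.2.11]:587, delay=29953, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[192.0.2.11] said: 535-5.7.8 Username and Password not accepted.)
"""

LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<rest>.*)$")
QMGR_FROM = re.compile(r"^(?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")
SASL_FAIL = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+): .*relay=(?P<relay>[^\[,]+).*SASL authentication failed")
STALE_MAP = re.compile(r"database (?P<db>\S+) is older than source file (?P<src>\S+)")

def analyze(log_text):
    """Return (failures, stale_maps) extracted from Postfix syslog text."""
    senders, fails, stale = {}, [], set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, rest = m["svc"], m["rest"]
        if svc == "qmgr" and (q := QMGR_FROM.match(rest)):
            senders[q["qid"]] = q["sender"]
        elif svc == "smtp" and (f := SASL_FAIL.match(rest)):
            fails.append((f["qid"], f["relay"]))
        elif (s := STALE_MAP.search(rest)):
            stale.add((s["src"], s["db"]))
    # Resolve senders only after the full pass: the qmgr line for a queue ID
    # can appear later in the log than the first deferral of that message.
    failures = Counter((senders.get(qid, "<unknown>"), relay) for qid, relay in fails)
    return failures, stale

if __name__ == "__main__":
    failures, stale = analyze(SAMPLE_LOG)
    for (sender, relay), n in failures.items():
        print(f"{n} SASL failure(s): sender={sender} relay={relay}: check its sasl_passwd entry")
    for src, db in sorted(stale):
        print(f"stale map: run 'postmap {src}' to rebuild {db}")
```
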