Postfix configuration for SASL SMTP authentication

#1 Sat, 06/06/2009 - 08:07
chriswayg

Postfix configuration for SASL SMTP authentication

Hi,

In these notes I will share what I learned in getting SASL SMTP authentication to work on a Debian Lenny server with Virtualmin GPL. This is probably quite obvious to experienced Postfix users - it wasn't so obvious to me when I expected to just configure it through the Webmin/Virtualmin UI alone, without having to fix the config files manually.

Purpose: Allow logins from any IP via SMTP authentication using TLS with clients such as Thunderbird for sending mail via SMTP.

Settings in Webmin -> Postfix Mail Server -> SMTP Authentication And Encryption:

SMTP relaying restrictions
    [x] Allow connections from same network
        Allow connections from this system
        Reject clients with no reverse hostname
    [x] Allow authenticated clients
        Reject email to other domains
        Allow only relay domains
        Allow domains this system is a backup MX for
Enable SASL SMTP authentication? [x] Yes
Handle non-compliant SMTP clients? [x] Yes
SMTP security options
    [x] Reject anonymous logins
        Reject plain-text logins
Delay clients with failed logins? [x] Yes
Enable TLS encryption? [x] Yes
TLS certificate file [x] /etc/ssl/certs/ssl-cert-snakeoil.pem
TLS private key file [x] /etc/ssl/private/ssl-cert-snakeoil.key
TLS certificate authority file [x] None

Supposedly these settings should work, but they will produce the following error:

    Jun 6 17:38:04 mydomain postfix/smtpd[13534]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
    Jun 6 17:38:05 mydomain postfix/master[5703]: warning: process /usr/lib/postfix/smtpd pid 13534 exit status 1

Therefore, any attempted logins with an SMTP client like Thunderbird will fail.

The postfix configuration file main.cf did not have any of these options specified: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

In /etc/postfix/main.cf we find:

    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated

Changing this to:

    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject

...will achieve the following:

    permit_mynetworks: basically allows localhost like Usermin to send mail
    permit_sasl_authenticated: permits users from any IP, as long as they are authenticated to send mail
    reject: will reject all others and keep postfix happy (this needs to be the last option on the line)

Remember to reload the configuration:

    /etc/init.d/postfix reload

The added 'reject' at the end will not be parsed by Webmin and will end up in the wrong location if you change any of the settings in 'SMTP relaying restrictions' in 'SMTP Authentication And Encryption'. Alternatively, the same settings can be accessed from Webmin -> Postfix Mail Server -> SMTP Server Options -> Restrictions on recipient addresses. I wonder why the same settings appear in two places.

As there is probably more than one way to get this working and to combine these options, please let me know if there are easier or better ways to set this up in Webmin/Virtualmin.

Christian

Links:
http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html

Post edited by: chriswayg, at: 2009/06/06 08:09

Thu, 03/11/2010 - 03:33
moskit

I had the same error. Adding your reject works, but I know that it isn't best, initial solution.

I checked the Postfix manual at http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions. Everything is clearly defined there. Default parameters are: permit_mynetworks, reject_unauth_destination. There is an important annotation that:

    IMPORTANT: If you change this parameter setting, you must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

        reject, defer, defer_if_permit, reject_unauth_destination

Your parameters are:

    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated

As you can see, you didn't use one of the restrictions from the annotation.

I checked the initial config on my fresh Debian 5.0 Lenny + Virtualmin. SOLUTION:

    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Fri, 06/10/2011 - 06:13 (Reply to #2)
leray

thanks for 'reject_unauth_destination', helped me!
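
Added example, not part of any post in this thread and not Postfix code: a simplified Python model of left-to-right, first-match evaluation of smtpd_recipient_restrictions, comparing the original setting with the two fixes posted above. The client attributes and the names `evaluate`, `compare`, `CONFIGS` and `CLIENTS` are assumptions made for the illustration, and only the four restrictions that appear in the thread are modelled.

```python
import re

# Postfix wants at least one of these in the list (per the log message in post #1).
REQUIRED = {"check_relay_domains", "reject_unauth_destination",
            "reject", "defer", "defer_if_permit"}

ORIGINAL = "permit_mynetworks permit_sasl_authenticated"
CONFIGS = {
    "original": ORIGINAL,
    "reject": ORIGINAL + " reject",
    "reject_unauth_destination": ORIGINAL + " reject_unauth_destination",
}

# Constructed clients: (in_mynetworks, sasl_authenticated, authorized_destination)
CLIENTS = {
    "authenticated user relaying out": (False, True, False),
    "remote MTA delivering to hosted domain": (False, False, True),
    "unauthenticated relay attempt": (False, False, False),
}


def evaluate(value, in_mynetworks, sasl_authenticated, authorized_destination):
    """Verdict for one RCPT TO under a restriction list (simplified model)."""
    restrictions = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if not REQUIRED.intersection(restrictions):
        return "CONFIG-FATAL"  # smtpd exits, as in the logged error
    for r in restrictions:  # left to right, first match wins
        if r == "permit_mynetworks" and in_mynetworks:
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT"
        if r == "reject_unauth_destination" and not authorized_destination:
            return "REJECT"
        if r == "reject":
            return "REJECT"
    return "PERMIT"  # no restriction in this list objected


def compare():
    """Map (config label, client description) to the modelled verdict."""
    return {(label, who): evaluate(value, *attrs)
            for label, value in CONFIGS.items()
            for who, attrs in CLIENTS.items()}


if __name__ == "__main__":
    for (label, who), verdict in compare().items():
        print(f"{label:26} {who:40} {verdict}")
```

Under this model both fixes refuse the unauthenticated relay attempt, but a trailing `reject` also refuses mail that other servers deliver to the hosted domains, while `reject_unauth_destination` lets that mail through.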
