docker-postfix

SMTPD_USERS not working

Open Jono007 opened this issue 2 years ago • 4 comments

Either I am confused about how this is supposed to work, or it is not working. When I enter a value for SMTPD_USERS (e.g. notblank:notblank ), I can still submit emails to postfix without any credentials and they are accepted and relayed. Is that expected behavior? Here are the relevant log entries:

postfix >> Setting smtpd sasl auth
postfix >> Adding user SASL user: notblank
Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found
Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found
Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found
Jul 19 06:06:22 saslpasswd2: DIGEST-MD5 common mech free
smtp >> Info: "saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found" can be ignored see https://github.com/cyrusimap/cyrus-sasl/issues/264

Jul 19 '23 06:07 Jono007

I second this.

Jul 10 '25 10:07 valentinomariotto

I found that this feature has other issues.

Let's say we set up:

MAILNAME='relay.domain.org'
SMTPD_USERS=bob:secret

When I authenticate with bob, this is what I always see in the container output:

Jul 10 12:14:55 relay-core postfix/smtpd[2064]: connect from unknown[192.168.2.2]
Jul 10 12:14:55 relay-core postfix/smtpd[2064]: warning: unknown[192.168.2.2]: SASL ntlm authentication failed: authentication failure, [email protected]

Of course, I try to log in with [email protected], it still fails.

Then, if the client is a PowerShell script, it still sends despite the authentication error. I suppose this is the expected behavior when using MY_NETWORKS? But if the client is a printer, it does not send, even though it's sending from a network listed in MY_NETWORKS. So what gives?

And as OP said, if I just omit the credentials, it always sends. Expected behavior?


I'm using plain passwords in SMTPD_USERS. I tried to play around with smtpd_sasl_mechanism_filter, but I can't get it to work. Authentication always fails.

Jul 10 '25 10:07 valentinomariotto

@Jono007 I suppose that setting:

smtpd_sender_restrictions = reject_unauthenticated_sender_login_mismatch

should prevent unauthenticated users from sending (I did not test this)

ref: https://bobcares.com/blog/postfix-smtpd_sender_restrictions/

Jul 11 '25 13:07 valentinomariotto

From the docs

Client authentication is used to authenticate relay clients. Client authentication can be used in conjunction with, or as an alternative to MYNETWORKS.

How are you configuring the container?

Nov 05 '25 05:11 macropin
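
An added example, not code from this thread or from the docker-postfix project: a simplified Python model of how Postfix walks `smtpd_relay_restrictions` in order, showing why a client inside `mynetworks` relays without credentials even when SASL users exist. The settings are constructed and assume Postfix's stock restriction order; the image's real main.cf is not shown in this thread, and table-based `mynetworks` entries are not modelled.

```python
import ipaddress

# Constructed settings in `postconf -n` format (an assumption, not the image's real main.cf).
STOCK = """\
mynetworks = 127.0.0.0/8 192.168.0.0/16 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""
# Same settings with permit_mynetworks dropped, so only authenticated clients may relay.
AUTH_ONLY = STOCK.replace("permit_mynetworks, ", "")


def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def in_mynetworks(client_ip, mynetworks):
    """True if client_ip is inside a CIDR entry; table entries (hash:/...) are skipped."""
    ip = ipaddress.ip_address(client_ip)
    for entry in mynetworks.replace(",", " ").split():
        try:
            # Postfix writes IPv6 networks as [::1]/128; strip the brackets.
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue
        if ip in net:
            return True
    return False


def relay_decision(params, client_ip, authenticated):
    """Return (action, rule) for mail to an external recipient; the first matching rule wins."""
    rules = params.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    for rule in rules:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip, params.get("mynetworks", "")):
            return ("permit", rule)  # credentials are never checked on this path
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule in ("reject_unauth_destination", "defer_unauth_destination"):
            return (rule.split("_")[0], rule)
    return ("dunno", None)  # falls through to smtpd_recipient_restrictions
```

On a running container, the text to feed `parse_postconf` is the output of `postconf -n`.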