On Monday 06 Jun 2011, Rony wrote:
> On 06/06/2011 10:14 AM, Raj Mathur (राज माथुर) wrote:
> > On Monday 06 Jun 2011, Rony wrote:
> > > [snip] However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
> > Because the ISP is relaying based on the authentication your server provides (which could be IP or login based),
> I don't have any IP based auth, only username and password. The ex-user's name and password are deleted, so which credentials are used for auth? What I found from the docs is that if the sender client is in the 'mynetworks' parameter, they can send without authentication unless the smtpd_auth is enabled and user names and passwords are set using saslauthd or sasld. For relay to the remote server, postfix only needs smtp_auth and a text based list of users/passwords which I use. What puzzles me is that even if postfix relays the message to the ISP smtp, shouldn't the security of the ISP reject the message as that user does not exist? Tomorrow, anyone will set up an smtp server using postfix without knowing any passwords and send mails as a fake user via the ISP's smtp.
I believe you're confused between auth on your server and auth to the ISP. Auth on your server we can afford to ignore -- you've clearly said it's IP based, and that's the end of it.
On the other hand, it's highly unlikely that your server will be authenticating to the ISP as a different user for each sender. Typically mail servers use one identity to talk to other mail servers. Your ISP would be letting your server relay through it on one of the following conditions:
- Your server IP is in the list of IPs that are allowed to relay through the ISP's server.
- Your server is authenticating to the ISP's server using an auth login and password that the ISP has provided. Note: the ISP would have provided this.
- Your server is authenticating to the ISP's server using a certificate provided by the ISP (or at least one you have mutually agreed to use).
- Your server is using a different auth login and password to login to the ISP's server, depending on each mail's sender.
There are other methods possible, but these are the most likely; out of these, the likeliest is the first -- your ISP allows any IP from their network to relay through their mail server.
The last method above (which you seem to be thinking is what is happening, based on your mails) is a pretty bizarre setup, and would require serious customisation at your end. Have you done that customisation? If not, please review the exact auth mechanism by which your ISP is allowing your server to relay mails through it.
Regards,
-- Raj
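
Added example, not part of the original message: a small Python check that reads a Postfix client configuration and reports which of the relay modes listed above applies, and which login a given sender's mail would carry to the relayhost. The config text, map file path, hostnames, addresses and logins are constructed samples; the parameter names are standard Postfix ones.

```python
# Added illustration; every hostname, address and login below is constructed.
SAMPLE_CONF = """\
relayhost = [smtp.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""
SAMPLE_MAP = """\
[smtp.isp.example]:587   office-account:secret1
alice@example.com        alice:secret2
"""

def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n style) into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def parse_password_map(text):
    """Parse 'lookup-key  login:password' lines; keep only key -> login."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].strip().split(":", 1)[0]
    return table

def relay_identity(conf, pw_map, sender):
    """Return (mode, login) presented to the relayhost for one envelope sender."""
    if conf.get("smtp_sasl_auth_enable", "no") != "yes":
        if conf.get("smtp_tls_cert_file"):
            return ("client-certificate", None)
        return ("no-login", None)  # no credentials sent; relay would rest on source IP
    per_sender = conf.get("smtp_sender_dependent_authentication", "no") == "yes"
    if per_sender and sender in pw_map:
        return ("per-sender-login", pw_map[sender])
    relayhost = conf.get("relayhost", "")
    if relayhost in pw_map:
        return ("shared-login", pw_map[relayhost])
    return ("sasl-no-credential", None)

if __name__ == "__main__":
    conf, pw = parse_postconf(SAMPLE_CONF), parse_password_map(SAMPLE_MAP)
    for sender in ("alice@example.com", "deleted.user@example.com"):
        print(sender, "->", relay_identity(conf, pw, sender))
```

With the sample configuration, both senders map to the same shared login, so the relayhost sees one identity regardless of which local user wrote the mail.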