Summary: Configuring two accounts for the same SMTP host under Relay in the Applications > Email app causes sending to fail, because the server authenticates with the wrong credentials.
Affected products: NethServer 7.7 with nethserver-mail-smarthost package version 2.7.3-1 and up
Steps to reproduce:
1 - Go in the Cockpit interface and open Applications > Email > Configuration;
2 - Reach “Relay” section, then click “New Relay Host”;
3 - Insert a valid sender, then the configuration for a certain SMTP server (e.g. gmail.com), then validate the account (validation is OK; sender address is for example aaa@example.com);
4 - Insert another valid sender, then the configuration for the same SMTP server as the step before, then validate the account (validation is OK; sender address is for example bbb@example.com);
5 - Try to compose an email from the identity whose address comes last in alphabetical order among those configured in steps 3 and 4 (in our example, send an email with sender address bbb@example.com);
6 - You will receive an authentication error, because the mail server tried to authenticate with the aaa@example.com credentials instead of the ones for bbb@example.com.
Expected results: Sending an email from bbb@example.com should authenticate to the SMTP server with bbb@example.com credentials.
Analysis: The current implementation populates sender_dependent_relayhost_maps correctly, but populates the related smtp_sasl_password_maps hash file with authentication information keyed by SMTP server; continuing our example:
[smtp.gmail.com]:587 aaa@example.com:mypassword
[smtp.gmail.com]:587 bbb@example.com:mypassword
During mail sending, this file is consulted, but only the first instance is evaluated and used as authentication parameters for all the connections targeting smtp.gmail.com.
Proposed solution: by using the Postfix smtp_sender_dependent_authentication configuration directive and a different format for the smtp_sasl_password_maps hash file, we can authenticate the account correctly on the destination server. The smtp_sasl_password_maps hash file will look like:
aaa@example.com aaa@example.com:mypassword
bbb@example.com bbb@example.com:mypassword
This also requires the smtp_sender_dependent_authentication = yes setting inside /etc/postfix/main.cf.
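The difference between the two map formats can be checked with a small model of the lookup. This is an added example, not code from the report or from nethserver-mail-smarthost; parse_map and resolve are hypothetical names, and the model assumes the first-entry-wins behaviour described above and Postfix's documented order of sender lookup first, then destination, when smtp_sender_dependent_authentication is enabled.

```python
# Constructed sample maps, copied from the aaa/bbb example in this report.
HOST_KEYED = """\
[smtp.gmail.com]:587 aaa@example.com:mypassword
[smtp.gmail.com]:587 bbb@example.com:mypassword
"""
SENDER_KEYED = """\
aaa@example.com aaa@example.com:mypassword
bbb@example.com bbb@example.com:mypassword
"""

def parse_map(text):
    """Parse 'key value' lines; return (table, shadowed).

    The first entry for a key wins, as the analysis describes; later entries
    with the same key are collected in `shadowed` as (line_no, key, value).
    """
    table, shadowed = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {line_no}: expected 'key value'")
        key, value = parts[0].lower(), parts[1]
        if key in table:
            shadowed.append((line_no, key, value))  # never reached by a lookup
        else:
            table[key] = value
    return table, shadowed

def resolve(table, sender, nexthop, sender_dependent):
    """Return the credential string used for one delivery, or None."""
    # Assumption: sender address is tried first only when the directive is on.
    if sender_dependent and sender.lower() in table:
        return table[sender.lower()]
    return table.get(nexthop.lower())

if __name__ == "__main__":
    nexthop = "[smtp.gmail.com]:587"
    old, dupes = parse_map(HOST_KEYED)
    print("shadowed entries:", dupes)
    print("host-keyed map, bbb sends as:", resolve(old, "bbb@example.com", nexthop, False))
    new, _ = parse_map(SENDER_KEYED)
    print("sender-keyed map, bbb sends as:", resolve(new, "bbb@example.com", nexthop, True))
```

A non-empty shadowed list for an existing password map is the signature of this bug: those credentials are present in the file but can never be selected.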
Below are proposed patches to two templates inside the nethserver-mail-smarthost package:
--- 10smarthost_password_sender.old 2019-10-23 18:38:17.237735229 +0200
+++ 10smarthost_password_sender 2019-10-23 18:39:16.612815792 +0200
@@ -6,10 +6,11 @@
$OUT='';
foreach ($db->get_all_by_prop('status' => 'enabled')) {
+ my $sender = $_->key();
my $username = $_->prop('Username') || '';
my $password = $_->prop('Password') || '';
if($username || $password) {
- $OUT .= sprintf("[%s]:%s\t\t%s:%s\n", $_->prop('Host'), $_->prop('Port'), $username, $password);
+ $OUT .= sprintf("%s\t\t%s:%s\n", $sender, $username, $password);
}
}
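Review bot: the new sprintf line writes $sender, taken straight from $_->key(), as the only lookup key, so every entry in this map now depends on smtp_sender_dependent_authentication being enabled by the other template; if that setting is ever absent, none of these credentials will match a destination lookup and all relays lose authentication. Please state that dependency in a comment at the top of this template. Also confirm what forms the record key can take: if a relay can be keyed by something other than a full address (for example a domain), check that the password map lookup matches it the same way sender_dependent_relayhost_maps does, and consider skipping keys that contain whitespace, since they would break the two-column map format.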
--- 40smarthost_sender.old 2019-10-23 18:51:34.350736926 +0200
+++ 40smarthost_sender 2019-10-23 18:53:59.413914549 +0200
@@ -8,6 +8,7 @@
my @records = $db->get_all_by_prop('status' => 'enabled');
if (scalar @records > 0) {
+ $OUT .= "smtp_sender_dependent_authentication = yes\n";
$OUT .= "sender_dependent_relayhost_maps = hash:/etc/postfix/sender_smarthost\n";
} else {
$OUT .= "# sender_dependent_relayhost_maps disabled\n";
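Review bot: smtp_sender_dependent_authentication is emitted only in the branch with enabled records, but the else branch still documents only sender_dependent_relayhost_maps as disabled; add a matching "# smtp_sender_dependent_authentication disabled" comment there so the generated main.cf shows both states. It is also worth a template comment that, per the Postfix documentation, enabling this setting disables SMTP connection caching, and that this change must ship together with the 10smarthost_password_sender change, since the sender-keyed password map is not usable without it.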