Specify yes to have Postfix also advertise SMTP AUTH in a non-standard way: broken_sasl_auth_clients = yes. Now we have configured Postfix to enable SASL support, but one last step is still missing. We must tell Postfix that SASL authenticated clients are allowed to relay. So keep your editor on main.cf open.
Jan 10, 2014 Greetings, I'm having a problem sending email notifications to an SMTP relay with authentication. My email service is Office 365 (Exchange Online) and I.
Use postfix to only SEND emails from a CentOS 7 VPS using an external SMTP server?
I have a VPS that has postfix preinstalled.
Let's say I have [email protected]
From CentOS 7, I want to send emails from [email protected] to [email protected] or [email protected], etc. I have no interest in sending 'local mails' to root or any other user. I do not want to receive any mail either.
I attempted this https://www.linode.com/docs/email/postfix/postfix-smtp-debian7 (This is not on Linode or DO but) but since Postfix is preinstalled already, I think I missed something in the configuration.
Can someone help out?
commented Oct 13, 2016
force-pushed the rajinisivaram:KAFKA-4292 branch from
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk8-scala2.11/2554/ Test FAILed (JDK 8 and Scala 2.11).
commented Mar 30, 2017
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk7-scala2.10/2556/ Test PASSed (JDK 7 and Scala 2.10).
commented Mar 30, 2017
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk8-scala2.12/2556/ Test PASSed (JDK 8 and Scala 2.12).
commented Mar 30, 2017
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk8-scala2.12/2550/ Test PASSed (JDK 8 and Scala 2.12).
commented Mar 30, 2017
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk7-scala2.10/2550/ Test FAILed (JDK 7 and Scala 2.10).
commented Mar 30, 2017
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-jdk8-scala2.11/2560/ Test FAILed (JDK 8 and Scala 2.11).
referenced this pull request Apr 11, 2017
Open KAFKA-5050 add ldap authentication support on PlainSaslServer #2833
force-pushed the rajinisivaram:KAFKA-4292 branch 2 times, most recently from b40d503
to 1d54a0e
Jan 18, 2018
reviewed Jan 25, 2018
.../src/main/java/org/apache/kafka/common/security/scram/DelegationTokenCredentialCallback.java Outdated
} |
/** |
* Returns the delegation token owner if set on this instance. F |
Jan 25, 2018
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java Outdated
@@ -51,6 +51,12 @@ | |
+'JAAS configuration file format is described <a href='http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html'>here</a>. ' | |
+'The format for the value is: '<loginModuleClass> <controlFlag> (<optionName>=<optionValue>)*;''; | |
publicstaticfinalStringSASL_CLIENT_CALLBACK_HANDLER_CLASS='sasl.client.callback.handler.class'; | |
publicstaticfinalStringSASL_CLIENT_CALLBACK_HANDLER_CLASS_DOC='A Sasl client callback handler class that implements the AuthenticateCallbackHandler interface.'; |
Jan 25, 2018
nit: Similar to the other SASL config descriptions, we can use the 'SASL' acronym in descriptions.
clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java Outdated
@@ -67,4 +68,9 @@ | |
+'Only GSSAPI is enabled by default.'; | |
publicstaticfinalList<String>DEFAULT_SASL_ENABLED_MECHANISMS=Collections.singletonList(SaslConfigs.GSSAPI_MECHANISM); | |
publicstaticfinalStringSASL_SERVER_CALLBACK_HANDLER_CLASS_MAP_DOC='A map between Sasl mechanisms and Sasl server '+ | |
'callback handler classes that implement the AuthenticateCallbackHandler interface. Key and value are '+ |
Jan 25, 2018
force-pushed the rajinisivaram:KAFKA-4292 branch from 1d54a0e
to 27ffbc7
Jan 26, 2018
commented Jan 26, 2018
@junrao Do you have time to review this PR? Thank you!
clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java Outdated
publicstaticfinalStringSASL_SERVER_CALLBACK_HANDLER_CLASS_MAP_DOC='A map between SASL mechanisms and SASL server '+ |
'callback handler classes that implement the AuthenticateCallbackHandler interface. Key and value are '+ |
'separated by a colon and map entries are separated by commas. For example, '+ |
''PLAIN=CustomPlainCallbackHandler,SCRAM-SHA-256=CustomScramCallbackHandler'.'; |
Jan 27, 2018
Example should use ':' instead of '=': PLAIN:CustomPlainCallbackHandler,SCRAM-SHA-256:CustomScramCallbackHandler
It also might be good to somehow include an indication that the values are fully-qualified class names ('A map between SASL mechanisms and fully-qualified SASL server callback handler class names', or 'org.mypackage.CustomPlainCallbackHandler').
clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java Outdated
String className = callbackClassMap.get(mechanism); |
if (className !=null) |
callbackHandler =Utils.newInstance(className, AuthenticateCallbackHandler.class); |
elseif (mechanism.equals(PlainSaslServer.PLAIN_MECHANISM)) |
Jan 27, 2018
Would it ever be acceptable to use the config map to override the callback handlers for the built-in mechanism implementations (GSSAPI, PLAIN, and the two SCRAM-related ones)? If so then the code is fine, but if not then the built-in mechanism names should be explicitly checked for first. Same goes for the client side checks above.
Jan 29, 2018
@rondagostino Thanks for the review. Yes, it is acceptable to override callback handlers for built-in mechanisms. One of the motivations for the KIP is to enable customization of built-in mechanisms to integrate with existing authentication servers (e.g. use an existing server or database to verify passwords for PLAIN).
clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java Outdated
@@ -222,4 +268,30 @@ private static String defaultKerberosRealm() throws ClassNotFoundException, NoSu | |
getDefaultRealmMethod = classRef.getDeclaredMethod('getDefaultRealm', newClass[0]); | |
return (String) getDefaultRealmMethod.invoke(kerbConf, newObject[0]); | |
} | |
privatevoidcreateClientCallbackHandler(Map<String, ?>configs, Stringmechanism) { | |
Class<? extends AuthenticateCallbackHandler> clazz = (Class<? extends AuthenticateCallbackHandler>) configs.get(SaslConfigs.SASL_CLIENT_CALLBACK_HANDLER_CLASS); |
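Review bot: the cast of configs.get(SaslConfigs.SASL_CLIENT_CALLBACK_HANDLER_CLASS) to Class<? extends AuthenticateCallbackHandler> in createClientCallbackHandler is unchecked, so this line does not verify that the configured class actually implements AuthenticateCallbackHandler, and an unset option yields a null clazz that the following lines must handle. The server-side path shown earlier goes through Utils.newInstance(className, AuthenticateCallbackHandler.class), which takes the expected base type; consider doing the same here, or testing AuthenticateCallbackHandler.class.isAssignableFrom(clazz) and failing with a clear configuration error.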
Jan 27, 2018
See comment below about the order of built-in mechanisms vs. non-built-in ones.
Jan 29, 2018
Same as before, callback handlers can be overridden for built-in mechanisms too.
force-pushed the rajinisivaram:KAFKA-4292 branch from 792e52d
to 97f5c9b
Jan 29, 2018
force-pushed the rajinisivaram:KAFKA-4292 branch from 97f5c9b
to 3301fd0
Feb 5, 2018
commented Feb 5, 2018
Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/kafka-pr-test-coverage/333/
force-pushed the rajinisivaram:KAFKA-4292 branch from 3301fd0
to 0394612
Feb 7, 2018
force-pushed the rajinisivaram:KAFKA-4292 branch 2 times, most recently from bdf84b9
to 84d14ef
Feb 22, 2018
clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java Outdated
JaasContext.TypecontextType, |
StringsaslMechanism, |
Class<? extends Login>defaultLoginClass) { |
String prefix = contextType JaasContext.Type.SERVER?ListenerName.saslMechanismPrefix(saslMechanism) :''; |
Mar 22, 2018
From SaslConfigs#SASL_LOGIN_CLASS_DOC:
For brokers, login config must be prefixed with listener prefix and SASL mechanism name in lower-case. For example, listener.name.sasl_ssl.scram-sha-256.sasl.login.class=com.example.CustomScramLogin
This code is only using the SASL mechanism name in lower-case as the prefix. Assuming this observation is in fact a problem, I think it raises a broader issue, which is that the listener (SASL_SSL vs. SASL_PLAIN) is not known at this point in the code (or at least it isn't readily available).
Mar 22, 2018
Listener prefix is removed from the config name before it gets here. This code will find scram-sha-256.sasl.login.class in configs only if it was prefixed with the listener name that this method is being invoked for. It is the same with callback handlers too.
Mar 23, 2018
Ok, so no problem in the code at this point. This behavior -- stripping the listener prefix off before passing the config map to the code when it runs for a particular listener -- probably warrants documentation, but I'm not sure where that documentation should be (or if it exists already and I just haven't seen). Thanks for the clarification.
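The lookup described in this exchange, modelled as an added example (Python, not Kafka code and not part of the pull request): it builds the per-listener view by stripping the listener prefix, resolves the mechanism-scoped login class, and reports keys that will not be seen for that listener. The function names and every sample value except the `com.example.CustomScramLogin` line quoted above are constructed, and the model assumes only listener-prefixed keys reach the lookup, as the thread states.

```python
LISTENER_PREFIX = "listener.name."
SETTING = "sasl.login.class"  # setting name quoted in the thread


def listener_prefix(listener):
    # The doc string's example writes listener SASL_SSL as "sasl_ssl".
    return LISTENER_PREFIX + listener.lower() + "."


def listener_view(broker_props, listener):
    """Config map as the code running for one listener sees it:
    only keys carrying this listener's prefix, with the prefix removed."""
    prefix = listener_prefix(listener)
    return {k[len(prefix):]: v for k, v in broker_props.items()
            if k.startswith(prefix)}


def login_class_for(broker_props, listener, mechanism):
    """Resolve <mechanism-in-lower-case>.sasl.login.class for a listener."""
    key = mechanism.lower() + "." + SETTING
    return listener_view(broker_props, listener).get(key)


def ignored_keys(broker_props, listener, mechanisms):
    """Keys that name a login class for one of the mechanisms but are not
    the exact key this listener's lookup uses (missing prefix, another
    listener's prefix, or mechanism not in lower-case)."""
    prefix = listener_prefix(listener)
    suffixes = [m.lower() + "." + SETTING for m in mechanisms]
    effective = {prefix + s for s in suffixes}
    return sorted(
        key for key in broker_props
        if key not in effective
        and any(key.lower().endswith(s) for s in suffixes)
    )


# Constructed sample broker properties (first entry is the thread's example).
SAMPLE = {
    "listener.name.sasl_ssl.scram-sha-256.sasl.login.class":
        "com.example.CustomScramLogin",
    "scram-sha-256.sasl.login.class": "com.example.Unprefixed",
    "listener.name.internal.scram-sha-256.sasl.login.class":
        "com.example.InternalLogin",
    "listener.name.sasl_ssl.PLAIN.sasl.login.class":
        "com.example.UpperCaseMechanism",
}

if __name__ == "__main__":
    print(login_class_for(SAMPLE, "SASL_SSL", "SCRAM-SHA-256"))
    print(login_class_for(SAMPLE, "SASL_SSL", "PLAIN"))
    for key in ignored_keys(SAMPLE, "SASL_SSL", ["SCRAM-SHA-256", "PLAIN"]):
        print("not applied on SASL_SSL:", key)
```

A key reported by `ignored_keys` means the listener runs with whatever login class it would have had without that line, which is worth checking whenever a custom class is expected to be in effect.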
commented Mar 22, 2018
@rondagostino KIP-86 didn't make login callbacks configurable since we didn't have a mechanism where we needed it. We currently use the same LoginCallbackHandler for all mechanisms. If we want to use callbacks for OAuth login, I think it will be better to do this with a separate configuration option sasl.login.callback.handler.class rather than reuse the client or server callbacks since these serve different purposes. I can add the option to this PR and update KIP-86 if you agree that it is the right approach for OAuth.
commented Mar 23, 2018
@rajinisivaram Ok, I now understand the difference between the two client-side callback handlers. The SASL Client callback handler is supposed to mediate between the SASL Client and the JAAS Login Module -- when the SASL client needs something it should use the SASL Client callback handler to get it rather than going to get it by itself (for example, looking in the Subject's public or private credentials). By using the callback handler like this (as opposed to hard-coding the SASL Client to look somewhere) everything becomes pluggable. I hadn't been doing that, so I will make that change in the OAuth code. Now that I understand this difference, yes, we do need to be able to configure the Login callback handler. In the OAuth case this callback handler is responsible for providing the OAuthBearerToken. Can you add the sasl.login.callback.handler.class configuration option as suggested?
force-pushed the rajinisivaram:KAFKA-4292 branch from 84d14ef
to 6cd1533
Mar 29, 2018
clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java Outdated
LoginMetadata<?>loginMetadata) throwsIOException, LoginException { |
this.loginMetadata = loginMetadata; |
this.login =Utils.newInstance(loginMetadata.loginClass); |
AuthenticateCallbackHandler callbackHandler =Utils.newInstance(loginMetadata.loginCallbackClass); |
Mar 30, 2018
@rajinisivaram The login callback handler class isn't getting its #configure(Map<String, ?>, String, List) invoked. Perhaps it might be better to treat the login callback handler class the same way the client and server callback handler classes are treated, which is to create/configure them in SaslChannelBuilder? Note that the login callback handler class is potentially used both on the client side and on the server side (it is used on the broker when the mechanism is the inter-broker protocol).
Apr 3, 2018
@rondagostino Thanks for the review. Good catch. Added invocation of configure and missing handler in KafkaConfig. The lifecycle of LoginCallbackHandler is the same as that of Login, both managed by LoginManager. In particular, LoginCallbackHandler/Login can outlive SaslChannelBuilder. Hence these instances are created in LoginManager.
+'that implements the AuthenticateCallbackHandler interface.'; |
publicstaticfinalStringSASL_LOGIN_CALLBACK_HANDLER_CLASS='sasl.login.callback.handler.class'; |
publicstaticfinalStringSASL_LOGIN_CALLBACK_HANDLER_CLASS_DOC='The fully qualified name of a SASL login callback handler class ' |
Mar 30, 2018
I think this documentation should state that 'For brokers, login callback handler config must be prefixed with listener prefix and SASL mechanism name in lower-case' because this is valid to use on both the client-side and the broker side.
reviewed Mar 31, 2018
left a comment
@rajinisivaram : Thanks for the patch. Looks good overall. Just a few minor comments below.
clients/src/main/java/org/apache/kafka/common/security/auth/AuthenticateCallbackHandler.java Outdated
* @param saslMechanism Negotiated SASL mechanism |
* @param jaasConfigEntries JAAS configuration entries from the JAAS login context. |
* This list contains a single entry for clients and may contain more than |
* one entry for servers if multiple mechanisms are enabled on a listener. |
Mar 31, 2018
Hmm, in the ChannelBuilder, it seems that we always pass in the entry for one mechanism.
Also, could we add some comments to clarify the difference between configs and jaasConfigEntries? For example, if a key config is present in both, which one takes precedence.
Apr 3, 2018
jaasConfigEntries can contain multiple entries if using static JAAS config with multiple entries in a single KafkaServer login context when multiple mechanisms are enabled. Updated the doc to reflect that and also added clarification for configs and jaasConfigEntries.
clients/src/main/java/org/apache/kafka/common/security/auth/Login.java Outdated
@@ -32,7 +31,8 @@ | |
/** | |
* Configures this login instance. | |
*/ | |
voidconfigure(Map<String, ?>configs, JaasContextjaasContext); | |
voidconfigure(Map<String, ?>configs, StringcontextName, Configurationconfiguration, | |
AuthenticateCallbackHandlerloginCallbackHandler); |
Mar 31, 2018
It would be useful to add a comment to describe the difference between configs and Configuration.
core/src/main/scala/kafka/admin/ConfigCommand.scala Outdated
@@ -33,6 +33,7 @@ import org.apache.kafka.clients.admin.{AlterConfigsOptions, ConfigEntry, Describ | |
importorg.apache.kafka.common.config.ConfigResource | |
importorg.apache.kafka.common.security.JaasUtils | |
importorg.apache.kafka.common.security.scram._ | |
importorg.apache.kafka.common.security.scram.internal.{ScramCredentialUtils, ScramFormatter, ScramMechanism} |
Mar 31, 2018
The import for org.apache.kafka.common.security.scram._ seems unused now?
clients/src/main/java/org/apache/kafka/common/security/JaasContext.java Outdated
@@ -184,6 +184,14 @@ public Password dynamicJaasConfig() { | |
* If login module name is specified, return option value only from that module. | |
*/ | |
publicStringconfigEntryOption(Stringkey, StringloginModuleName) { | |
return configEntryOption(configurationEntries, key, loginModuleName); |
Mar 31, 2018
core/src/main/scala/kafka/server/KafkaConfig.scala Outdated
@@ -937,6 +944,9 @@ object KafkaConfig { | |
.define(SaslMechanismInterBrokerProtocolProp, STRING, Defaults.SaslMechanismInterBrokerProtocol, MEDIUM, SaslMechanismInterBrokerProtocolDoc) | |
.define(SaslJaasConfigProp, PASSWORD, null, MEDIUM, SaslJaasConfigDoc) | |
.define(SaslEnabledMechanismsProp, LIST, Defaults.SaslEnabledMechanisms, MEDIUM, SaslEnabledMechanismsDoc) | |
.define(SaslServerCallbackHandlerClassProp, STRING, null, MEDIUM, SaslServerCallbackHandlerClassProp) |
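Review bot: the last argument of .define(SaslServerCallbackHandlerClassProp, STRING, null, MEDIUM, SaslServerCallbackHandlerClassProp) is the property-name constant, whereas the neighbouring definitions pass their Doc constant in that position (SaslJaasConfigDoc, SaslEnabledMechanismsDoc). As written, the documentation for this option would be the property name itself rather than a description; pass the corresponding Doc constant instead.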
Mar 31, 2018
...ts/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java Outdated
@@ -110,6 +108,7 @@ | |
privatefinalMap<String, ?> configs; | |
privatefinalKafkaPrincipalBuilder principalBuilder; | |
privatefinalDelegationTokenCache tokenCache; | |
privatefinalMap<String, AuthenticateCallbackHandler> callbackHandlers; |
Mar 31, 2018
tokenCache, credentialCache and jaasContexts are no longer used?
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java Outdated
TestServerCallbackHandler.class.getName()); |
server = createEchoServer(securityProtocol); |
jaasConfig.setClientOptions('PLAIN', TestServerCallbackHandler.USERNAME, TestServerCallbackHandler.PASSWORD); |
Mar 31, 2018
These are the configs for the server. So, the name setClientOptions is a bit misleading.
Apr 3, 2018
It is setting the client options based on the values used in the server callback. Added a comment to clarify.
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java Outdated
@Test |
publicvoidtestAuthenticateCallbackHandlerMechanisms() throwsException { |
SecurityProtocol securityProtocol =SecurityProtocol.SASL_PLAINTEXT; |
configureMechanisms('DIGEST-MD5', Arrays.asList('DIGEST-MD5', 'PLAIN')); |
Mar 31, 2018
Apr 3, 2018
The test is using two mechanisms with two different callbacks to verify that the right callback is used when there are multiple mechanisms. Added comment and also updated the test to verify both mechanisms.
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java Outdated
String prefix =ListenerName.forSecurityProtocol(securityProtocol).saslMechanismConfigPrefix('PLAIN'); |
saslServerConfigs.put(prefix +SaslConfigs.SASL_LOGIN_CLASS, TestLogin.class.getName()); |
server = createEchoServer(securityProtocol); |
assertEquals(1, TestLogin.loginCount.get()); |
Mar 31, 2018
Hmm, there is no connection yet, why would count be 1?
Apr 3, 2018
login() is performed when the server channel builder is created, hence the count is one when the server starts even before any clients connect.
core/src/test/scala/integration/kafka/api/SaslPlainSslEndToEndAuthorizationTest.scala Outdated
// This test uses SASL callback handler overrides for server connections of Kafka broker |
// and client connections of Kafka producers and consumers. Client connections of Kafka brokers |
// use default callback handlers. The second client used in the multi-user test |
Mar 31, 2018
'Client connections of Kafka brokers use default callback handlers.' It seems that the clients are using customized callbacks?
Apr 3, 2018
Brokers use default client callback handlers for inter-broker communication. Producers/consumers are configured with customized callbacks. Updated the comment.
force-pushed the rajinisivaram:KAFKA-4292 branch from 2bea156
to a8aaa90
Apr 3, 2018
commented Apr 3, 2018
@rondagostino @junrao Thanks for the reviews. I have addressed the comments.
approved these changes Apr 3, 2018
left a comment
@rajinisivaram Thanks for the updated patch. LGTM. Just a few minor comments below.
clients/src/main/java/org/apache/kafka/common/security/auth/Login.java Outdated
* from `jaasConfiguration`. |
* @param contextName JAAS context name for this login which may be used to obtain |
* the login context from `jaasConfiguration`. |
* @param loginCallbackHandler Login callback handler instance to use for this Login. |
Apr 3, 2018
clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java Outdated
@Override |
publicinthashCode() { |
returnObjects.hash(configInfo, loginClass); |
Apr 3, 2018
Does the hashcode need to include loginCallbackClass ?
core/src/test/scala/integration/kafka/api/SaslPlainSslEndToEndAuthorizationTest.scala Outdated
// This test uses SASL callback handler overrides for server connections of Kafka broker |
// and client connections of Kafka producers and consumers. Client connections from Kafka brokers |
// used for inter-broker communication use default callback handlers. The second client used in |
Apr 3, 2018
We set KafkaConfig.SaslClientCallbackHandlerClassProp in line 106. So, it seems that the broker connection also has a customized callback?
Apr 4, 2018
Sorry, I had missed that earlier, updated the comment.
commented Apr 4, 2018
@junrao Thanks for the review. I have addressed the comments. If there are no other comments, I will merge later on today after the builds complete.
commented Apr 5, 2018
@rondagostino @junrao Thanks for the reviews, merging to trunk.
merged commit 9f8c316 into apache:trunk Apr 5, 2018
2 of 3 checks passed
JDK 8 and Scala 2.12 FAILURE 8770 tests run, 7 skipped, 0 failed.
JDK 7 and Scala 2.11 SUCCESS 8770 tests run, 7 skipped, 0 failed.
JDK 9 and Scala 2.12 SUCCESS 8770 tests run, 7 skipped, 0 failed.
added a commit to jcustenborder/kafka that referenced this pull request May 16, 2018
added a commit to umesh9794/kafka that referenced this pull request Jun 5, 2018
pushed a commit to ying-zheng/kafka that referenced this pull request Jul 6, 2018
added a commit to sunbit-dev/kafka that referenced this pull request Nov 6, 2018