Loading ...
Sorry, an error occurred while loading the content.

275958Configuring TLS with sender login maps

Expand Messages
  • Alex
    Apr 1, 2011
    • 0 Attachment
      Hi,
      I have a fedora14 box that I'm trying to configure for use with
      postfix with dovecot and TLS, permitting only TLS connections after
      authenticating with sasl. It appears to mostly be working now, but
      mail is rejected due to "not owned by user" errors.

      Apr 2 01:03:53 fc14 postfix/smtpd[10284]: initializing the
      server-side TLS engine
      Apr 2 01:03:53 fc14 postfix/tlsmgr[10286]: open smtpd TLS cache
      btree:/var/lib/postfix/smtpd_tls_session_cache
      Apr 2 01:03:53 fc14 postfix/tlsmgr[10286]: tlsmgr_cache_run_event:
      start TLS smtpd session cache cleanup
      Apr 2 01:03:53 fc14 postfix/smtpd[10284]: connect from unknown[184.XXX.XX.223]
      Apr 2 01:03:53 fc14 postfix/smtpd[10284]: setting up TLS connection
      from unknown[184.XXX.XX.223]
      Apr 2 01:03:53 fc14 postfix/smtpd[10284]: unknown[184.XXX.XX.223]:
      TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
      ...
      Apr 2 01:03:54 fc14 postfix/smtpd[10284]: Anonymous TLS connection
      established from unknown[184.XXX.XX.223]: TLSv1 with cipher
      DHE-RSA-AES256-SHA (256/256 bits)
      Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from
      unknown[184.XXX.XX.223]: 553 5.7.1 <myuser@...>: Sender
      address rejected: not owned by user alex; from=<myuser@...>
      to=<remoteluser@...> proto=ESMTP
      helo=<184-XXX-XXX-223.pools.mycellphone.net>
      Apr 2 01:03:55 fc14 postfix/smtpd[10284]: disconnect from
      unknown[184.XXX.XX.223]

      I have created a controlled_envelope_senders that specifies the users
      that are permitted to send mail using the envelope sender:

      myuser@... alex

      But it still rejects it. Perhaps I'm not specifying it correctly? I'd
      like to make sure this is also doing what I expect it is doing, and
      that is requiring the use of TLS for sending all mail. Here is the
      output of postconf -n:

      alias_database = hash:/etc/postfix/aliases
      alias_maps = hash:/etc/postfix/aliases
      biff = no
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      debug_peer_list = 127.0.0.1
      delay_warning_time = 4h
      disable_vrfy_command = yes
      header_checks = pcre:/etc/postfix/header_checks.pcre
      mail_owner = postfix
      mailbox_command = /usr/bin/procmail
      mailbox_size_limit = 2000000000
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      maximal_queue_lifetime = 5d
      message_size_limit = 10240000
      mydestination = $myhostname, localhost.$mydomain, myexample.com
      myhostname = fc14.myexample.com
      mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.6.0/24
      newaliases_path = /usr/bin/newaliases
      queue_directory = /var/spool/postfix
      readme_directory = /etc/postfix/README_FILES
      relay_domains = $mydestination, $transport_maps
      relayhost = 64.1.16.3
      sample_directory = /etc/postfix/samples
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtp_tls_CAfile = /etc/pki/tls/cacert.pem
      smtp_tls_loglevel = 2
      smtpd_recipient_restrictions = permit_sasl_authenticated,
      permit_mynetworks, reject_non_fqdn_sender,
      reject_non_fqdn_recipient, reject_unknown_sender_domain,
      check_client_access hash:/etc/postfix/client_access,
      reject_unauth_destination, reject_unauth_pipelining,
      reject_invalid_hostname
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
      smtpd_sender_restrictions = reject_sender_login_mismatch
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
      smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
      smtpd_tls_loglevel = 2
      smtpd_tls_received_header = yes
      smtpd_tls_security_level = encrypt
      smtpd_tls_session_cache_database =
      btree:/var/lib/postfix/smtpd_tls_session_cache
      tls_random_source = dev:/dev/urandom
      transport_maps = hash:/etc/postfix/transport

      Are there any other options I should be concerned about with regards
      to security, and ensuring I don't become a relay or risk of
      unauthorized access?

      Any help greatly appreciated.
      Thanks,
      Alex
    • Show all 12 messages in this topic