Re: Configuring TLS with sender login maps (message #275959)

  • Jeroen Geilman
    Apr 2, 2011
      On 04/02/2011 07:17 AM, Alex wrote:
      > Hi,
      > I have a Fedora 14 box that I'm trying to configure for use with
      > postfix with dovecot and TLS, permitting only TLS connections after
      > authenticating with sasl.

      What do you mean, *after*?

      > It appears to mostly be working now, but
      > mail is rejected due to "not owned by user" errors.
      >
      > Apr 2 01:03:54 fc14 postfix/smtpd[10284]: Anonymous TLS connection
      > established from unknown[184.XXX.XX.223]: TLSv1 with cipher
      > DHE-RSA-AES256-SHA (256/256 bits)
      >

      > Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from
      > unknown[184.XXX.XX.223]: 553 5.7.1<myuser@...>: Sender
      > address rejected: not owned by user alex; from=<myuser@...>
      > to=<remoteluser@...> proto=ESMTP
      > helo=<184-XXX-XXX-223.pools.mycellphone.net>

      You're not authenticated.

      > smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
      > smtpd_sender_restrictions = reject_sender_login_mismatch
      >

      This rejects mail from SASL'ed clients who are not in the map AND
      non-SASL'ed clients who ARE in the map.
      The above log line matches the latter condition, which is why it says that.

      > smtpd_tls_auth_only = yes
      >

      SASL is not offered before a secure connection is established.

      > smtpd_tls_security_level = encrypt
      >

      However, TLS is mandatory.

      > Are there any other options I should be concerned about with regards
      > to security, and ensuring I don't become a relay or risk of
      > unauthorized access?
      >

      Fix your client to properly use TLS AND THEN SASL.


      --
      J.
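To make the sequencing point in the reply above concrete, here is an added example (not Postfix code, and not part of the original thread) that models the three settings under discussion as a small state machine: smtpd_tls_security_level = encrypt (MAIL is refused until STARTTLS), smtpd_tls_auth_only = yes (AUTH is neither advertised nor accepted before STARTTLS), and smtpd_sender_restrictions = reject_sender_login_mismatch evaluated against a login map. The login map, the example.com addresses and the client scripts are constructed for the example; no sockets or real TLS are involved, STARTTLS simply flips a flag so the ordering logic can be run offline. The outcome logic follows postconf(5); the reply texts are this model's own wording, not Postfix's exact messages.

```python
"""Toy model of the Postfix smtpd decisions discussed in the thread.

Added example, not Postfix source.  It shows why a client that sends AUTH
before STARTTLS ends up unauthenticated at MAIL FROM, and what
reject_sender_login_mismatch then does with an address that has an owner
in smtpd_sender_login_maps.
"""

# Constructed stand-in for hash:/etc/postfix/controlled_envelope_senders:
# envelope sender -> list of SASL login names allowed to use it.
LOGIN_MAP = {
    "myuser@example.com": ["alex"],
    "alex@example.com": ["alex"],
    "postmaster@example.com": ["alex", "bob"],
}


class ToySmtpd:
    """Minimal server-side state: is TLS up, and who (if anyone) is SASL'ed."""

    def __init__(self, login_map, tls_security_level="encrypt", tls_auth_only=True):
        self.login_map = login_map
        self.tls_required = tls_security_level == "encrypt"
        self.tls_auth_only = tls_auth_only
        self.tls = False
        self.sasl_username = None

    def ehlo(self, helo_name):
        # With smtpd_tls_auth_only = yes the AUTH extension is withheld
        # until the session is encrypted; STARTTLS is offered until then.
        exts = ["PIPELINING", "8BITMIME"]
        if not self.tls:
            exts.append("STARTTLS")
        if self.tls or not self.tls_auth_only:
            exts.append("AUTH PLAIN LOGIN")
        return (250, exts)

    def starttls(self):
        if self.tls:
            return (554, "5.5.1 Error: TLS already active")
        self.tls = True
        # The handshake starts a fresh session: any earlier AUTH is gone
        # and the client must EHLO again before AUTH/MAIL.
        self.sasl_username = None
        return (220, "2.0.0 Ready to start TLS")

    def auth(self, username):
        if self.tls_auth_only and not self.tls:
            return (530, "5.7.0 Must issue a STARTTLS command first")
        # Credential verification (Dovecot) is out of scope for the model.
        self.sasl_username = username
        return (235, "2.7.0 Authentication successful")

    def mail_from(self, sender):
        if self.tls_required and not self.tls:
            return (530, "5.7.0 Must issue a STARTTLS command first")
        return self.reject_sender_login_mismatch(sender)

    def reject_sender_login_mismatch(self, sender):
        """Both halves of reject_sender_login_mismatch, per postconf(5):
        an authenticated client may only use addresses its login owns, and
        an unauthenticated client may not use any address that has an owner."""
        owners = self.login_map.get(sender.lower(), [])
        if self.sasl_username is not None:
            if self.sasl_username not in owners:
                return (553, f"5.7.1 <{sender}>: Sender address rejected: "
                             f"not owned by user {self.sasl_username}")
        elif owners:
            return (553, f"5.7.1 <{sender}>: Sender address rejected: "
                         f"owned by {', '.join(owners)} but client is not logged in")
        # Unmapped sender from an unauthenticated client: this restriction
        # does not object; relay/recipient restrictions decide from here.
        return (250, "2.1.0 Ok")


def broken_client():
    """AUTH first, STARTTLS second: the AUTH is refused, and the later
    MAIL FROM is evaluated as unauthenticated.  Returns the reply codes."""
    s = ToySmtpd(LOGIN_MAP)
    return [s.auth("alex")[0], s.starttls()[0], s.mail_from("myuser@example.com")[0]]


def fixed_client():
    """STARTTLS, EHLO again, AUTH, then MAIL FROM an owned address."""
    s = ToySmtpd(LOGIN_MAP)
    return [s.starttls()[0], s.ehlo("laptop.example")[0],
            s.auth("alex")[0], s.mail_from("myuser@example.com")[0]]


def spoofing_client():
    """Correctly authenticated as alex, but MAIL FROM an address alex
    does not own: the other half of the restriction fires."""
    s = ToySmtpd(LOGIN_MAP)
    s.starttls()
    s.auth("alex")
    return s.mail_from("ceo@example.com")[0]


if __name__ == "__main__":
    print("AUTH before STARTTLS:", broken_client())
    print("STARTTLS then AUTH:  ", fixed_client())
    print("owned-address spoof: ", spoofing_client())
```

On a real Postfix with these settings the same ordering is visible in the EHLO replies: AUTH is missing from the first EHLO and appears only in the EHLO sent after STARTTLS, so a client that reads the first extension list and decides "the server does not support AUTH" will never authenticate.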