Re: Configuring TLS with sender login maps

  • Jeroen Geilman
    Apr 2 2:59 AM
      On 04/02/2011 07:17 AM, Alex wrote:
      > Hi,
      > I have a fedora14 box that I'm trying to configure for use with
      > postfix with dovecot and TLS, permitting only TLS connections after
      > authenticating with sasl.

      What do you mean, *after* ?

      > It appears to mostly be working now, but
      > mail is rejected due to "not owned by user" errors.
      > Apr 2 01:03:54 fc14 postfix/smtpd[10284]: Anonymous TLS connection
      > established from unknown[184.XXX.XX.223]: TLSv1 with cipher
      > DHE-RSA-AES256-SHA (256/256 bits)

      > Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from
      > unknown[184.XXX.XX.223]: 553 5.7.1<myuser@...>: Sender
      > address rejected: not owned by user alex; from=<myuser@...>
      > to=<remoteluser@...> proto=ESMTP
      > helo=<184-XXX-XXX-223.pools.mycellphone.net>

      You're not authenticated.

      > smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
      > smtpd_sender_restrictions = reject_sender_login_mismatch

      This rejects mail from SASL'ed clients who are not in the map AND
      non-SASL'ed clients who ARE in the map.
      The above log line matches the latter condition, hence why it says that.

      > smtpd_tls_auth_only = yes

      SASL is not offered before a secure connection is established.

      > smtpd_tls_security_level = encrypt

      However, TLS is mandatory.

      > Are there any other options I should be concerned about with regards
      > to security, and ensuring I don't become a relay or risk of
      > unauthorized access?

      Fix your client to properly use TLS AND THEN SASL.
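The following is an added example, not code from this thread or from Postfix itself. It models the two restrictions the reply describes: the two branches of reject_sender_login_mismatch (an authenticated login that does not own the sender address, and an anonymous client using an address that is in the map), and the "TLS first, then SASL" ordering implied by smtpd_tls_auth_only = yes and smtpd_tls_security_level = encrypt. The map contents, login names and addresses are constructed; the lookup is exact-key only, which is a simplification of what Postfix does with the real hash: table.

```python
"""Model of the Postfix submission checks discussed in this thread (added example)."""

# Constructed stand-in for hash:/etc/postfix/controlled_envelope_senders:
# envelope sender -> SASL login names that are allowed to use it.
SENDER_LOGIN_MAP = {
    "myuser@example.invalid": {"alex"},
    "shared@example.invalid": {"alex", "bob"},
}


def sender_login_mismatch(sender, sasl_username, login_map=SENDER_LOGIN_MAP):
    """Return None if reject_sender_login_mismatch does not fire, else a reason.

    Rule 1: an authenticated client whose login does not own the sender
            address (including a sender with no map entry at all) is rejected.
    Rule 2: an unauthenticated client using an address that IS in the map
            is rejected.
    Exact-key, case-insensitive lookup only (simplification; Postfix's real
    lookup order is richer). Reason strings are constructed, not Postfix's.
    """
    owners = {o.lower() for o in login_map.get(sender.lower(), ())}
    if sasl_username is not None:
        if sasl_username.lower() in owners:
            return None
        return "mismatch: login %s does not own %s" % (sasl_username, sender)
    if owners:
        return "mismatch: anonymous client used owned address %s" % sender
    return None


def check_mail_from(tls_established, sasl_username, sender,
                    tls_auth_only=True, tls_required=True,
                    login_map=SENDER_LOGIN_MAP):
    """Evaluate one MAIL FROM under the settings quoted in the thread.

    Returns "accept" when this restriction has nothing to say (other
    restrictions such as relay checks would still run), else "reject: ...".
    """
    # smtpd_tls_auth_only = yes: AUTH is never offered on a plaintext session,
    # so a login name without TLS cannot have happened; treat it as anonymous.
    if tls_auth_only and not tls_established:
        sasl_username = None
    # smtpd_tls_security_level = encrypt: no TLS, no mail at all.
    if tls_required and not tls_established:
        return "reject: TLS required before MAIL FROM"
    reason = sender_login_mismatch(sender, sasl_username, login_map)
    return "accept" if reason is None else "reject: " + reason


def truth_table(login_map=SENDER_LOGIN_MAP):
    """All combinations of (mapped / unmapped sender) x (owner / other / anonymous)."""
    rows = []
    for sender in ("myuser@example.invalid", "unlisted@example.invalid"):
        for login in ("alex", "bob", None):
            verdict = check_mail_from(True, login, sender, login_map=login_map)
            rows.append((sender, login, verdict))
    return rows


if __name__ == "__main__":
    for sender, login, verdict in truth_table():
        print("%-26s login=%-5s -> %s" % (sender, login, verdict))
```

Running it prints the six-row table; the row for an anonymous session and a mapped sender is the combination the reply attributes to the quoted log line, and the row for an authenticated login with an unmapped sender shows why every address a user may send as must be listed in the map.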
