
275965 Re: Configuring TLS with sender login maps

  • Alex
    Apr 2, 2011

      >>> Apr  2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from
      >>> unknown[184.XXX.XX.223]: 553 5.7.1<myuser@...>: Sender
      >>> address rejected: not owned by user alex; from=<myuser@...>
      >>> to=<remoteluser@...>  proto=ESMTP
      >>> helo=<184-XXX-XXX-223.pools.mycellphone.net>
      >> You're not authenticated.

      Okay, I think I have it working correctly now. I believe my mistake
      was with using the incorrect ports for authentication. I think I may
      not fully understand the logic behind the whole process still.

      I've changed smtpd_tls_security_level to 'may' from 'encrypt' in
      main.cf because it also needs to be able to accept mail from non-TLS
      authenticated clients (which are actually other postfix servers) in
      addition to my K9 android mail client.

      Unlike my cell phone, these other mail servers have fixed IP addresses.
      I believe there is a way to specify a list of servers that explicitly
      do not require TLS, is that correct?

      In master.cf, I have the following:

      submission inet n - n - - smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING

      If I understand this correctly, the connection is first established
      over TLS through port 25, then this section enables SASL over that TLS
      connection, and only if there is a TLS connection, correct?

      I am using the default dovecot certificates. I have been unable to
      locate the applications to create a new cert on my fedora14 box. What
      am I missing that the lines below state a client certificate was not
      requested? Is that an issue with my mail client on my phone, or the
      dovecot configuration?

      Received: from XXX-YYY-86-66.pools.spcsdns.net
      (XXX-YYY-86-66.pools.spcsdns.net [XXX.YYY.86.66])
      (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
      (No client certificate requested)
      (Authenticated sender: alex)
      by myhost.myexample.com (Postfix) with ESMTPSA id B2CD3143A23
      for <myuser@...>; Sat, 2 Apr 2011 15:33:46 -0400 (EDT)
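
The Received header quoted above carries the session facts Postfix smtpd recorded: TLS protocol and cipher, client-certificate status, and the SASL login. As an added example (not part of the original message or of Postfix itself), the Python below parses those annotations and flags sessions worth reviewing; the function names, the regexes and the legacy-protocol list are this example's own assumptions.

```python
import re

# Constructed input: the Received header quoted in the message above.
SAMPLE = """Received: from XXX-YYY-86-66.pools.spcsdns.net
 (XXX-YYY-86-66.pools.spcsdns.net [XXX.YYY.86.66])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: alex)
 by myhost.myexample.com (Postfix) with ESMTPSA id B2CD3143A23
 for <myuser@...>; Sat, 2 Apr 2011 15:33:46 -0400 (EDT)"""

TLS_RE = re.compile(r"\(using (\S+) with cipher (\S+) \((\d+)/\d+ bits\)")
AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")
PROTO_RE = re.compile(r"\bwith (E?SMTPS?A?)\b")
CERT_STATES = {  # annotation text -> meaning
    "(No client certificate requested)": "not requested",
    "(Client did not present a certificate)": "requested, none presented",
    "(Client CN ": "presented",
}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed review policy

def parse_received(header):
    """Extract the session facts smtpd recorded in one Received header."""
    flat = " ".join(header.split())  # unfold continuation lines
    tls, auth, proto = TLS_RE.search(flat), AUTH_RE.search(flat), PROTO_RE.search(flat)
    cert = next((v for k, v in CERT_STATES.items() if k in flat), "not recorded")
    return {
        "tls": tls.group(1) if tls else None,
        "cipher": tls.group(2) if tls else None,
        "bits": int(tls.group(3)) if tls else None,
        "client_cert": cert,
        "sasl_user": auth.group(1) if auth else None,
        "proto": proto.group(1) if proto else None,
    }

def audit(info):
    """Return findings a mail admin would want to look at."""
    issues = []
    if info["tls"] is None:
        issues.append("no TLS recorded")
        if info["sasl_user"]:
            issues.append("SASL login without TLS")
    elif info["tls"] in LEGACY:
        issues.append("legacy protocol " + info["tls"])
    # RFC 3848: the S suffix means TLS, the A suffix means authenticated.
    expected = "ESMTP" + ("S" if info["tls"] else "") + ("A" if info["sasl_user"] else "")
    if info["proto"] and info["proto"].startswith("ESMTP") and info["proto"] != expected:
        issues.append("protocol keyword %s does not match annotations" % info["proto"])
    return issues
```

For the header above, `parse_received(SAMPLE)` reports the client certificate as "not requested", meaning the server did not ask for one during the handshake.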
