292076 Re: SMTP authentication
Mar 19, 2013
On 19/03/2013 17:41, Viktor Dukhovni wrote:
> On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
>> submission inet n - - - - smtpd
>> -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> -o milter_macro_daemon_name=ORIGINATING
> With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
> are allowed before STARTTLS. The other commands will be rejected,
> but of course we can't prevent the client from sending them.

I said Postfix accepts the MAIL FROM command before user authentication,
not before STARTTLS.

>> With this configuration, messages can only be submitted through port
>> 587 after an encrypted connection has been established and user
>> authentication has succeeded. So users need to authenticate
>> themselves in order to send emails. Nevertheless, Postfix accepts
>> the MAIL FROM command before authentication.
> Show real evidence of this, after making sure your master.cf file
> reflects run-time reality (postfix stop/start or at least reload).

Of course master.cf reflects run-time reality. Follows the real evidence
which you can reproduce by yourself. If you remove all client
restrictions ( -o smtpd_client_restrictions=) from my configuration and
openssl s_client -connect host:587 -starttls smtp
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
Hi, this is a test.
250 2.0.0 Ok: queued as ...
and the message is sent.
If you keep client restrictions ( -o
smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue
the same command as above, you get instead
250 2.1.0 Ok
554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied
because user authentication is now required. I simply wondered why the
client is rejected after "rcpt to" and not just after "mail from". Maybe
there is no configuration which allows for rejecting an unauthenticated
client after the first command. I asked because you are certainly more
familiar than me with Postfix configuration options. Thank you anyway.
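
Added example, not part of the original post: the stage at which the rejection appears is controlled by Postfix's smtpd_delay_reject parameter, which defaults to yes and defers client, HELO and sender restrictions until RCPT TO. The master.cf variant below of the submission entry quoted above rejects an unauthenticated client at MAIL FROM; moving the check into smtpd_sender_restrictions is this example's choice, because with smtpd_delay_reject=no the client restrictions run at connect time, before the client has had a chance to authenticate.

```conf
# master.cf (added example, not the poster's configuration)
#
# Default (smtpd_delay_reject=yes): smtpd_client_restrictions,
# smtpd_helo_restrictions and smtpd_sender_restrictions are all evaluated
# at RCPT TO, which is why the 554 appears after "rcpt to".
#
# With smtpd_delay_reject=no each list is evaluated at its own stage:
#   client    -> on connect
#   helo      -> HELO/EHLO
#   sender    -> MAIL FROM
#   recipient -> RCPT TO
#
# The client list is left empty so nothing is rejected before AUTH, and
# the authentication requirement is enforced in the sender list instead.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

The Postfix documentation gives two reasons for the default: some clients misbehave when a command before RCPT TO is rejected, and rejecting late lets Postfix log the recipient address along with the rejection.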