Loading ...
Sorry, an error occurred while loading the content.

292076Re: SMTP authentication

Expand Messages
  • Matteo Marescotti
    Mar 19, 2013
      Il 19/03/2013 17:41, Viktor Dukhovni wrote:
      > On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
      >> submission inet n - - - - smtpd
      >> -o smtpd_tls_security_level=encrypt
      >> -o smtpd_sasl_auth_enable=yes
      >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      >> -o milter_macro_daemon_name=ORIGINATING
      >> ...
      > With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
      > are allowed before STARTTLS. The other commands will be rejected,
      > but of course we can't prevent the client from sending them.
      I said Postfix accepts the MAIL FROM command before user authentication,
      not before STARTTLS.
      >> With this configuration, messages can only be submitted through port
      >> 587 after an encrypted connection has been established and user
      >> authentication has succeded. So users need to authenticate
      >> themselves in order to send emails. Nevertheless, Postfix accepts
      >> the MAIL FROM command before authentication.
      > Show real evidence of this, after making sure your master.cf file
      > reflects run-time reality (postfix stop/start or at least reload).
      Of course master.cf reflects run-time reality. Follows the real evidence
      which you can reproduce by yourself. If you remove all client
      restrictions ( -o smtpd_client_restrictions=) from my configuration and

      openssl s_client -connect host:587 -starttls smtp

      you get

      250 DSN
      mail from:<marescot@...>
      250 2.1.0 Ok
      rcpt to:<marescot@...>
      250 2.1.5 Ok
      354 End data with <CR><LF>.<CR><LF>
      Hi, this is a test.
      250 2.0.0 Ok: queued as ...

      and the message is sent.

      If you keep client restrictions ( -o
      smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue
      the same command as above, you get instead

      250 DSN
      mail from:<marescot@...>
      250 2.1.0 Ok
      rcpt to:<marescot@...>
      554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied

      because user authentication is now required. I simply wondered why the
      client is rejected after "rcpt to" and not just after "mail from". Maybe
      there is no configuration which allows for rejecting an unauthenticated
      client after the first command. I asked because you are certainly more
      familiar than me with Postfix configuration options. Thank you anyway.

    • Show all 14 messages in this topic