Loading ...
Sorry, an error occurred while loading the content.

293938Re: question about auth, smtpd and roundcube

Expand Messages
  • /dev/rob0
    Jun 20, 2013
      On Thu, Jun 20, 2013 at 10:51:28AM +0200, Felix Rubio Dalmau wrote:
      > I have set up a postfix+dovecot+roundcube installation. Currently,
      > I have set up these smtpd parameters:
      >
      > smtpd_tls_security_level = may
      > smtpd_tls_auth_only = yes
      > smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
      >
      > inside discard_helo, I have set "127.0.0.1 starttls,silent-discard"
      > to allow roundcube connecting without TLS.
      >
      > With this setup, roundcoube can't connect because it is not on a
      > TLS connection. If I set up roundcube to use TLS and comment
      > smtpd_discard_ehlo_keyword_address_maps, everything goes fine.
      >
      > The question is: how can I allow smtpd_tls_auth_only only on
      > non-local connections?

      Like Ben, I think you are solving a non-problem here. While TLS on
      localhost provides no benefit, how much is the gain from turning it
      off? On the Dovecot side it's simpler because Dovecot considers
      loopback secure (and it probably offers more actual benefit because
      IMAP connections are persistent.)

      Anyway, if you do choose to pursue this, there are many options. I
      think the easiest would be to make a separate smtpd instance with
      overrides as needed:

      [ master.cf ]
      ...
      127.0.0.1:10587 inet n - n - smtpd
      -o smtpd_tls_security_level=none
      -o smtpd_tls_auth_only=no
      -o syslog_name=postfix/roundcube
      [ with other overrides from your submission service ]

      Then configure Roundcube to connect to 127.0.0.1:10587 for sending.
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Show all 5 messages in this topic