
298539 Re: Problems with sasl auth, and tls (secured flag)

  • Nathan Coulson
    Mar 6, 2014
      On 14-03-06 11:25 AM, Wietse Venema wrote:
      > Nathan Coulson:
      >> In testing, we were seeing the following results:
      >>
      >> smtpd_tls_security_level=may
      >> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
      >>
      >> smtpd_tls_security_level=encrypt
      >> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
      >>
      >> The secured flag is only set when the level is set to encrypt. I would
      >> expect it to be set for any client that connects via TLS.
      > No, the secured flag is set when the client requests STARTTLS.
      >
      > Wietse
      >
      >     /*
      >      * Set up a new server context for this connection.
      >      */
      > #ifdef USE_TLS
      >     tls_flag = state->tls_context != 0;
      > #else
      >     tls_flag = 0;
      > #endif
      > ...
      >     if ((state->sasl_server =
      >          XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
      >                              stream = state->client,
      >                              server_addr = (state->dest_addr ?
      >                                             state->dest_addr : ""),
      >                              client_addr = ADDR_OR_EMPTY(state->addr,
      >                                                          CLIENT_ADDR_UNKNOWN),
      >                              service = var_smtpd_sasl_service,
      >                              user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
      >                              security_options = sasl_opts_val,
      >                              tls_flag = tls_flag)) == 0)
      >         msg_fatal("SASL per-connection initialization failed");

      The client (using Thunderbird) is configured to use port 587, with
      STARTTLS. I did some more digging to confirm this, and from the logs it
      looks like it is requesting and using STARTTLS.


      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: VERSION?1?1
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: SPID?20191
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: CUID?1
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply:
      COOKIE?c3217471bba339e1ac8623fa290932fc
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_connect: auth reply: DONE
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
      Mar 6 11:58:52 postfix dovecot: auth: Debug: auth client connected (pid=0)
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-STARTTLS
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no
      match
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]:
      250-ENHANCEDSTATUSCODES
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: STARTTLS
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 220 2.0.0 Ready
      to start TLS
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr request = seed
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr size = 32
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted
      attribute: status
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: status
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value: 0
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted
      attribute: seed
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: seed
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value:
      QsmI4b31iwCHbOZQ+JsrBXMJRqFizERI0hWa6lZP5wo=
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted
      attribute: (list terminator)
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: (end)
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no
      match
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]:
      250-ENHANCEDSTATUSCODES
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
      Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: AUTH PLAIN
      AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
      Mar 6 11:58:52 postfix postfix/smtpd[20189]:
      xsasl_dovecot_server_first: sasl_method PLAIN, init_response
      AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
      Mar 6 11:58:52 postfix dovecot: auth: Debug: client in:
      AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=IP3#011rip=IP1#011resp=<hidden>
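
The symptom discussed in this thread can be checked mechanically. The following is an added example, not part of the original message and not Postfix or Dovecot code: it parses the Dovecot auth request line (fields separated by tabs, logged as `#011`) and reports whether a request that followed a completed STARTTLS carries the `secured` flag. The function names, host name and addresses are constructed for illustration, and the sketch assumes a single smtpd session with each log event on one line.

```python
import re

TAB = "#011"  # syslog's escape for the tab that separates Dovecot auth fields
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: ([<>]) \S+: (.*)")

def parse_auth_request(line):
    """Split a Dovecot 'client in: AUTH...' debug line into flags and key=value params."""
    _, found, payload = line.partition("client in: ")
    fields = payload.replace(TAB, "\t").split("\t")
    if not found or len(fields) < 3 or fields[0] != "AUTH":
        return None
    req = {"id": fields[1], "mech": fields[2], "flags": set(), "params": {}}
    for field in fields[3:]:
        key, eq, value = field.partition("=")
        if eq:
            req["params"][key] = value
        else:
            req["flags"].add(key)
    return req

def audit(lines):
    """Pair each auth request with the TLS state seen so far in one smtpd session."""
    tls_started, findings = False, []
    for line in lines:
        m = SMTPD.search(line)
        if m:
            # The server's 220 reply to STARTTLS marks the switch to TLS.
            if m.group(1) == ">" and m.group(2).startswith("220 ") and "start TLS" in m.group(2):
                tls_started = True
            continue
        req = parse_auth_request(line)
        if req:
            secured = "secured" in req["flags"]
            findings.append({"mech": req["mech"], "rip": req["params"].get("rip"),
                             "starttls": tls_started, "secured": secured,
                             "mismatch": tls_started and not secured})
    return findings

# Constructed sample lines (documentation addresses), one event per line.
HOST = "client.example[192.0.2.10]"
SAMPLE = [
    f"Mar 6 11:58:52 mx postfix/smtpd[20189]: < {HOST}: STARTTLS",
    f"Mar 6 11:58:52 mx postfix/smtpd[20189]: > {HOST}: 220 2.0.0 Ready to start TLS",
    f"Mar 6 11:58:52 mx postfix/smtpd[20189]: < {HOST}: AUTH PLAIN <redacted>",
    "Mar 6 11:58:52 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011"
    "service=smtp#011nologin#011lip=192.0.2.1#011rip=192.0.2.10#011resp=<hidden>",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with `mismatch` set to true corresponds to the case reported here: TLS was negotiated on the SMTP side, but the request handed to Dovecot lacks `secured`.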