Questions with Postfix TLS, SASL over LDAP

  • Zhou, Yan
    Message 1 of 2 , Nov 2, 2010
      Hi there,

      I have two Postfix instances, I wish to set up
      1. one with SSL so that clients can connect and send messages to it,
      WITHOUT authentication but the session is secure, this requires Postfix
      with TLS support.
      2. the other with SASL2 support so that clients will need
      authentication, but the user database is set up on LDAP.
      3. I also wish to use Dovecot to get messages from the 2nd Postfix,
      Dovecot requires SMTP authentication, too.

      Questions:
      1. Can one Postfix server with multiple IPs serve both needs? I know
      Postfix can route messages differently based on IP, but not sure whether
      it can support different authentication mechanisms on one instance.
      2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
      built-in or not? I read that this may require a recompilation with TLS
      flag enabled.
      3. How do I know pre-installed Dovecot already has LDAP support
      built-in, or does it require a recompilation?

      Thanks,
      Yan

    • Victor Duchovni
      Message 2 of 2 , Nov 2, 2010
        On Tue, Nov 02, 2010 at 10:27:07AM -0400, Zhou, Yan wrote:

        > I have two Postfix instances, I wish to set up
        > 1. one with SSL so that clients can connect and send messages to it,
        > WITHOUT authentication but the session is secure, this requires Postfix
        > with TLS support.
        > 2. the other with SASL2 support so that clients will need
        > authentication, but the user database is set up on LDAP.

        These requirements are not incompatible. A *single* Postfix instance
        can:

        - Support STARTTLS, and even attempt to enforce it for some
        clients via access tables that trigger "reject_plaintext_session".

        - Support SASL auth, and require it for sending outbound email or
        in general. For submission, the recommended approach is to have
        submission clients use a port 587 service that enforces both
        TLS and SASL auth.

        > 3. I also wish to use Dovecot to get messages from the 2nd Postfix,
        > Dovecot requires SMTP authentication, too.

        Dovecot requires SASL (not SMTP) authentication, and in fact
        can act as a SASL back-end for the Postfix SMTP server. See

        http://www.postfix.org/SASL_README.html

        >
        > Questions:
        > 1. Can one Postfix server with multiple IPs serve both needs? I know
        > Postfix can route messages differently based on IP, but not sure whether
        > it can support different authentication mechanisms on one instance.

        - You don't need multiple IPs. Just a suitable access policy

        - TLS is not an authentication mechanism, unless you are one of the
        few and the brave using client certs (don't on a port 25 service,
        but some submission port 587 servers request/require client certs).

        > 2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
        > built-in or not? I read that this may require a recompilation with TLS
        > flag enabled.

        Try:

        postconf smtpd_tls_cert_file

        if an error is returned, you need to recompile. Postfix 2.3 is very
        old and no longer supported/updated, you really should be using 2.4
        or later, ideally 2.7.1 if you plan to upgrade.

        > 3. How do I know pre-installed Dovecot already has LDAP support
        > built-in, or does it require a recompilation?

        This is the Postfix list.

        --
        Viktor.
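
The single-instance layout described in the reply above, written out as an added configuration example that is not part of the original thread or of the Postfix distribution. File paths, the host name, the `192.0.2.0/24` network and the Dovecot auth socket location `private/auth` are assumptions; the LDAP user lookups are assumed to be done by Dovecot acting as the SASL back-end.

```conf
# ---- /etc/postfix/main.cf (constructed example; paths, names and networks are placeholders) ----
smtpd_tls_cert_file = /etc/postfix/tls/mail.example.com.pem
smtpd_tls_key_file  = /etc/postfix/tls/mail.example.com.key

# Port 25: offer STARTTLS to every client, but do not require it globally.
smtpd_tls_security_level = may

# Enforce TLS only for selected clients: the cidr table returns
# "reject_plaintext_session" for them. With the default smtpd_delay_reject = yes
# this is evaluated at RCPT TO, after the client has had its chance to STARTTLS.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/tls_required_clients.cidr

# Relay control on port 25 does not depend on SASL.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# SASL back-end is Dovecot (assumed to do the LDAP lookups). AUTH stays off
# here and is switched on per service in master.cf; it is never offered
# on an unencrypted session.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no
smtpd_tls_auth_only = yes

# ---- /etc/postfix/tls_required_clients.cidr ----
192.0.2.0/24    reject_plaintext_session

# ---- /etc/postfix/master.cf ----
# Port 25: settings come from main.cf.
smtp       inet  n  -  n  -  -  smtpd
# Port 587: TLS and SASL auth are both mandatory; only authenticated
# clients may send, everything else is rejected.
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```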