
Re: Questions with Postfix TLS, SASL over LDAP

  • Victor Duchovni
    Message 1 of 2, Nov 2, 2010
      On Tue, Nov 02, 2010 at 10:27:07AM -0400, Zhou, Yan wrote:

      > I have two Postfix instances, I wish to set up
      > 1. one with SSL so that clients can connect and send messages to it,
      > WITHOUT authentication but the session is secure, this requires Postfix
      > with TLS support.
      > 2. the other with SASL2 support so that clients will need
      > authentication, but the user database is set up on LDAP.

      These requirements are not incompatible. A *single* Postfix instance
      can:

      - Support STARTTLS, and even attempt to enforce it for some
      clients via access tables that trigger "reject_plaintext_session".

      - Support SASL auth, and require it for sending outbound email or
      in general. For submission, the recommended approach is to have
      submission clients use a port 587 service that enforces both
      TLS and SASL auth.

      > 3. I also wish to use DoveCot to get messages from the 2nd Postfix,
      > DoveCot requires SMTP authentication, too.

      Dovecot requires SASL (not SMTP) authentication, and in fact
      can act as a SASL back-end for the Postfix SMTP server. See

      http://www.postfix.org/SASL_README.html

      >
      > Questions:
      > 1. can one Postfix server with multiple IPs serve both needs? I know
      > Postfix can route messages differently based on IP, but not sure whether
      > it can support different authentication mechanisms on one instance.

      - You don't need multiple IPs. Just a suitable access policy

      - TLS is not an authentication mechanism, unless you are one of the
      few and the brave using client certs (don't on a port 25 service,
      but some submission port 587 servers request/require client certs).

      > 2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
      > built-in or not? I read that this may require a recompilation with TLS
      > flag enabled.

      Try:

      postconf smtpd_tls_cert_file

      if an error is returned, you need to recompile. Postfix 2.3 is very
      old and no longer supported/updated; you really should be using 2.4
      or later, ideally 2.7.1 if you plan to upgrade.

      > 3. How do I know pre-installed DoveCot already has LDAP support
      > built-in, or does it require a recompilation?

      This is the Postfix list.

      --
      Viktor.
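A configuration that puts the reply's advice into practice, added here as an example and not taken from the thread: one Postfix instance with opportunistic STARTTLS on port 25, an access table that triggers reject_plaintext_session for selected clients, Dovecot as the SASL back-end, and a port 587 submission service that enforces both TLS and SASL. Certificate paths, the table name and the client entries are placeholders.

```ini
# main.cf (Postfix 2.3+ parameter names)
# Placeholder certificate paths; substitute your own.
smtpd_tls_cert_file = /etc/postfix/tls/smtpd-cert.pem
smtpd_tls_key_file  = /etc/postfix/tls/smtpd-key.pem

# Port 25: offer STARTTLS but do not require it for ordinary MX traffic.
smtpd_tls_security_level = may
# Never announce AUTH on a plaintext session.
smtpd_tls_auth_only = yes

# Dovecot provides SASL; the socket path is relative to queue_directory
# and Dovecot must be configured to create it.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Per-client table that forces STARTTLS for the listed clients only.
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/tls_required_clients,
    permit

# Relay only for local networks and authenticated users.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/tls_required_clients (placeholder entries; run postmap after editing):
#   partner.example.com    reject_plaintext_session
#   192.0.2               reject_plaintext_session   # matches 192.0.2.x by prefix

# master.cf: submission service on port 587 that enforces TLS and SASL.
# submission inet n       -       n       -       -       smtpd
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Run "postconf smtpd_tls_cert_file" first, as the reply suggests; if that errors, the installed Postfix lacks TLS support and none of the TLS settings take effect.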