
Re: STARTTLS not announced?!

  • Benny Pedersen
    Message 1 of 20 , Jun 14, 2013
      Jan Kohnert wrote on 2013-06-15 03:58:

      > Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.

      starttls has nothing to do with auth or not

      auth users can still send plain passwords over unsecured smtpd client
      connections, starttls just secures their passwords, so tcpdumpers can't
      see them

      postfix still announces auth on port 25 with sasl disabled in main.cf,
      here i have only sasl on submission / smtps

      bug ?

      --
      senders that put my email into body content will deliver it to my own
      trashcan, so if you like to get a reply, don't do it
    • /dev/rob0
      Message 2 of 20 , Jun 14, 2013
        On Sat, Jun 15, 2013 at 03:45:02AM +0200, Benny Pedersen wrote:
        > Nabil Alsharif wrote on 2013-06-15 02:59:
        >
        > >>> smtp_tls_note_starttls_offer = yes
        > >>> smtp_use_tls = yes
        > >>
        > >>smtp_ is for sending
        > >Ok so these two options are telling Postfix to check if STARTTLS
        > >is offered by the peer and use TLS if available, right?
        >
        > correct

        smtp_tls_note_starttls_offer means to note (i.e., log) when a remote
        server offers STARTTLS. "smtp_use_tls=yes" is the same as (replaced
        by) "smtp_tls_security_level=may". All of these are covered in the
        TLS_README.html (except for the deprecated settings, of course.)

        And none of this is relevant to the $SUBJECT at hand.

        > >>> smtpd_banner = $myhostname ESMTP
        > >>> smtpd_recipient_restrictions = permit_mynetworks
        > >>>reject_unauth_destination
        > >>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
        > >>> smtpd_tls_auth_only = yes
        > >>
        > >>this disables starttls since we are already using ssl/tls now

        Wrong, Benny. See postconf.5.html#smtpd_tls_auth_only and the
        correction posted by Jan, with which you tried to argue.

        > >huh? This part I don't quite understand. How are we
        > >disabling TLS?

        We're not. That was wrong.

        > >Where was it enabled before? when we said smtp_use_tls = yes?

        That deprecated setting is not relevant.

        > it does not disable tls/ssl, but it removes starttls in plain
        > connection without tls/ssl

        Also wrong.

        > smtpd vs smtp confusion ?
        >
        > with that setting all smtpd_ clients must use tls or ssl

        With smtpd_tls_security_level=encrypt, yes; not with
        smtpd_tls_auth_only=yes. Wrong and misleading posts will not help.

        I think the OP will have to fix the logging problem before we can
        solve this issue.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      • Benny Pedersen
        Message 3 of 20 , Jun 14, 2013
          /dev/rob0 wrote on 2013-06-15 05:27:

          > I think the OP will have to fix the logging problem before we can
          > solve this issue.

          it would be relatively simpler to use more default settings, if OP is
          unsure what to do

          sorry if i write it such that it could be misunderstood :(

        • Jan Kohnert
          Message 4 of 20 , Jun 15, 2013
            On Saturday, 15 June 2013, 04:03:44, Benny Pedersen wrote:
            > Jan Kohnert wrote on 2013-06-15 03:58:
            > > Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.
            >
            > starttls have nothing to do with auth or not

            Come on, read the documentation:

            http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

            --
            Kind regards, Jan
          • Benny Pedersen
            Message 5 of 20 , Jun 15, 2013
              Jan Kohnert wrote on 2013-06-15 10:57:

              > http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

              do i need to tell it in --verbose ?

              starttls has nothing to do with auth, just because this option has
              tls and auth in one line does not make tls/ssl needed to make auth work

            • Jeroen Geilman
              Message 6 of 20 , Jun 15, 2013
                On 06/15/2013 12:13 PM, Benny Pedersen wrote:
                > Jan Kohnert wrote on 2013-06-15 10:57:
                >
                >> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
                >
                > do i need to tell it in --verbose ?
                >
                > starttls has nothing to do with auth, just because this option has
                > tls and auth in one line does not make tls/ssl needed to make auth work
                >

                Quoted from the above documentation:

                smtpd_tls_auth_only (default: no)
                "When TLS encryption is optional in the Postfix SMTP server, do
                not announce or accept SASL authentication over unencrypted connections. "

                In other words, yes, setting this option in conjunction with
                "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.

                smtpd_tls_security_level = encrypt means the server will *reject* any
                commands that are not STARTTLS, until a TLS connection has been established.

                This includes AUTH.

                --
                J.
              • Benny Pedersen
                Message 7 of 20 , Jun 15, 2013
                  Jeroen Geilman wrote on 2013-06-15 15:35:

                  > Quoted from the above documentation:
                  >
                  > smtpd_tls_auth_only (default: no)
                  > "When TLS encryption is optional in the Postfix SMTP server,
                  > do not announce or accept SASL authentication over unencrypted
                  > connections. "

                  it does not say it disables auth anywhere, it just says it would not be
                  possible to connect without starttls or not, starttls on its own has
                  nothing to do with auth or not

                  check your own logs how many clients use starttls without auth

                  just because it is seldom seen in real life that anyone will send auth
                  over a non tls/ssl connection does not mean it does not work

                  postfix has both auth and starttls, starttls is just for clients to
                  use ssl/tls on port 25, email clients will not use starttls in 2013,
                  since submission is the right thing anyway

                  > In other words, yes, setting this option in conjunction with
                  > "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.
                  >
                  > smtpd_tls_security_level = encrypt means the server will *reject* any
                  > commands that are not STARTTLS, until a TLS connection has been
                  > established.
                  >
                  > This includes AUTH.

                  it is still not needed to use ssl/tls to make auth work

                • Wietse Venema
                  Message 8 of 20 , Jun 15, 2013
                    Benny Pedersen:
                    > Jeroen Geilman wrote on 2013-06-15 15:35:
                    >
                    > > Quoted from the above documentation:
                    > >
                    > > smtpd_tls_auth_only (default: no)
                    > > "When TLS encryption is optional in the Postfix SMTP server,
                    > > do not announce or accept SASL authentication over unencrypted
                    > > connections. "
                    >
                    > it does not say it disables auth anywhere,

                    The server does not announce or accept AUTH, therefore AUTH is disabled.

                    Wietse
                  • Benny Pedersen
                    Message 9 of 20 , Jun 15, 2013
                      wietse@... wrote on 2013-06-15 16:13:

                      > The server does not announce or accept AUTH, therefore AUTH is
                      > disabled.

                      auth does not need starttls, if auth is not announced then auth is
                      disabled

                    • Wietse Venema
                      Message 10 of 20 , Jun 15, 2013
                        > smtpd_tls_auth_only (default: no)
                        > "When TLS encryption is optional in the Postfix SMTP server,
                        > do not announce or accept SASL authentication over unencrypted
                        > connections. "

                        Benny Pedersen:
                        > auth does not need starttls, if auth is not announced then auth is
                        > disabled

                        AUTH requires STARTTLS with smtpd_tls_auth_only=yes.

                        In view of your contributions in recent threads, you are one
                        step away from removal from this mailing list.

                        Wietse
                      • Peter
                        Message 11 of 20 , Jun 16, 2013
                          I do realize that this thread probably shouldn't be continued, however I
                          see some gross misstatements here that need correcting so that someone
                          browsing the thread won't be misled by them at a later time...

                          On 06/16/2013 01:58 AM, Benny Pedersen wrote:
                          >> smtpd_tls_auth_only (default: no)
                          >> "When TLS encryption is optional in the Postfix SMTP server,
                          >> do not announce or accept SASL authentication over unencrypted
                          >> connections. "
                          >
                          > it does not say it disables auth anywhere, it just says it would not be
                          > possible to connect without starttls or not,

                          No, it disables auth until STARTTLS is established. It has nothing to do
                          with the connection.

                          > just because it is seldom seen in real life that anyone will send auth over
                          > a non tls/ssl connection does not mean it does not work

                          It does not work if smtpd_tls_auth_only is set to yes.

                          > starttls is just for clients to use ssl/tls on port 25,

                          Actually clients shouldn't use port 25, and neither should you be using
                          auth on port 25. Clients will use STARTTLS on port 587, however, and
                          both postfix and MUAs can be configured to use STARTTLS on any port you
                          wish (via master.cf).

                          > email clients will not use starttls in 2013,

                          Seriously? So how is an MUA intended to establish an encrypted
                          connection to an MSA, then?

                          > since submission is the right thing anyway

                          Submission is a port (587) which uses the (e)smtp protocol to submit
                          messages from an MUA (email client) to an MSA (email submission server)
                          and can use STARTTLS for encryption. There is no other way to do
                          encryption on the submission port.

                          > it is still not needed to use ssl/tls to make auth work

                          It is if you set smtpd_tls_auth_only=yes.


                          Peter
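The behaviour argued over in Jeroen's and Peter's posts above (AUTH is not announced, and is rejected, on a plaintext session when smtpd_tls_auth_only=yes, and every non-STARTTLS command is rejected when smtpd_tls_security_level=encrypt) can be seen in a small model of the server's decision. The following Python is an added illustration, not code from this thread or from Postfix itself: it assumes the hostnames mail.example.test and client.example.test, a constructed AUTH PLAIN credential, and reply texts that only approximate what Postfix actually sends; the TLS handshake and credential verification are skipped.

```python
# Added example, not Postfix source: a model of how an smtpd process decides
# whether to announce and accept AUTH on one connection, driven by the three
# main.cf settings the thread is about. Reply texts approximate Postfix's
# real replies; the TLS handshake and credential check are out of scope.
from dataclasses import dataclass


@dataclass
class SmtpdConfig:
    sasl_auth_enable: bool = False    # smtpd_sasl_auth_enable
    tls_security_level: str = "none"  # smtpd_tls_security_level: none | may | encrypt
    tls_auth_only: bool = False       # smtpd_tls_auth_only


# Commands still answered on a plaintext session when TLS is mandatory.
PRE_TLS_ALLOWED = {"EHLO", "HELO", "STARTTLS", "NOOP", "QUIT", "RSET"}
MUST_STARTTLS = "530 5.7.0 Must issue a STARTTLS command first"
# Constructed sample credential (user "user", password "pass"), not a real one.
SAMPLE_AUTH = "AUTH PLAIN AHVzZXIAcGFzcw=="


class SmtpdSession:
    """One client connection, tracking whether STARTTLS has completed."""

    def __init__(self, cfg: SmtpdConfig) -> None:
        self.cfg = cfg
        self.tls_active = False

    def auth_permitted(self) -> bool:
        """AUTH is announced and accepted only when SASL is enabled and, if
        smtpd_tls_auth_only=yes or the level is 'encrypt', TLS is active."""
        if not self.cfg.sasl_auth_enable:
            return False
        if self.tls_active:
            return True
        if self.cfg.tls_security_level == "encrypt":
            return False
        return not self.cfg.tls_auth_only

    def ehlo_keywords(self) -> list:
        kws = ["PIPELINING", "8BITMIME"]
        if self.cfg.tls_security_level != "none" and not self.tls_active:
            kws.append("STARTTLS")          # offered until TLS is up
        if self.auth_permitted():
            kws.append("AUTH PLAIN LOGIN")  # announced only when permitted
        return kws

    def command(self, line: str) -> str:
        parts = line.split()
        verb = parts[0].upper() if parts else ""
        tls_mandatory = self.cfg.tls_security_level == "encrypt"
        if tls_mandatory and not self.tls_active and verb not in PRE_TLS_ALLOWED:
            reply = MUST_STARTTLS           # 'encrypt' rejects everything else
        elif verb == "EHLO":
            lines = ["mail.example.test"] + self.ehlo_keywords()
            reply = "\n".join(("250-" if i < len(lines) - 1 else "250 ") + text
                              for i, text in enumerate(lines))
        elif verb == "STARTTLS":
            if self.cfg.tls_security_level == "none":
                reply = "502 5.5.1 Error: command not implemented"
            elif self.tls_active:
                reply = "554 5.5.1 Error: TLS already active"
            else:
                self.tls_active = True      # handshake itself is out of scope
                reply = "220 2.0.0 Ready to start TLS"
        elif verb == "AUTH":
            if not self.cfg.sasl_auth_enable:
                reply = "503 5.5.1 Error: authentication not enabled"
            elif not self.auth_permitted():
                reply = MUST_STARTTLS       # auth_only=yes before STARTTLS
            else:
                reply = "235 2.7.0 Authentication successful"  # credential check skipped
        else:
            reply = "250 2.0.0 Ok"
        return reply


def auth_outcome(cfg: SmtpdConfig) -> dict:
    """EHLO and AUTH on a plaintext session, then again after STARTTLS."""
    s = SmtpdSession(cfg)
    ehlo_plain = s.command("EHLO client.example.test")
    auth_plain = s.command(SAMPLE_AUTH)
    s.command("STARTTLS")
    ehlo_tls = s.command("EHLO client.example.test")
    auth_tls = s.command(SAMPLE_AUTH)
    return {
        "auth_announced_plaintext": "AUTH PLAIN LOGIN" in ehlo_plain,
        "auth_reply_plaintext": auth_plain,
        "auth_announced_tls": "AUTH PLAIN LOGIN" in ehlo_tls,
        "auth_reply_tls": auth_tls,
    }


if __name__ == "__main__":
    for level, auth_only in (("may", False), ("may", True), ("encrypt", False)):
        print(level, auth_only, auth_outcome(SmtpdConfig(True, level, auth_only)))
```

Running it shows the three cases side by side: with level "may" and auth_only off, AUTH is announced and accepted on the plaintext session (the case where a packet capture sees the password); with auth_only on, the plaintext EHLO omits AUTH and an AUTH attempt gets a 530 until STARTTLS, after which both succeed; with level "encrypt", even MAIL FROM is refused before STARTTLS. With SASL disabled the server neither announces nor accepts AUTH on either side of STARTTLS, regardless of the TLS settings.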