Re: STARTTLS not announced?!

  • Benny Pedersen
    Message 1 of 20 , Jun 14, 2013
      /dev/rob0 wrote on 2013-06-15 05:27:

      > I think the OP will have to fix the logging problem before we can
      > solve this issue.

      it would be more relative simple to use more default settings, if OP is
      unsure what to do

      sorry if i write it such it could be misunderstandable :(

      --
      senders that put my email into body content will deliver it to my own
      trashcan, so if you like to get reply, don't do it
    • Jan Kohnert
      Message 2 of 20 , Jun 15, 2013
        On Saturday, 15 June 2013, 04:03:44, Benny Pedersen wrote:
        > Jan Kohnert wrote on 2013-06-15 03:58:
        > > Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.
        >
        > starttls have nothing to do with auth or not

        Come on, read the documentation:

        http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

        --
        Kind regards, Jan
      • Benny Pedersen
        Message 3 of 20 , Jun 15, 2013
          Jan Kohnert wrote on 2013-06-15 10:57:

          > http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

          do i need to tell it in --verbose ?

          starttls have nothing to do with auth, just because this option have
          tls and auth in one line does not make tls/ssl needed to make auth work

          --
          senders that put my email into body content will deliver it to my own
          trashcan, so if you like to get reply, don't do it
        • Jeroen Geilman
          Message 4 of 20 , Jun 15, 2013
            On 06/15/2013 12:13 PM, Benny Pedersen wrote:
            > Jan Kohnert wrote on 2013-06-15 10:57:
            >
            >> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
            >
            > do i need to tell it in --verbose ?
            >
            > starttls have nothing to do with auth, just because this option have
            > tls and auth in one line does not make tls/ssl needed to make auth work
            >

            Quoted from the above documentation:

            smtpd_tls_auth_only (default: no)
            "When TLS encryption is optional in the Postfix SMTP server, do
            not announce or accept SASL authentication over unencrypted connections. "

            In other words, yes, setting this option in conjunction with
            "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.

            smtpd_tls_security_level = encrypt means the server will *reject* any
            commands that are not STARTTLS, until a TLS connection has been established.

            This includes AUTH.

            --
            J.
          • Benny Pedersen
            Message 5 of 20 , Jun 15, 2013
              Jeroen Geilman wrote on 2013-06-15 15:35:

              > Quoted from the above documentation:
              >
              > smtpd_tls_auth_only (default: no)
              > "When TLS encryption is optional in the Postfix SMTP server,
              > do not announce or accept SASL authentication over unencrypted
              > connections. "

              it does not say it disables auth anywhere, it just says it would not be
              possible to connect without starttls or not, starttls on its own have
              nothing to do with auth or not

              check your own logs how many clients use starttls without auth

              just because it seldom seen in real life that no one will send auth
              over an non tls/ssl does not mean it does not work

              postfix have both auth and starttls, starttls is just for clients to
              use ssl/tls on port 25, email clients will not use starttls in 2013,
              since submission is the right thing anyway

              > In other words, yes, setting this option in conjunction with
              > "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.
              >
              > smtpd_tls_security_level = encrypt means the server will *reject* any
              > commands that are not STARTTLS, until a TLS connection has been
              > established.
              >
              > This includes AUTH.

              it still not needed to use ssl/tls to make auth work

              --
              senders that put my email into body content will deliver it to my own
              trashcan, so if you like to get reply, don't do it
            • Wietse Venema
              Message 6 of 20 , Jun 15, 2013
                Benny Pedersen:
                > Jeroen Geilman wrote on 2013-06-15 15:35:
                >
                > > Quoted from the above documentation:
                > >
                > > smtpd_tls_auth_only (default: no)
                > > "When TLS encryption is optional in the Postfix SMTP server,
                > > do not announce or accept SASL authentication over unencrypted
                > > connections. "
                >
                > it does not say it disables auth anywhere,

                The server does not announce or accept AUTH, therefore AUTH is disabled.

                Wietse
              • Benny Pedersen
                Message 7 of 20 , Jun 15, 2013
                  wietse@... wrote on 2013-06-15 16:13:

                  > The server does not announce or accept AUTH, therefore AUTH is
                  > disabled.

                  auth does not need starttls, if auth is not announced then auth is
                  disabled

                  --
                  senders that put my email into body content will deliver it to my own
                  trashcan, so if you like to get reply, don't do it
                • Wietse Venema
                  Message 8 of 20 , Jun 15, 2013
                    > smtpd_tls_auth_only (default: no)
                    > "When TLS encryption is optional in the Postfix SMTP server,
                    > do not announce or accept SASL authentication over unencrypted
                    > connections. "

                    Benny Pedersen:
                    > auth does not need starttls, if auth is not announced then auth is
                    > disabled

                    AUTH requires STARTTLS with smtpd_tls_auth_only=yes.

                    In view of your contributions in recent threads, you are one
                    step away from removal from this mailing list.

                    Wietse
                  • Peter
                    Message 9 of 20 , Jun 16, 2013
                      I do realize that this thread probably shouldn't be continued, however I
                      see some gross misstatements here that need correcting so that someone
                      browsing the thread won't be misled by them at a later time...

                      On 06/16/2013 01:58 AM, Benny Pedersen wrote:
                      >> smtpd_tls_auth_only (default: no)
                      >> "When TLS encryption is optional in the Postfix SMTP server,
                      >> do not announce or accept SASL authentication over unencrypted
                      >> connections. "
                      >
                      > it does not say it disables auth anywhere, it just says it would not be
                      > possible to connect without starttls or not,

                      No it disabled auth until STARTTLS is established. It has nothing to do
                      with the connection.

                      > just because it seldom seen in real life that no one will send auth over
                      > an non tls/ssl does not mean it does not work

                      It does not work if smtpd_tls_auth_only is set to yes.

                      > starttls is just for clients to use ssl/tls on port 25,

                      Actually clients shouldn't use port 25, and neither should you be using
                      auth on port 25. Clients will use STARTTLS on port 587, however, and
                      both postfix and MUAs can be configured to use STARTTLS on any port you
                      wish (via master.cf).

                      > email clients will not use starttls in 2013,

                      Seriously? So how is an MUA intended to establish an encrypted
                      connection to an MSA, then?

                      > since submission is the right thing anyway

                      Submission is a port (587) which uses the (e)smtp protocol to submit
                      messages from an MUA (email client) to an MSA (email submission server)
                      and can use STARTTLS for encryption. There is no other way to do
                      encryption on the submission port.

                      > it still not needed to use ssl/tls to make auth work

                      It is if you set smtpd_tls_auth_only=yes.


                      Peter
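
An added example, not part of any post in this thread: a small check for the behaviour the replies describe, comparing the EHLO features a server offers before and after STARTTLS to see whether AUTH is offered on an unencrypted connection. The function names, finding labels and sample replies are constructed for illustration; `probe()` uses only standard `smtplib` calls and is meant for a server you operate.

```python
import smtplib
import ssl

def parse_ehlo(reply):
    """Map each ESMTP keyword (lowercased) in a 250 reply to its parameters."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # line 1 is the server name
        if not line.startswith(("250-", "250 ")):
            continue
        text = line[4:].strip()
        if text.upper().startswith("AUTH="):      # legacy "AUTH=PLAIN LOGIN" form
            text = "AUTH " + text[5:]
        words = text.split()
        if words:
            features.setdefault(words[0].lower(), []).extend(words[1:])
    return features

def audit(pre, post):
    """Compare features seen before and after STARTTLS on a submission port."""
    findings = []
    if "starttls" not in pre:
        findings.append("starttls-not-announced")
    if "auth" in pre:
        findings.append("auth-in-cleartext")      # as with smtpd_tls_auth_only = no
    if "starttls" in pre and "auth" not in post:
        findings.append("no-auth-after-tls")
    return findings

def probe(host, port=587):
    """Live check against a server you operate; host and port are assumptions."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre, post = dict(s.esmtp_features), {}
        if "starttls" in pre:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            post = dict(s.esmtp_features)
    return audit(pre, post)

# Constructed sample replies (not captured from a real server).
CLEAR_AUTH_ONLY_NO = """250-mail.example.test
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN"""
CLEAR_AUTH_ONLY_YES = """250-mail.example.test
250 STARTTLS"""
AFTER_TLS = """250-mail.example.test
250-PIPELINING
250 AUTH PLAIN LOGIN"""
```

With `smtpd_tls_auth_only = yes` the expected result on a submission port is an empty list: STARTTLS is announced, AUTH is absent before TLS and present after it.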