
sasl on smtps: allowing plaintext

  • Vincent Pelletier
    Message 1 of 7 , Jul 16 2:06 PM
      Hi.

      Following pointers and advice from pj and adaptr on freenode, I've
      set up postfix on my box to send mail through the mail accounts I have
      (including the one I'm sending from now). The problem is, some of my
      account providers do not support TLS, so I have to use stunnel. Then,
      postfix logs
      warning: SASL authentication failure: No worthy mechs found
      thanks to
      smtp_sasl_security_options = noanonymous, noplaintext
      and queues the message for retry.

      How can I tell postfix that plaintext auth mechanisms should be allowed
      when sending to a specific ip (and maybe port)?
      Of course, I would like to keep plaintext auth disallowed anywhere else.

      Regards,
      --
      Vincent Pelletier
    • Viktor Dukhovni
      Message 2 of 7 , Jul 16 3:03 PM
        On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:

        > Following pointers and advice from pj and adaptr on freenode, I've
        > set up postfix on my box to send mail through the mail accounts I have
        > (including the one I'm sending from now). The problem is, some of my
        > account providers do not support TLS, so I have to use stunnel. Then,
        > postfix logs
        > warning: SASL authentication failure: No worthy mechs found
        > thanks to
        > smtp_sasl_security_options = noanonymous, noplaintext
        > and queues the message for retry.
        >
        > How can I tell postfix that plaintext auth mechanisms should be allowed
        > when sending to a specific ip (and maybe port)?
        > Of course, I would like to keep plaintext auth disallowed anywhere else.

        Separate destinations with incompatible SASL requirements by
        transport (clone smtp/unix under additional names). Configure
        each transport's SASL settings via:

        master.cf:
        mumble unix ... smtp
        -o smtp_sasl_security_options=$mumble_sasl_security_options

        main.cf:
        mumble_sasl_security_options = ...

        transport:
        example.com mumble:[mail.example.com]:587

        And similarly from sender_dependent_default_transport_maps, ...

        --
        Viktor.
      • /dev/rob0
        Message 3 of 7 , Jul 16 4:10 PM
          On Tue, Jul 16, 2013 at 10:03:57PM +0000, Viktor Dukhovni wrote:
          > On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:
          >
          > > Following pointers and advice from pj and adaptr on freenode,
          > > I've set up postfix on my box to send mail through the mail
          > > accounts I have (including the one I'm sending from now). The
          > > problem is, some of my account providers do not support TLS, so
          > > I have to use stunnel. Then, postfix logs
          > > warning: SASL authentication failure: No worthy mechs found
          > > thanks to
          > > smtp_sasl_security_options = noanonymous, noplaintext
          > > and queues the message for retry.
          > >
          > > How can I tell postfix that plaintext auth mechanisms should be
          > > allowed when sending to a specific ip (and maybe port)?
          > > Of course, I would like to keep plaintext auth disallowed
          > > anywhere else.
          >
          > Separate destinations with incompatible SASL requirements by
          > transport (clone smtp/unix under additional names). Configure
          > each transport's SASL settings via:

          Sure, this works, but why is it a problem? Why not just enforce TLS
          where it is needed?

          http://www.postfix.org/TLS_README.html#client_tls_policy
          http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

          A Postfix which is using a relayhost is not going to connect to
          random Internet sites, and it is definitely not going to attempt to
          AUTH at any site not configured in $smtp_sasl_password_maps.

          > master.cf:
          > mumble unix ... smtp
          > -o smtp_sasl_security_options=$mumble_sasl_security_options
          >
          > main.cf:
          > mumble_sasl_security_options = ...
          >
          > transport:
          > example.com mumble:[mail.example.com]:587
          >
          > And similarly from sender_dependent_default_transport_maps, ...
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Vincent Pelletier
          Message 4 of 7 , Jul 16 11:19 PM
            On Tue, 16 Jul 2013 18:10:27 -0500, /dev/rob0 <rob0@...> wrote:
            > Sure, this works, but why is it a problem? Why not just enforce TLS
            > where it is needed?
            >
            > http://www.postfix.org/TLS_README.html#client_tls_policy
            > http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
            >
            > A Postfix which is using a relayhost is not going to connect to
            > random Internet sites, and it is definitely not going to attempt to
            > AUTH at any site not configured in $smtp_sasl_password_maps.

            Maybe I'm being paranoid, but because not all my relays support TLS I
            cannot be stricter than
            smtp_tls_security_level = may
            without also having separate transports (if I understand correctly).
            So if I do not set noplaintext and someday one of the
            usually-TLS-enabled relays doesn't offer TLS (config hiccup...),
            postfix will AUTH.

            --
            Vincent Pelletier
          • Viktor Dukhovni
            Message 5 of 7 , Jul 17 6:37 AM
              On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

              > Maybe I'm being paranoid, but because not all my relays support TLS I
              > cannot be stricter than
              > smtp_tls_security_level = may
              > without also having separate transports (if I understand correctly).
              > So if I do not set noplaintext and someday one of the
              > usually-TLS-enabled relays doesn't offer TLS (config hiccup...),
              > postfix will AUTH.

              The suggestion is I believe to use smtp_tls_policy_maps to ensure
              that TLS is used for destinations where you will be using plaintext
              authentication.

              # MITM resistant authenticated TLS
              [smtp.example.com]:587 secure match=smtp.example.com

              # MITM vulnerable unauthenticated TLS
              [smtp.example.com]:587 encrypt

              # Some day when provider adopts DNSSEC and publishes a suitable TLSA
              # RRset and you've deployed Postfix 2.11
              #
              [smtp.example.com]:587 dane-only

              --
              Viktor.
            • Vincent Pelletier
              Message 6 of 7 , Jul 17 11:10 AM
                On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
                <postfix-users@...> wrote:
                > The suggestion is I believe to use smtp_tls_policy_maps to ensure
                > that TLS is used for destinations where you will be using plaintext
                > authentication.

                Thanks, I think I understand now:
                main.cf (or a few -o in master.cf's submission service):
                smtp_sasl_security_options = noanonymous
                smtp_tls_security_level = must
                smtp_tls_policy_maps = hash:blah

                blah:
                [127.0.0.1] none

                This is indeed closer to the mental picture I had of the solution
                (host-based lookup), but I didn't notice the need for a lax
                smtp_sasl_security_options value.

                I've the idea to someday move my postfix setup to a server also sending
                & receiving mails for its own domain. Is it a bad idea (error-prone)
                to mix both of those use cases on a single postfix, generally speaking?

                If I understand correctly, a setup with both roles would need your
                initial suggestion (which I setup successfully before noticing the
                second reply).

                Regards,
                --
                Vincent Pelletier
              • Viktor Dukhovni
                Message 7 of 7 , Jul 17 12:19 PM
                  On Wed, Jul 17, 2013 at 08:10:44PM +0200, Vincent Pelletier wrote:

                  > On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
                  > <postfix-users@...> wrote:
                  > > The suggestion is I believe to use smtp_tls_policy_maps to ensure
                  > > that TLS is used for destinations where you will be using plaintext
                  > > authentication.
                  >
                  > Thanks, I think I understand now:
                  > main.cf (or a few -o in master.cf's submission service):
                  > smtp_sasl_security_options = noanonymous
                  > smtp_tls_security_level = must

                  "must" is not a valid value for "smtp_tls_security_level", see the
                  documentation for details.

                  > smtp_tls_policy_maps = hash:blah
                  >
                  > blah:
                  > [127.0.0.1] none

                  Either a secure default and insecure exceptions, or the converse.

                  --
                  Viktor.
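Added example, not code from the thread, from either poster, or from Postfix itself: a small Python audit of the kind of client configuration the thread converges on. It models both designs discussed above, Viktor's cloned transport with its own smtp_sasl_security_options (message 2) for the stunnel hop, and smtp_tls_policy_maps with a secure default and insecure exceptions (messages 5 and 7), and reports, for every destination that has an smtp_sasl_password_maps entry, whether plaintext AUTH can only happen under TLS, whether that TLS is MITM-resistant, or whether the setup reproduces the original "No worthy mechs found" deferral. The transport name stunnel, the hostnames, ports, map contents and verdict labels are all assumptions constructed for the example; the table lookup order is a simplification of the rules in postconf(5).

```python
"""Audit a Postfix SMTP-client setup for destinations whose SASL credentials
could be sent over a cleartext session.  Added example, not code from the
thread or from Postfix; the configuration below is constructed inline and
the table lookup order is a simplification of the rules in postconf(5)."""
from collections import namedtuple

# Levels that guarantee encryption before AUTH, and the subset that also
# authenticates the server.  "may" and "dane" are in neither: without TLSA
# records "dane" degrades to opportunistic TLS, so cleartext stays possible.
ENCRYPTING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
AUTHENTICATING = {"dane-only", "fingerprint", "verify", "secure"}
LOOPBACK = {"[127.0.0.1]", "[::1]", "127.0.0.1", "localhost"}

# --- constructed sample configuration (names, hosts and ports are assumed) ---
MAIN_CF = {
    "smtp_tls_security_level": "encrypt",             # secure default
    "smtp_sasl_security_options": "noanonymous, noplaintext",
    "smtp_sasl_tls_security_options": "noanonymous",  # plaintext only under TLS
}
# master.cf "-o" overrides per transport; "stunnel" is a cloned smtp service
# talking cleartext to a local stunnel that wraps that hop in TLS itself.
MASTER_CF = {
    "smtp": {},
    "stunnel": {"smtp_tls_security_level": "none",
                "smtp_sasl_security_options": "noanonymous"},
}
# (transport, nexthop) pairs as a transport_maps lookup would yield them
ROUTES = [("smtp", "[smtp.example.com]:587"), ("stunnel", "[127.0.0.1]:2525"),
          ("smtp", "[mail.example.net]:587"), ("smtp", "[legacy.example.org]:25")]
# smtp_tls_policy_maps: the insecure exceptions to the secure default
TLS_POLICY = {"[smtp.example.com]:587": "secure match=smtp.example.com",
              "[127.0.0.1]": "none", "[legacy.example.org]": "may"}
# keys of smtp_sasl_password_maps; the secrets themselves do not matter here
SASL_PASSWD = {"[smtp.example.com]:587", "[127.0.0.1]:2525",
               "[mail.example.net]:587", "[legacy.example.org]:25"}

Finding = namedtuple("Finding", "transport nexthop tls_level sasl_options verdict")


def split_host(nexthop):
    """'[host]:port' -> ('[host]', 'port'); 'host' -> ('host', '')."""
    if nexthop.startswith("["):
        host = nexthop[: nexthop.index("]") + 1]
        rest = nexthop[len(host):]
        return host, (rest[1:] if rest.startswith(":") else "")
    host, _, port = nexthop.partition(":")
    return host, port


def lookup_keys(nexthop, parents=False):
    """Keys tried for a next-hop: with port, then without, then (for
    unbracketed names, if requested) parent domains with a leading dot."""
    host, port = split_host(nexthop)
    keys = [nexthop, host] if port else [host]
    if parents and not host.startswith("["):
        labels = host.split(".")
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys


def effective(param, transport):
    """main.cf value unless the transport's master.cf entry overrides it;
    smtp_sasl_tls_security_options defaults to $smtp_sasl_security_options."""
    value = MASTER_CF.get(transport, {}).get(param, MAIN_CF.get(param))
    if value is None and param == "smtp_sasl_tls_security_options":
        return effective("smtp_sasl_security_options", transport)
    return value or ""


def option_set(param, transport):
    return frozenset(effective(param, transport).replace(",", " ").split())


def classify(transport, nexthop):
    """Decide how the credentials for one route can leave the machine."""
    policy = next((TLS_POLICY[k] for k in lookup_keys(nexthop, parents=True)
                   if k in TLS_POLICY), None)
    level = (policy.split()[0] if policy            # first word is the level
             else effective("smtp_tls_security_level", transport) or "none")
    if level in ENCRYPTING:
        opts = option_set("smtp_sasl_tls_security_options", transport)
        verdict = "authenticated-tls" if level in AUTHENTICATING else "unauthenticated-tls"
    else:  # TLS not guaranteed, so the non-TLS SASL options apply
        opts = option_set("smtp_sasl_security_options", transport)
        if "noplaintext" in opts:
            verdict = "plaintext-refused"  # "No worthy mechs found", mail deferred
        elif split_host(nexthop)[0] in LOOPBACK:
            verdict = "cleartext-auth-loopback"  # fine only if stunnel wraps it
        else:
            verdict = "cleartext-auth"  # credentials go on the wire in clear
    return Finding(transport, nexthop, level, opts, verdict)


def audit(routes=ROUTES, creds=SASL_PASSWD):
    """Classify every route for which smtp_sasl_password_maps has an entry."""
    return [classify(t, n) for t, n in routes
            if any(k in creds for k in lookup_keys(n))]


if __name__ == "__main__":
    for f in audit():
        print(f"{f.transport:8}{f.nexthop:26} tls={f.tls_level:8} "
              f"sasl={','.join(sorted(f.sasl_options))} -> {f.verdict}")
```

Run as-is, the stunnel hop is reported as cleartext-auth-loopback (the leg Vincent deliberately allows, because stunnel encrypts it from there), [mail.example.net]:587 comes out as unauthenticated-tls (the "encrypt" level Viktor labels MITM vulnerable), and [legacy.example.org]:25 reproduces the original symptom: with "may" and the global noplaintext, Postfix refuses PLAIN/LOGIN and the message is deferred. The split between smtp_sasl_security_options and smtp_sasl_tls_security_options is what lets the global noplaintext stay in force for any session that ends up without TLS; a plain cleartext-auth line is the finding to fix, either by tightening that destination's policy-map entry or by routing it through a cloned transport with its own SASL options as in message 2.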