Loading ...
Sorry, an error occurred while loading the content.

Re: sasl on smtps: allowing plaintext

Expand Messages
  • Viktor Dukhovni
    ... Separate destinations with incompatible SASL requirements by transport (clone smtp/unix under additional names). Configure each transport s SASL settings
    Message 1 of 7 , Jul 16, 2013
    • 0 Attachment
      On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:

      > Following pointers and advice from pj and adaptr on freenode, I've
      > setup postfix on my box to send mail through the mail accounts I have
      > (including the one I'm sending from now). The problem is, some of my
      > account providers do not support TLS, so I have to use stunnel. Then,
      > postfix logs
      > warning: SASL authentication failure: No worthy mechs found
      > thanks to
      > smtp_sasl_security_options = noanonymous, noplaintext
      > and queues the message for retry.
      >
      > How can I tell postfix that plaintext auth mechanisms should be allowed
      > when sending to a specific ip (and maybe port) ?
      > Of course, I would like to keep plaintext auth disallowed anywhere else.

      Separate destinations with incompatible SASL requirements by
      transport (clone smtp/unix under additional names). Configure
      each transport's SASL settings via:

      master.cf:
      mumble unix ... smtp
      -o smtp_sasl_security_options=$mumble_sasl_security_options

      main.cf:
      mumble_sasl_security_options = ...

      transport:
      example.com mumble:[mail.example.com]:587

      And similarly from sender_dependent_default_transport_maps, ...

      --
      Viktor.
    • /dev/rob0
      ... Sure, this works, but why is it a problem? Why not just enforce TLS where it is needed? http://www.postfix.org/TLS_README.html#client_tls_policy
      Message 2 of 7 , Jul 16, 2013
      • 0 Attachment
        On Tue, Jul 16, 2013 at 10:03:57PM +0000, Viktor Dukhovni wrote:
        > On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:
        >
        > > Following pointers and advice from pj and adaptr on freenode,
        > > I've setup postfix on my box to send mail through the mail
        > > accounts I have (including the one I'm sending from now). The
        > > problem is, some of my account providers do not support TLS, so
        > > I have to use stunnel. Then, postfix logs
        > > warning: SASL authentication failure: No worthy mechs found
        > > thanks to
        > > smtp_sasl_security_options = noanonymous, noplaintext
        > > and queues the message for retry.
        > >
        > > How can I tell postfix that plaintext auth mechanisms should be
        > > allowed when sending to a specific ip (and maybe port) ?
        > > Of course, I would like to keep plaintext auth disallowed
        > > anywhere else.
        >
        > Separate destinations with incompatible SASL requirements by
        > transport (clone smtp/unix under additional names). Configure
        > each transport's SASL settings via:

        Sure, this works, but why is it a problem? Why not just enforce TLS
        where it is needed?

        http://www.postfix.org/TLS_README.html#client_tls_policy
        http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

        A Postfix which is using a relayhost is not going to connect to
        random Internet sites, and it is definitely not going to attempt to
        AUTH at any site not configured in $smtp_sasl_password_maps.

        > master.cf:
        > mumble unix ... smtp
        > -o smtp_sasl_security_options=$mumble_sasl_security_options
        >
        > main.cf:
        > mumble_sasl_security_options = ...
        >
        > transport:
        > example.com mumble:[mail.example.com]:587
        >
        > And similarly from sender_dependent_default_transport_maps, ...
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      • Vincent Pelletier
        ... Maybe I m being paranoid, but because not all my relays support TLS I cannot be stricter than smtp_tls_security_level = may without also having separate
        Message 3 of 7 , Jul 16, 2013
        • 0 Attachment
          On Tue, 16 Jul 2013 18:10:27 -0500, /dev/rob0 <rob0@...> wrote:
          > Sure, this works, but why is it a problem? Why not just enforce TLS
          > where it is needed?
          >
          > http://www.postfix.org/TLS_README.html#client_tls_policy
          > http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
          >
          > A Postfix which is using a relayhost is not going to connect to
          > random Internet sites, and it is definitely not going to attempt to
          > AUTH at any site not configured in $smtp_sasl_password_maps.

          Maybe I'm being paranoid, but because not all my relays support TLS I
          cannot be stricter than
          smtp_tls_security_level = may
          without also having separate transports (if I understand correctly).
          So if I do not set noplaintext and someday one of the
          usually-TLS-enabled relays doesn't offer TLS (config hickup...),
          postfix will AUTH.

          --
          Vincent Pelletier
        • Viktor Dukhovni
          ... The suggestion is I believe to use smtp_tls_policy_maps to ensure that TLS is used for destinations where you will be using plaintext authentication. #
          Message 4 of 7 , Jul 17, 2013
          • 0 Attachment
            On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

            > Maybe I'm being paranoid, but because not all my relays support TLS I
            > cannot be stricter than
            > smtp_tls_security_level = may
            > without also having separate transports (if I understand correctly).
            > So if I do not set noplaintext and someday one of the
            > usually-TLS-enabled relays doesn't offer TLS (config hickup...),
            > postfix will AUTH.

            The suggestion is I believe to use smtp_tls_policy_maps to ensure
            that TLS is used for destinations where you will be using plaintext
            authentication.

            # MITM resistant authenticated TLS
            [smtp.example.com]:587 secure match=smtp.example.com

            # MITM vulnerable unauthenticated TLS
            [smtp.example.com]:587 encrypt

            # Some day when provider adopts DNSSEC and publishes a suitable TLSA
            # RRset and you've deployed Postfix 2.11
            #
            [smtp.example.com]:587 dane-only

            --
            Viktor.
          • Vincent Pelletier
            On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni ... Thanks, I think I understand now: main.cf (or a few -o in master.cf s submission service):
            Message 5 of 7 , Jul 17, 2013
            • 0 Attachment
              On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
              <postfix-users@...> wrote:
              > The suggestion is I believe to use smtp_tls_policy_maps to ensure
              > that TLS is used for destinations where you will be using plaintext
              > authentication.

              Thanks, I think I understand now:
              main.cf (or a few -o in master.cf's submission service):
              smtp_sasl_security_options = noanonymous
              smtp_tls_security_level = must
              smtp_tls_policy_maps = hash:blah

              blah:
              [127.0.0.1] none

              This is indeed closer to the mental picture I had of the solution
              (host-based lookup), but I didn't notice the need for a laxist
              smtp_sasl_security_options value.

              I've the idea to someday move my postfix setup to a server also sending
              & receiving mails for its own domain. Is it a bad idea (error-prone)
              to mix both of those use cases on a single postfix, generally speaking ?

              If I understand correctly, a setup with both roles would need your
              initial suggestion (which I setup successfully before noticing the
              second reply).

              Regards,
              --
              Vincent Pelletier
            • Viktor Dukhovni
              ... must is not a valid value for smtp_tls_security_level , see the documentation for details. ... Either a secure default and insecure exceptions, or the
              Message 6 of 7 , Jul 17, 2013
              • 0 Attachment
                On Wed, Jul 17, 2013 at 08:10:44PM +0200, Vincent Pelletier wrote:

                > On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
                > <postfix-users@...> wrote:
                > > The suggestion is I believe to use smtp_tls_policy_maps to ensure
                > > that TLS is used for destinations where you will be using plaintext
                > > authentication.
                >
                > Thanks, I think I understand now:
                > main.cf (or a few -o in master.cf's submission service):
                > smtp_sasl_security_options = noanonymous
                > smtp_tls_security_level = must

                "must" is not a valid value for "smtp_tls_security_level", see the
                documentation for details.

                > smtp_tls_policy_maps = hash:blah
                >
                > blah:
                > [127.0.0.1] none

                Either a secure default and insecure exceptions, or the converse.

                --
                Viktor.
              Your message has been successfully submitted and would be delivered to recipients shortly.