Loading ...
Sorry, an error occurred while loading the content.
 

Re: sasl on smtps: allowing plaintext

Expand Messages
  • /dev/rob0
    ... Sure, this works, but why is it a problem? Why not just enforce TLS where it is needed? http://www.postfix.org/TLS_README.html#client_tls_policy
    Message 1 of 7 , Jul 16, 2013
      On Tue, Jul 16, 2013 at 10:03:57PM +0000, Viktor Dukhovni wrote:
      > On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:
      >
      > > Following pointers and advice from pj and adaptr on freenode,
      > > I've setup postfix on my box to send mail through the mail
      > > accounts I have (including the one I'm sending from now). The
      > > problem is, some of my account providers do not support TLS, so
      > > I have to use stunnel. Then, postfix logs
      > > warning: SASL authentication failure: No worthy mechs found
      > > thanks to
      > > smtp_sasl_security_options = noanonymous, noplaintext
      > > and queues the message for retry.
      > >
      > > How can I tell postfix that plaintext auth mechanisms should be
      > > allowed when sending to a specific ip (and maybe port) ?
      > > Of course, I would like to keep plaintext auth disallowed
      > > anywhere else.
      >
      > Separate destinations with incompatible SASL requirements by
      > transport (clone smtp/unix under additional names). Configure
      > each transport's SASL settings via:

      Sure, this works, but why is it a problem? Why not just enforce TLS
      where it is needed?

      http://www.postfix.org/TLS_README.html#client_tls_policy
      http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

      A Postfix which is using a relayhost is not going to connect to
      random Internet sites, and it is definitely not going to attempt to
      AUTH at any site not configured in $smtp_sasl_password_maps.

      > master.cf:
      > mumble unix ... smtp
      > -o smtp_sasl_security_options=$mumble_sasl_security_options
      >
      > main.cf:
      > mumble_sasl_security_options = ...
      >
      > transport:
      > example.com mumble:[mail.example.com]:587
      >
      > And similarly from sender_dependent_default_transport_maps, ...
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Vincent Pelletier
      ... Maybe I m being paranoid, but because not all my relays support TLS I cannot be stricter than smtp_tls_security_level = may without also having separate
      Message 2 of 7 , Jul 16, 2013
        On Tue, 16 Jul 2013 18:10:27 -0500, /dev/rob0 <rob0@...> wrote:
        > Sure, this works, but why is it a problem? Why not just enforce TLS
        > where it is needed?
        >
        > http://www.postfix.org/TLS_README.html#client_tls_policy
        > http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
        >
        > A Postfix which is using a relayhost is not going to connect to
        > random Internet sites, and it is definitely not going to attempt to
        > AUTH at any site not configured in $smtp_sasl_password_maps.

        Maybe I'm being paranoid, but because not all my relays support TLS I
        cannot be stricter than
        smtp_tls_security_level = may
        without also having separate transports (if I understand correctly).
        So if I do not set noplaintext and someday one of the
        usually-TLS-enabled relays doesn't offer TLS (config hickup...),
        postfix will AUTH.

        --
        Vincent Pelletier
      • Viktor Dukhovni
        ... The suggestion is I believe to use smtp_tls_policy_maps to ensure that TLS is used for destinations where you will be using plaintext authentication. #
        Message 3 of 7 , Jul 17, 2013
          On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

          > Maybe I'm being paranoid, but because not all my relays support TLS I
          > cannot be stricter than
          > smtp_tls_security_level = may
          > without also having separate transports (if I understand correctly).
          > So if I do not set noplaintext and someday one of the
          > usually-TLS-enabled relays doesn't offer TLS (config hickup...),
          > postfix will AUTH.

          The suggestion is I believe to use smtp_tls_policy_maps to ensure
          that TLS is used for destinations where you will be using plaintext
          authentication.

          # MITM resistant authenticated TLS
          [smtp.example.com]:587 secure match=smtp.example.com

          # MITM vulnerable unauthenticated TLS
          [smtp.example.com]:587 encrypt

          # Some day when provider adopts DNSSEC and publishes a suitable TLSA
          # RRset and you've deployed Postfix 2.11
          #
          [smtp.example.com]:587 dane-only

          --
          Viktor.
        • Vincent Pelletier
          On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni ... Thanks, I think I understand now: main.cf (or a few -o in master.cf s submission service):
          Message 4 of 7 , Jul 17, 2013
            On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
            <postfix-users@...> wrote:
            > The suggestion is I believe to use smtp_tls_policy_maps to ensure
            > that TLS is used for destinations where you will be using plaintext
            > authentication.

            Thanks, I think I understand now:
            main.cf (or a few -o in master.cf's submission service):
            smtp_sasl_security_options = noanonymous
            smtp_tls_security_level = must
            smtp_tls_policy_maps = hash:blah

            blah:
            [127.0.0.1] none

            This is indeed closer to the mental picture I had of the solution
            (host-based lookup), but I didn't notice the need for a laxist
            smtp_sasl_security_options value.

            I've the idea to someday move my postfix setup to a server also sending
            & receiving mails for its own domain. Is it a bad idea (error-prone)
            to mix both of those use cases on a single postfix, generally speaking ?

            If I understand correctly, a setup with both roles would need your
            initial suggestion (which I setup successfully before noticing the
            second reply).

            Regards,
            --
            Vincent Pelletier
          • Viktor Dukhovni
            ... must is not a valid value for smtp_tls_security_level , see the documentation for details. ... Either a secure default and insecure exceptions, or the
            Message 5 of 7 , Jul 17, 2013
              On Wed, Jul 17, 2013 at 08:10:44PM +0200, Vincent Pelletier wrote:

              > On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
              > <postfix-users@...> wrote:
              > > The suggestion is I believe to use smtp_tls_policy_maps to ensure
              > > that TLS is used for destinations where you will be using plaintext
              > > authentication.
              >
              > Thanks, I think I understand now:
              > main.cf (or a few -o in master.cf's submission service):
              > smtp_sasl_security_options = noanonymous
              > smtp_tls_security_level = must

              "must" is not a valid value for "smtp_tls_security_level", see the
              documentation for details.

              > smtp_tls_policy_maps = hash:blah
              >
              > blah:
              > [127.0.0.1] none

              Either a secure default and insecure exceptions, or the converse.

              --
              Viktor.
            Your message has been successfully submitted and would be delivered to recipients shortly.