FW: Authentication issues

  • David Hulsebus
    Message 1 of 6, Aug 23, 2013
      When I added "noplaintext" as a security option, and because MD5 was in the
      mech list, SASL complained about no auth mechanism when it started. MD5 was
      already in the mech list but never failed because auth never reached it in
      the past; plain took precedence.

      I removed "noplaintext" and removed everything but plain and login in the
      mech list and all works well again.

      Thank you to all who offered your expertise. I have a follow up question.

      Why shouldn't I require TLS to encrypt all sessions for any clients who
      authenticate to send mail out? Isn't that what the following parameter
      accomplishes?

      smtpd_tls_security_level = encrypt

      The manual says "Encrypt - MUST NOT be applied in case of a
      publicly-referenced SMTP server."

      I don't want to require other mail servers to use TLS but looking at the
      logs tells me many clients are connecting via phones and hotspots.

      So any passing of plain text passwords over an unencrypted session is not
      wise.

      Thanks to those who offered upgrade advice. 8.04 should have been upgraded a
      year ago, and had I been here it would have been. I installed a few 12.04 LTS
      systems today to begin testing. I had a peek at a couple of web servers, backup
      servers, logging, etc... none of it looks pretty.

      I have a few more questions but they don't involve this thread and I will
      read more before I ask.

      Thanks again, Dave
    • Manuel Bieling
      Message 2 of 6, Aug 23, 2013
        On 08/24/2013 04:35 AM, David Hulsebus wrote:
        > Why shouldn't I require TLS to encrypt all sessions for any clients who
        > authenticates to send mail out. Isn't that what following parameter
        > accomplishes ?
        >
        > smtpd_tls_security_level = encrypt
        >
        > The manual says "Encrypt - MUST NOT be applied in case of a
        > publicly-referenced SMTP server."

        You should require TLS. Using 'smtpd_tls_auth_only = yes' achieves not
        accepting SASL authentication over unencrypted connections [1] without
        affecting your security level globally.

        I would recommend using 'smtpd_tls_security_level = may' on port 25.
        However, I prefer to use port 587 for authenticated mail submission, and
        'smtpd_tls_security_level = encrypt' might be suitable in this case.

        > So any passing of plain text passwords over an unencrypted session is not
        > wise.
        >
        Right.

        [1]: http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
        --
        GPG Key: B0CD87E2 (1C46 4291 FD7A A695 795F 537C BAD0 8AEB B0CD 87E2)
        --Manuel Bieling
      • Noel Jones
        Message 3 of 6, Aug 23, 2013
          On 8/23/2013 9:35 PM, David Hulsebus wrote:
          >
          > When I added "noplaintext" as a security option and because MD5 was in the
          > mech list SASL complained about no auth mechanism when it started. MD5 was
          > already in the mech list but never failed because auth never reached it in
          > the past, plain took precedence.
          >
          > I removed "noplaintext" and removed everything but plain and login in the
          > mech list and all works well again.
          >
          > Thank you to all who offered your expertise. I have a follow up question.
          >
          > Why shouldn't I require TLS to encrypt all sessions for any clients who
          > authenticates to send mail out. Isn't that what following parameter
          > accomplishes ?
          >
          > smtpd_tls_security_level = encrypt

          The setting above is typically used as a -o override option for the
          submission service on port 587, never for general SMTP on port 25.

          If you must offer AUTH on port 25, most folks also set
          # main.cf
          smtpd_tls_auth_only = yes
          to require encryption before AUTH is even offered. See:
          http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

          Probably better is to only offer AUTH on submission port 587 with
          required encryption, and not offer AUTH at all on port 25. Although
          getting all your clients to change their settings can be a challenge...


          -- Noel Jones
        • David Hulsebus
          Message 4 of 6, Aug 24, 2013
            > Probably better is to only offer AUTH on submission port 587 with
            > required encryption, and not offer AUTH at all on port 25.

            That is exactly what I want to do. If I uncomment this in the master.cf does
            it force TLS encryption on port 587 before authentication? If not, how would
            I do that?

            submission inet n - - - - smtpd
              -o smtpd_tls_security_level=encrypt
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              -o milter_macro_daemon_name=ORIGINATING

            Further, how do I not allow AUTH on port 25? I can't glean it from the docs.

            Thank you, Dave
          • Wietse Venema
            Message 5 of 6, Aug 24, 2013
              David Hulsebus:
              > > Probably better is to only offer AUTH on submission port 587 with
              > > required encryption, and not offer AUTH at all on port 25.
              >
              > That is exactly what I want to do. If I uncomment this in the master.cf does
              > it force TLS encryption on port 587 before authentication? If not, how would
              > I do that?
              >
              > submission inet n - - - - smtpd
              > -o smtpd_tls_security_level=encrypt
              > -o smtpd_sasl_auth_enable=yes
              > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              > -o milter_macro_daemon_name=ORIGINATING

              http://www.postfix.org/SASL_README.html#server_sasl_enable
              http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable

              http://www.postfix.org/TLS_README.html#server_tls
              http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
              http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

              > Further, how do I not allow AUTH on port 25. I can't glean it from the docs.

              http://www.postfix.org/SASL_README.html#server_sasl_enable

              Wietse
            • /dev/rob0
              Message 6 of 6, Aug 24, 2013
                On Sat, Aug 24, 2013 at 10:01:08AM -0400, David Hulsebus wrote:
                Noel:
                > > Probably better is to only offer AUTH on submission port 587
                > > with required encryption, and not offer AUTH at all on port 25.
                >
                > That is exactly what I want to do. If I uncomment this in the
                > master.cf does it force TLS encryption on port 587 before
                > authentication? If not, how would I do that?
                >
                > submission inet n - - - - smtpd
                > -o smtpd_tls_security_level=encrypt

                This means any command after EHLO and before STARTTLS will be
                rejected. TLS encryption is mandatory. See smtpd_tls_auth_only as
                well; that would mean that AUTH is not even offered in the initial
                unencrypted EHLO response. The client must STARTTLS first.

                > -o smtpd_sasl_auth_enable=yes
                > -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                If you're not allowing relay on port 25, you would remove permit_*
                restrictions from smtpd_recipient_restrictions in main.cf and change
                this from client to recipient.

                > -o milter_macro_daemon_name=ORIGINATING

                A non-standard smtpd instance should also have syslog_name set, to
                distinguish it in logs from other smtpd instances.

                -o syslog_name=postfix/submission


                > Further, how do I not allow AUTH on port 25. I can't glean it
                > from the docs.

                By default AUTH is not offered. You enabled that with this in
                main.cf:

                smtpd_sasl_auth_enable = yes

                If you remove that, you do not offer AUTH. You already have the
                override set for submission.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
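Added example, not code from this thread or from Postfix itself: the script below models the main.cf versus master.cf "-o" override resolution that Noel, Wietse and /dev/rob0 describe, and classifies each smtpd service by whether it can accept AUTH over an unencrypted session. The main.cf and master.cf contents are constructed for the example; the EHLO capability model and the treatment of smtpd_tls_auth_only when TLS is disabled are simplifications made here, not a reproduction of Postfix's own logic.

```python
"""Audit which Postfix smtpd services can accept SASL AUTH in the clear by
resolving main.cf against each service's master.cf "-o" overrides.
Added example with constructed configs (not the poster's real files)."""

import shlex

# Constructed main.cf: AUTH enabled globally, TLS optional, no auth_only.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed hardened main.cf, following the thread: AUTH is no longer
# switched on globally, so only services that override it will offer it.
HARDENED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

# Constructed master.cf: port 25 inherits main.cf, submission overrides it.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"command": ..., "overrides": {...}}}. A service
    line has 8 columns (the command is the 8th); indented lines carry
    "-o name=value" overrides that apply to the most recent service only."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            tokens = shlex.split(raw) if current else []
            for flag, arg in zip(tokens, tokens[1:]):
                if flag == "-o":
                    name, _, value = arg.partition("=")
                    services[current]["overrides"][name] = value
            continue
        fields = raw.split()
        current = fields[0]
        services[current] = {"command": fields[7] if len(fields) > 7 else "",
                             "overrides": {}}
    return services


def effective_params(main, service):
    """master.cf "-o" overrides win over main.cf, for that service only."""
    params = dict(main)
    params.update(service["overrides"])
    return params


def auth_exposure(params):
    """Classify a service as 'no-auth', 'encrypted-only' or 'plaintext-allowed'."""
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return "no-auth"
    level = params.get("smtpd_tls_security_level", "none")
    if level == "encrypt":            # mandatory TLS: nothing accepted before STARTTLS
        return "encrypted-only"
    if params.get("smtpd_tls_auth_only", "no") == "yes":
        # AUTH neither announced nor accepted until STARTTLS; with TLS disabled
        # the session can never become encrypted (modelled here as no-auth).
        return "encrypted-only" if level != "none" else "no-auth"
    return "plaintext-allowed"


def ehlo_capabilities(params, encrypted):
    """Simplified model of the EHLO reply before/after STARTTLS."""
    caps = ["PIPELINING", "8BITMIME"]
    level = params.get("smtpd_tls_security_level", "none")
    if level != "none" and not encrypted:
        caps.append("STARTTLS")
    exposure = auth_exposure(params)
    if exposure == "plaintext-allowed" or (exposure == "encrypted-only" and encrypted):
        caps.append("AUTH PLAIN LOGIN")
    return caps


def audit(main_text, master_text):
    """Map every smtpd service in master.cf to its AUTH exposure."""
    main = parse_main_cf(main_text)
    return {name: auth_exposure(effective_params(main, svc))
            for name, svc in parse_master_cf(master_text).items()
            if svc["command"] == "smtpd"}


if __name__ == "__main__":
    for label, cf in (("current", MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit(cf, MASTER_CF))
```

With the constructed "current" main.cf the audit reports port 25 as plaintext-allowed and submission as encrypted-only, which is the situation the thread starts from; dropping smtpd_sasl_auth_enable from main.cf (rob0's answer) turns port 25 into no-auth while the submission override keeps AUTH available there, and setting smtpd_tls_auth_only = yes (Noel's answer) is the alternative for sites that must keep AUTH on port 25.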