
Re: FW: Authentication issues

  • Noel Jones
    Message 1 of 6, Aug 23, 2013
      On 8/23/2013 9:35 PM, David Hulsebus wrote:
      >
      > When I added "noplaintext" as a security option and because MD5 was in the
      > mech list SASL complained about no auth mechanism when it started. MD5 was
      > already in the mech list but never failed because auth never reached it in
      > the past, plain took precedence.
      >
      > I removed "noplaintext" and removed everything but plain and login in the
      > mech list and all works well again.
      >
      > Thank you to all who offered your expertise. I have a follow up question.
      >
      > Why shouldn't I require TLS to encrypt all sessions for any clients who
      > authenticate to send mail out? Isn't that what the following parameter
      > accomplishes?
      >
      > smtpd_tls_security_level = encrypt

      The setting above is typically used as a -o override option for the
      submission service on port 587, never for general SMTP on port 25.

      If you must offer AUTH on port 25, most folks also set
      # main.cf
      smtpd_tls_auth_only = yes
      to require encryption before AUTH is even offered. See:
      http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

      Probably better is to only offer AUTH on submission port 587 with
      required encryption, and not offer AUTH at all on port 25. Although
      getting all your clients to change their settings can be a challenge...


      -- Noel Jones
    • David Hulsebus
      Message 2 of 6, Aug 24, 2013
        > Probably better is to only offer AUTH on submission port 587 with
        > required encryption, and not offer AUTH at all on port 25.

        That is exactly what I want to do. If I uncomment this in the master.cf does
        it force TLS encryption on port 587 before authentication? If not, how would
        I do that?

        submission inet n - - - - smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING

        Further, how do I not allow AUTH on port 25? I can't glean it from the docs.

        Thank you, Dave
      • Wietse Venema
        Message 3 of 6, Aug 24, 2013
          David Hulsebus:
          > > Probably better is to only offer AUTH on submission port 587 with
          > > required encryption, and not offer AUTH at all on port 25.
          >
          > That is exactly what I want to do. If I uncomment this in the master.cf does
          > it force TLS encryption on port 587 before authentication? If not, how would
          > I do that?
          >
          > submission inet n - - - - smtpd
          > -o smtpd_tls_security_level=encrypt
          > -o smtpd_sasl_auth_enable=yes
          > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          > -o milter_macro_daemon_name=ORIGINATING

          http://www.postfix.org/SASL_README.html#server_sasl_enable
          http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable

          http://www.postfix.org/TLS_README.html#server_tls
          http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
          http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

          > Further, how do I not allow AUTH on port 25? I can't glean it from the docs.

          http://www.postfix.org/SASL_README.html#server_sasl_enable

          Wietse
        • /dev/rob0
          Message 4 of 6, Aug 24, 2013
            On Sat, Aug 24, 2013 at 10:01:08AM -0400, David Hulsebus wrote:
            Noel:
            > > Probably better is to only offer AUTH on submission port 587
            > > with required encryption, and not offer AUTH at all on port 25.
            >
            > That is exactly what I want to do. If I uncomment this in the
            > master.cf does it force TLS encryption on port 587 before
            > authentication? If not, how would I do that?
            >
            > submission inet n - - - - smtpd
            > -o smtpd_tls_security_level=encrypt

            This means any command after EHLO and before STARTTLS will be
            rejected. TLS encryption is mandatory. See smtpd_tls_auth_only as
            well; that would mean that AUTH is not even offered in the initial
            unencrypted EHLO response. The client must STARTTLS first.

            > -o smtpd_sasl_auth_enable=yes
            > -o smtpd_client_restrictions=permit_sasl_authenticated,reject

            If you're not allowing relay on port 25, you would remove permit_*
            restrictions from smtpd_recipient_restrictions in main.cf and change
            this from client to recipient.

            > -o milter_macro_daemon_name=ORIGINATING

            A non-standard smtpd instance should also have syslog_name set, to
            distinguish it in logs from other smtpd instances.

            -o syslog_name=postfix/submission


            > Further, how do I not allow AUTH on port 25? I can't glean it
            > from the docs.

            By default AUTH is not offered. You enabled that with this in
            main.cf:

            smtpd_sasl_auth_enable = yes

            If you remove that, you do not offer AUTH. You already have the
            override set for submission.
            --
            http://rob0.nodns4.us/ -- system administration and consulting
            Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
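
A self-check for the outcome this thread converges on (no AUTH on port 25; on port 587, AUTH advertised only after STARTTLS). This is an added example, not code from any of the posts: it reads the ESMTP keywords out of an EHLO reply before and after STARTTLS and reports deviations from that policy. The host name and the sample EHLO replies are constructed; run `probe()` only against a server you administer.

```python
import smtplib


def ehlo_keywords(reply: str) -> set:
    """ESMTP keywords in an EHLO reply, from raw '250-STARTTLS' lines or smtplib's
    stripped form; the first line (server hostname) is skipped, 'AUTH=PLAIN' counts as AUTH."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250":
            line = line[4:]                 # drop the '250-' or '250 ' prefix
        if line.strip():
            keywords.add(line.split()[0].split("=")[0].upper())
    return keywords


def audit(port: int, before_tls: set, after_tls=None) -> list:
    """Findings against the thread's advice: no AUTH on 25; on 587, AUTH only inside TLS."""
    findings = []
    if port == 25 and "AUTH" in (before_tls | (after_tls or set())):
        findings.append("port 25 offers AUTH: remove smtpd_sasl_auth_enable=yes from main.cf")
    if port == 587:
        if "STARTTLS" not in before_tls:
            findings.append("port 587 does not offer STARTTLS")
        if "AUTH" in before_tls:
            findings.append("AUTH offered before STARTTLS: set smtpd_tls_auth_only=yes")
        if after_tls is not None and "AUTH" not in after_tls:
            findings.append("AUTH missing after STARTTLS: check the smtpd_sasl_auth_enable override")
    return findings


def probe(host: str, port: int, timeout: float = 10.0) -> list:
    """Connect to your own server, EHLO, STARTTLS if offered, EHLO again, then audit."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        before = ehlo_keywords(msg.decode("latin-1"))
        after = None
        if "STARTTLS" in before:
            smtp.starttls()                 # default SSL context; features must be re-read
            _, msg = smtp.ehlo()
            after = ehlo_keywords(msg.decode("latin-1"))
    return audit(port, before, after)


# Constructed EHLO replies: a port 25 that still offers AUTH, and a correct port 587.
SAMPLE_25 = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
SAMPLE_587_CLEAR = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
SAMPLE_587_TLS = "250-mail.example.test\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
```

`audit(25, ehlo_keywords(SAMPLE_25))` flags the port 25 AUTH offer, while `audit(587, ehlo_keywords(SAMPLE_587_CLEAR), ehlo_keywords(SAMPLE_587_TLS))` returns no findings; `probe("mail.example.test", 587)` does the same against a live server.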