Re: FW: Authentication issues

  • Wietse Venema
    Message 1 of 6 , Aug 24, 2013
      David Hulsebus:
      > > Probably better is to only offer AUTH on submission port 587 with
      > > required encryption, and not offer AUTH at all on port 25.
      >
      > That is exactly what I want to do. If I uncomment this in the master.cf does
      > it force TLS encryption on port 587 before authentication? If not, how would
      > I do that?
      >
      > submission inet n - - - - smtpd
      > -o smtpd_tls_security_level=encrypt
      > -o smtpd_sasl_auth_enable=yes
      > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      > -o milter_macro_daemon_name=ORIGINATING

      http://www.postfix.org/SASL_README.html#server_sasl_enable
      http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable

      http://www.postfix.org/TLS_README.html#server_tls
      http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
      http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

      > Further, how do I not allow AUTH on port 25. I can't glean it from the docs.

      http://www.postfix.org/SASL_README.html#server_sasl_enable

      Wietse
    • /dev/rob0
      Message 2 of 6 , Aug 24, 2013
        On Sat, Aug 24, 2013 at 10:01:08AM -0400, David Hulsebus wrote:
        Noel:
        > > Probably better is to only offer AUTH on submission port 587
        > > with required encryption, and not offer AUTH at all on port 25.
        >
        > That is exactly what I want to do. If I uncomment this in the
        > master.cf does it force TLS encryption on port 587 before
        > authentication? If not, how would I do that?
        >
        > submission inet n - - - - smtpd
        > -o smtpd_tls_security_level=encrypt

        This means any command after EHLO and before STARTTLS will be
        rejected. TLS encryption is mandatory. See smtpd_tls_auth_only as
        well; that would mean that AUTH is not even offered in the initial
        unencrypted EHLO response. The client must STARTTLS first.

        > -o smtpd_sasl_auth_enable=yes
        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject

        If you're not allowing relay on port 25, you would remove permit_*
        restrictions from smtpd_recipient_restrictions in main.cf and change
        this from client to recipient.

        > -o milter_macro_daemon_name=ORIGINATING

        A non-standard smtpd instance should also have syslog_name set, to
        distinguish it in logs from other smtpd instances.

        -o syslog_name=postfix/submission


        > Further, how do I not allow AUTH on port 25. I can't glean it
        > from the docs.

        By default AUTH is not offered. You enabled that with this in
        main.cf:

        smtpd_sasl_auth_enable = yes

        If you remove that, you do not offer AUTH. You already have the
        override set for submission.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
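
An added example, not part of the thread: a small Python audit of the setup discussed above. It applies each smtpd listener's `-o` overrides from master.cf on top of main.cf and flags listeners where AUTH is enabled on port 25, or is enabled without smtpd_tls_security_level=encrypt or smtpd_tls_auth_only=yes. The function names and the sample configuration are constructed for illustration, and only the `-o name=value` override form is handled.

```python
import shlex

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):  # {parameter: value} from main.cf text
    pairs = (line.partition("=") for line in logical_lines(text))
    return {k.strip(): v.strip() for k, _, v in pairs}

def smtpd_listeners(text):
    """Yield (service, {-o overrides}) for each 'inet ... smtpd' entry in master.cf."""
    for line in logical_lines(text):
        f = shlex.split(line)
        if len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd":
            args = f[8:]
            yield f[0], dict(a.split("=", 1) for flag, a in zip(args, args[1:])
                             if flag == "-o" and "=" in a)

def audit(main_text, master_text):
    """Return (service, problem) pairs for listeners that expose AUTH badly."""
    main, findings = parse_main_cf(main_text), []
    for service, over in smtpd_listeners(master_text):
        eff = {**main, **over}  # -o overrides in master.cf win over main.cf
        auth = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls_first = (eff.get("smtpd_tls_security_level") == "encrypt"
                     or eff.get("smtpd_tls_auth_only", "no") == "yes")
        if auth and service in ("smtp", "25"):  # assumed names of the port 25 entry
            findings.append((service, "AUTH offered on port 25"))
        if auth and not tls_first:
            findings.append((service, "AUTH possible before STARTTLS"))
    return findings

# Constructed sample input modelled on the thread: AUTH enabled globally in main.cf.
MAIN_CF = "smtpd_sasl_auth_enable = yes\n"
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""
```

`audit(MAIN_CF, MASTER_CF)` reports both problems for the `smtp` entry, which inherits AUTH from main.cf; `audit("", MASTER_CF)`, the state after removing that main.cf line, reports none.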