
Problems with sasl auth, and tls (secured flag)

  • Nathan Coulson
    Message 1 of 5 , Mar 6, 2014
      I wanted users to have the choice between connecting via TLS or not.
      By default, users would require TLS unless they choose otherwise.

      There is an existing userbase where some users use SSL/TLS, and others
      do not.



      We use dovecot for authentication. The auth protocol as mentioned at
      http://wiki2.dovecot.org/Design/AuthProtocol can accept a flag "secured"
      indicating if the sasl user is connecting securely (TLS, or localhost).
      smtpd_sasl_type = dovecot
      smtpd_sasl_auth_enable = yes

      In testing, we were seeing the following results:

      smtpd_tls_security_level=may
      AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=


      smtpd_tls_security_level=encrypt
      AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=



      The secured flag is only set when the level is set to encrypt. I would
      expect it to be set for any client that connects via TLS.


      Software:
      Postfix 2.6.6
      dovecot 2.2.5
    • Wietse Venema
      Message 2 of 5 , Mar 6, 2014
        Nathan Coulson:
        > In testing, we were seeing the following results:
        >
        > smtpd_tls_security_level=may
        > AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
        >
        > smtpd_tls_security_level=encrypt
        > AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
        >
        > The secured flag is only set when the level is set to encrypt. I would
        > expect it to be set for any client that connects via TLS.

        No, the secured flag is set when the client requests STARTTLS.

        Wietse

        /*
         * Set up a new server context for this connection.
         */
        #ifdef USE_TLS
        tls_flag = state->tls_context != 0;
        #else
        tls_flag = 0;
        #endif
        ...
        if ((state->sasl_server =
             XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
                                 stream = state->client,
                                 server_addr = (state->dest_addr ?
                                                state->dest_addr : ""),
                                 client_addr = ADDR_OR_EMPTY(state->addr,
                                                             CLIENT_ADDR_UNKNOWN),
                                 service = var_smtpd_sasl_service,
                                 user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
                                 security_options = sasl_opts_val,
                                 tls_flag = tls_flag)) == 0)
            msg_fatal("SASL per-connection initialization failed");
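The two messages above turn on one detail: Postfix computes tls_flag from whether a TLS context exists on the session and hands it to the SASL backend, and the Dovecot auth client protocol expresses that as a bare "secured" field in the tab-separated AUTH request (the "#011" in the logged lines is the syslog escape for a tab). The following is an added example, not code from the thread, from Postfix or from Dovecot: it parses AUTH request lines as they appear in dovecot debug logs, reports whether the secured flag was set, and builds a request the way a server following the same rule would, so an admin can check from the logs which logins ran over TLS. The sample lines are the ones posted in the thread; the function names are my own.

```python
"""Inspect and build Dovecot auth-client AUTH request lines (example code, not Postfix or Dovecot code)."""
import re

# rsyslog-style escape for control characters: "#" followed by three octal digits (tab is #011).
_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")


def decode_syslog_escapes(text: str) -> str:
    """Turn '#011'-style escapes back into the raw control characters."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_auth_request(line: str) -> dict:
    """Parse one AUTH request of the Dovecot auth client protocol.

    Layout (tab separated): AUTH <id> <mechanism> [key=value | flag] ...
    Fields without '=' (nologin, secured) are flags; the rest are parameters.
    """
    raw = decode_syslog_escapes(line.strip())
    fields = raw.split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    params, flags = {}, set()
    for field in fields[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            params[key] = value
        else:
            flags.add(field)
    return {"id": int(fields[1]), "mechanism": fields[2], "params": params, "flags": flags}


def is_secured(line: str) -> bool:
    """True when the server told Dovecot the session was TLS-protected (or local)."""
    return "secured" in parse_auth_request(line)["flags"]


def build_auth_request(req_id, mechanism, service, lip, rip, tls_active, initial_response=""):
    """Build an AUTH request as an SMTP server would.

    'secured' is emitted only when the session already has a TLS context,
    mirroring the tls_flag = state->tls_context != 0 rule quoted in the thread.
    """
    fields = ["AUTH", str(req_id), mechanism, "service=%s" % service, "nologin",
              "lip=%s" % lip, "rip=%s" % rip]
    if tls_active:
        fields.append("secured")
    fields.append("resp=%s" % initial_response)
    return "\t".join(fields)


# Sample lines copied from the thread's dovecot debug output (syslog-escaped, constructed input).
SAMPLE_PLAINTEXT = "AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp="
SAMPLE_TLS = "AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp="


def audit(lines):
    """Return (remote ip, mechanism, secured) per AUTH line so plaintext logins stand out."""
    out = []
    for line in lines:
        req = parse_auth_request(line)
        out.append((req["params"].get("rip"), req["mechanism"], "secured" in req["flags"]))
    return out


if __name__ == "__main__":
    for rip, mech, secured in audit([SAMPLE_PLAINTEXT, SAMPLE_TLS]):
        print("%s %s %s" % (rip, mech, "secured" if secured else "PLAINTEXT"))
```

Running audit() over a day's "auth: Debug: client in:" lines shows which remote addresses authenticated without the secured flag; with smtpd_tls_security_level=may that list is exactly the set of logins whose PLAIN/LOGIN credentials crossed the network unencrypted.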
      • Nathan Coulson
        Message 3 of 5 , Mar 6, 2014
          On 14-03-06 11:25 AM, Wietse Venema wrote:
          > Nathan Coulson:
          >> In testing, we were seeing the following results:
          >>
          >> smtpd_tls_security_level=may
          >> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
          >>
          >> smtpd_tls_security_level=encrypt
          >> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
          >>
          >> The secured flag is only set when the level is set to encrypt. I would
          >> expect it to be set for any client that connects via TLS.
          > No, the secured flag is set when the client requests STARTTLS.
          >
          > Wietse
          >
          > /*
          > * Set up a new server context for this connection.
          > */
          > #ifdef USE_TLS
          > tls_flag = state->tls_context != 0;
          > #else
          > tls_flag = 0;
          > #endif
          > ...
          > if ((state->sasl_server =
          > XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
          > stream = state->client,
          > server_addr = (state->dest_addr ?
          > state->dest_addr : ""),
          > client_addr = ADDR_OR_EMPTY(state->addr,
          > CLIENT_ADDR_UNKNOWN),
          > service = var_smtpd_sasl_service,
          > user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
          > security_options = sasl_opts_val,
          > tls_flag = tls_flag)) == 0)
          > msg_fatal("SASL per-connection initialization failed");

          The client (Using Thunderbird) is configured to use port 587, with
          STARTTLS. I did some more digging to confirm this, and from the logs it
          looks like it is requesting and using starttls.


          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: SPID?20191
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: CUID?1
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: COOKIE?c3217471bba339e1ac8623fa290932fc
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: DONE
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
          Mar 6 11:58:52 postfix dovecot: auth: Debug: auth client connected (pid=0)
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-STARTTLS
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no match
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ENHANCEDSTATUSCODES
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: STARTTLS
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 220 2.0.0 Ready to start TLS
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr request = seed
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr size = 32
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: status
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: status
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value: 0
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: seed
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: seed
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value: QsmI4b31iwCHbOZQ+JsrBXMJRqFizERI0hWa6lZP5wo=
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: (list terminator)
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: (end)
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no match
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ENHANCEDSTATUSCODES
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: AUTH PLAIN AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
          Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_first: sasl_method PLAIN, init_response AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
          Mar 6 11:58:52 postfix dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=IP3#011rip=IP1#011resp=<hidden>
        • Wietse Venema
          Message 4 of 5 , Mar 6, 2014
            The source code does not lie. I suppose someone down-stream improved it.

            Wietse
          • Nathan Coulson
            Message 5 of 5 , Mar 6, 2014
              On 14-03-06 12:15 PM, Nathan Coulson wrote:
              > On 14-03-06 11:25 AM, Wietse Venema wrote:
              >> Nathan Coulson:
              >>> In testing, we were seeing the following results:
              >>>
              >>> smtpd_tls_security_level=may
              >>> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
              >>>
              >>>
              >>> smtpd_tls_security_level=encrypt
              >>> AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
              >>>
              >>>
              >>> The secured flag is only set when the level is set to encrypt. I would
              >>> expect it to be set for any client that connects via TLS.
              >> No, the secured flag is set when the client requests STARTTLS.
              >>
              >> Wietse
              >>
              >> /*
              >> * Set up a new server context for this connection.
              >> */
              >> #ifdef USE_TLS
              >> tls_flag = state->tls_context != 0;
              >> #else
              >> tls_flag = 0;
              >> #endif
              >> ...
              >> if ((state->sasl_server =
              >> XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
              >> stream = state->client,
              >> server_addr = (state->dest_addr ?
              >> state->dest_addr : ""),
              >> client_addr = ADDR_OR_EMPTY(state->addr,
              >> CLIENT_ADDR_UNKNOWN),
              >> service = var_smtpd_sasl_service,
              >> user_realm =
              >> REALM_OR_NULL(var_smtpd_sasl_realm),
              >> security_options = sasl_opts_val,
              >> tls_flag = tls_flag)) == 0)
              >> msg_fatal("SASL per-connection initialization failed");
              >
              > The client (Using Thunderbird) is configured to use port 587, with
              > STARTTLS. I did some more digging to confirm this, and from the logs
              > it looks like it is requesting and using starttls.
              >
              >
              (Trimmed the log I posted on the last email)

              I tested postfix from RHEL 7 beta (2.10.1), and it passes on the secured
              flag when using STARTTLS.