
both ssl and tls authentification in postfix

  • vicafk
    Message 1 of 8, Apr 26, 2014
      *Hi folks !*

      I have a small problem with my postfix configuration.
      I'm trying to enable both SSL and TLS support and disable plain auth,
      however I can only make one of them work at the same time.
      If I enable SSL then TLS stops working, if I enable TLS, SSL stops working.
      (The error I receive in Outlook is "your server does not support the
      selected encryption type" or something like that.)

      Also I'm a bit plagued by a startup error which keeps popping up every few
      hours.

      Apr 25 07:09:08 mail postfix/smtpd[75486]: fatal: unexpected command-line
      argument: permit_sasl_authenticated,
      Apr 25 07:09:09 mail postfix/master[58712]: warning: process
      /usr/lib/postfix/smtpd pid 75486 exit status 1
      Apr 25 07:09:09 mail postfix/master[58712]: warning: /usr/lib/postfix/smtpd:
      bad command startup -- throttling

      No matter how I change the smtpd_client_restrictions, with quotes, without
      quotes, all in one line, separate lines, the error still pops up.

      Below is a link to my main.cf & master.cf:

      http://pastebin.com/TuZFz9s3

      Any ideas would be greatly appreciated, thanks !

      Victor



      --
      View this message in context: http://postfix.1071664.n5.nabble.com/both-ssl-and-tls-authentification-in-postfix-tp67427.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Viktor Dukhovni
      Message 2 of 8, Apr 26, 2014
        On Sat, Apr 26, 2014 at 07:23:38AM -0700, vicafk wrote:

        > I have a small problem with my postfix configuration.
        > I'm trying to enable both SSL and TLS support and disable plain auth,
        > however i can only make one of them work at the same time.

        You're using dumbed-down MUA terminology. In mail client configuration
        dialogues when a user is asked to choose between SSL and TLS for
        their SMTP connection, they are actually being asked to choose between:

        * Standard STARTTLS over SMTP, typically on port 587, which may
        negotiate any of SSLv3, TLSv1, TLSv1.1, TLSv1.2, ...

        C: TCP SYN
        S: TCP SYN-ACK
        C: ACK
        S: 220 example.net ESMTP
        C: EHLO example.org
        S: 250-example.net
        250 STARTTLS
        C: STARTTLS
        S: 220 Ready to start TLS
        C: SSL/TLS CLIENT HELLO
        S: SSL/TLS SERVER HELLO
        ... complete SSL/TLS handshake ...
        C: EHLO example.org
        S: 250 example.net
        C: AUTH PLAIN ...
        S: 250 Authentication successful
        C: MAIL FROM:<joe@...>
        S: 250 OK
        ... complete mail transaction...
        C: QUIT
        S: 221 Goodbye

        * Deprecated SMTPS inside SSL/TLS, typically on port 465, which may
        negotiate any of SSLv3, TLSv1, TLSv1.1, TLSv1.2, ...

        C: TCP SYN
        S: TCP SYN-ACK
        C: ACK
        C: SSL/TLS CLIENT HELLO
        S: SSL/TLS SERVER HELLO
        ... complete SSL/TLS handshake ...
        C: EHLO example.org
        S: 250 example.net
        C: AUTH PLAIN ...
        S: 250 Authentication successful
        C: MAIL FROM:<joe@...>
        S: 250 OK
        ... complete mail transaction...
        C: QUIT
        S: 221 Goodbye

        On any given submission TCP port (587 or 465) you can either enable
        SMTP + STARTTLS, or the deprecated SMTPS, but not both.

        With Postfix, the "smtpd_tls_wrappermode" parameter selects between
        STARTTLS and SMTPS operation. You'd set it to "yes" in master.cf
        for the optional port 465 service. And optionally configure your
        mail client to use "SSL" on port 465 rather than "TLS" on port 587.

        > If I enable SSL then TLS stops working, if I enable TLS, SSL stops working.

        The smtpd_tls_wrappermode setting needs to be made in master.cf for the
        appropriate instance of the smtpd(8) service. The default master.cf
        file from postfix.org contains commented out services for you to enable:

        #submission inet n - n - - smtpd
        #  -o syslog_name=postfix/submission
        #  -o smtpd_tls_security_level=encrypt
        #  -o smtpd_sasl_auth_enable=yes
        #  -o smtpd_reject_unlisted_recipient=no
        #  -o smtpd_client_restrictions=$mua_client_restrictions
        #  -o smtpd_helo_restrictions=$mua_helo_restrictions
        #  -o smtpd_sender_restrictions=$mua_sender_restrictions
        #  -o smtpd_recipient_restrictions=
        #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        #  -o milter_macro_daemon_name=ORIGINATING
        #smtps inet n - n - - smtpd
        #  -o syslog_name=postfix/smtps
        #  -o smtpd_tls_wrappermode=yes
        #  -o smtpd_sasl_auth_enable=yes
        #  -o smtpd_reject_unlisted_recipient=no
        #  -o smtpd_client_restrictions=$mua_client_restrictions
        #  -o smtpd_helo_restrictions=$mua_helo_restrictions
        #  -o smtpd_sender_restrictions=$mua_sender_restrictions
        #  -o smtpd_recipient_restrictions=
        #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        #  -o milter_macro_daemon_name=ORIGINATING

        The "smtps" and "submission" entries are typically already present in
        /etc/services on most machines. You can add these if missing, or use
        port numbers instead of names.

        > Also i'm a bit plagued by a startup error which keeps popping up every few
        > hours.
        >
        > Apr 25 07:09:08 mail postfix/smtpd[75486]: fatal: unexpected command-line
        > argument: permit_sasl_authenticated,

        No spaces are allowed in master.cf parameter settings, use:

        master.cf:
        submission inet ... smtpd
          -o parameter_name=$submission_parameter_name
        smtps inet ... smtpd
          -o parameter_name=$smtps_parameter_name

        main.cf:
        submission_parameter_name = ...
        # Same as for submission, except when not
        smtps_parameter_name = $submission_parameter_name

        > Apr 25 07:09:09 mail postfix/master[58712]: warning: process
        > /usr/lib/postfix/smtpd pid 75486 exit status 1
        > Apr 25 07:09:09 mail postfix/master[58712]: warning: /usr/lib/postfix/smtpd:
        > bad command startup -- throttling

        That's a severe error which must be fixed.

        > no matter how i change the smtpd_client_restrictions , with quotes, without
        > quotes, all in one line, separate lines the error still pops up.

        http://www.postfix.org/master.5.html

        --
        Viktor.
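As an added illustration of the two dialogues above (this is not code from the thread or from Postfix), here is a Python probe that connects the way an "SSL" client and a "TLS" client each would, reports whether the port answers in the expected mode, and checks that AUTH is offered only after encryption. The host and the EHLO name are placeholders; only the Python standard library is used.

```python
import smtplib
import ssl

PROBE_HELO = "probe.example.invalid"  # constructed name sent in EHLO


def parse_ehlo(ehlo_resp: bytes) -> dict:
    """Map an EHLO reply body to {EXTENSION: parameters}. smtplib stores the
    server hostname on the first line and one extension per later line."""
    lines = ehlo_resp.decode("ascii", "replace").splitlines()
    features = {}
    for line in lines[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def assess_before_tls(features: dict) -> list:
    """Checks on the EHLO answered in the clear on a STARTTLS (587) port:
    STARTTLS must be offered and AUTH must not be, which is what 'disable
    plain auth' means (Postfix: smtpd_tls_security_level=encrypt)."""
    findings = []
    if "STARTTLS" not in features:
        findings.append("STARTTLS not advertised")
    if "AUTH" in features:
        findings.append("AUTH offered before TLS: credentials could go in the clear")
    return findings


def assess_after_tls(features: dict) -> list:
    """Checks on the EHLO answered inside the TLS session (either mode)."""
    if "AUTH" not in features:
        return ["AUTH not offered inside TLS: clients cannot authenticate"]
    return []


def check_starttls_port(host: str, port: int = 587, timeout: float = 10) -> list:
    """Probe the way a client configured for 'TLS' (STARTTLS) does."""
    try:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    except smtplib.SMTPServerDisconnected:
        # Wrapper mode sends no 220 banner (it waits for a ClientHello), so
        # the banner read times out and smtplib reports a disconnect.
        return ["no SMTP greeting: port looks like wrapper mode (smtpd_tls_wrappermode=yes)"]
    with conn:  # sends QUIT on exit
        conn.ehlo(PROBE_HELO)
        findings = assess_before_tls(parse_ehlo(conn.ehlo_resp))
        if conn.has_extn("starttls"):
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo(PROBE_HELO)  # the extension list changes after STARTTLS
            findings += assess_after_tls(parse_ehlo(conn.ehlo_resp))
    return findings


def check_wrapper_port(host: str, port: int = 465, timeout: float = 10) -> list:
    """Probe the way a client configured for 'SSL' (SMTPS wrapper mode) does."""
    try:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout,
                                context=ssl.create_default_context())
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS handshake done but certificate not trusted: {exc}"]
    except ssl.SSLError:
        # A STARTTLS port answers the ClientHello with "220 ..." text instead.
        return ["TLS handshake failed: port looks like plain SMTP with STARTTLS"]
    with conn:
        conn.ehlo(PROBE_HELO)
        return assess_after_tls(parse_ehlo(conn.ehlo_resp))
```

Run `check_starttls_port("mail.example.net")` and `check_wrapper_port("mail.example.net")` against your own server; an empty list means the port behaves the way the matching client setting expects.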
      • Victor Faur
        Message 3 of 8, Apr 26, 2014
          Well, I tried this :

          25 inet n - n - - smtpd
            -o smtpd_enforce_tls=yes
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject_unauth_destination,reject
          587 inet n - n - - smtpd
            -o smtpd_enforce_tls=yes
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          465 inet n - n - - smtpd
            -o smtpd_enforce_tls=yes
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,reject

          TLS working, SSL not; I also had to remove the RBL checks, the only way
          to make the startup error go away.
          On the bright side, port 587 is now working properly :)

        • lists@rhsoft.net
          Message 4 of 8, Apr 26, 2014
            On 26.04.2014 18:04, Victor Faur wrote:
            > 25 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
            > smtpd_sasl_auth_enable=yes -o
            > smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject_unauth_destination,reject
            > 587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
            > smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o
            > smtpd_client_restrictions=permit_sasl_authenticated,reject
            > 465 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
            > smtpd_sasl_auth_enable=yes -o
            > smtpd_client_restrictions=permit_sasl_authenticated,reject
            >
            > TLS working, SSL not

            besides the wrong talk about SSL and TLS, because both are TLS,
            which is nothing more than SSL >= 3.1 - you can google that

            port 465 needs -o smtpd_tls_wrappermode=yes, and please google
            for the differences between STARTTLS and wrappermode; this is
            something you should really understand if you maintain servers

            BTW:
            smtpd_enforce_tls=yes on port 25 is pretty dumb if it is
            a public MX because you can't demand that the sender's
            server supports encryption for outgoing mails
          • lists@rhsoft.net
            Message 5 of 8, Apr 26, 2014
              why do you reply off-list and top-posting?

              On 26.04.2014 18:32, Victor Faur wrote:
              > Ok, I get it now. I left the wrapper on port 587 and used starttls on 465, I
              > had no idea that the two don't mix

              that's why you should start with reading the manuals before acting

              > (ps, for port 25 I just copy/pasted, wasn't going to leave encryption on, it
              > was just for testing)

              bad enough

              > Configuration now looks like :
              >
              > 25 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o
              > smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject_unauth_destination,reject
              > 587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
              > smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o
              > smtpd_sasl_auth_enable=yes -o
              > smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject_unauth_destination,reject
              > 465 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
              > smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o
              > smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject_unauth_destination,reject
              >
              > Any idea how to add rbl checks in those lines without getting the startup
              > errors ?

              maybe it would be helpful to post "the startup errors"
              just guessing: you can't use options with spaces in master.cf, look below
              why are you packing all of this into master.cf instead of just main.cf - above you are
              repeating most restrictions identically for all listeners - maintenance nightmare

              main.cf:
              mynamed_smtpd_recipient_restrictions = complete-set-of-restrictions

              master.cf:
              -o smtpd_recipient_restrictions=$mynamed_smtpd_recipient_restrictions

              > Thanks for the help, and sorry for the dumb questions, I'm pretty new in
              > postfix.

              here you go as a good start: http://www.postfix.org/documentation.html

            • Viktor Dukhovni
              Message 6 of 8, Apr 26, 2014
                On Sat, Apr 26, 2014 at 06:40:02PM +0200, lists@... wrote:

                > Am 26.04.2014 18:32, schrieb Victor Faur:
                > > Ok, I get it now. I left the wrapper on port 587 and used starttls on 465, I
                > > had no idea that the two don't mix

                That's backwards. Wrappermode should be off with port 587 and on
                with port 465.

                --
                Viktor.
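The replies above come down to two mechanical rules for master.cf: a space inside a -o value becomes an extra command-line argument that makes smtpd(8) die with "unexpected command-line argument", and smtpd_tls_wrappermode=yes belongs on the smtps (465) entry, never on submission (587). The following checker, added here and not taken from the thread or from the Postfix project, applies both rules to master.cf text; the two sample configurations embedded in it are constructed, and the wrapper-mode check assumes main.cf keeps the Postfix default of "no".

```python
def parse_master_cf(text: str) -> list:
    """Return (service, type, command, argv) tuples from master.cf text.
    A line starting with whitespace continues the previous entry (that is
    where "-o name=value" lines live); comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1][3].extend(raw.split())
            continue
        fields = raw.split()  # service type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            entries.append((fields[0], fields[1], fields[7], fields[8:]))
    return entries


def lint_master_cf(text: str) -> list:
    """Flag the thread's two mistakes in every smtpd(8) entry."""
    findings = []
    for service, kind, command, argv in parse_master_cf(text):
        if command != "smtpd":
            continue
        opts, i = {}, 0
        while i < len(argv):
            if argv[i] == "-o" and i + 1 < len(argv):
                name, _, value = argv[i + 1].partition("=")
                opts[name] = value
                i += 2
            elif argv[i].startswith("-"):  # other daemon flags such as -v
                i += 1
            else:
                # "-o x=a, b": the space makes "b" a bare argv token, which
                # smtpd rejects with "unexpected command-line argument".
                findings.append(f"{service}/{kind}: stray argument '{argv[i]}' (space inside a -o value?)")
                i += 1
        wrapper = opts.get("smtpd_tls_wrappermode", "no")  # Postfix default: no
        if service in ("smtps", "465") and wrapper != "yes":
            findings.append(f"{service}/{kind}: port 465 needs -o smtpd_tls_wrappermode=yes")
        if service in ("submission", "587") and wrapper == "yes":
            findings.append(f"{service}/{kind}: wrapper mode on port 587 breaks STARTTLS clients")
    return findings


# Constructed sample reproducing the thread's mistakes (not a real config).
BROKEN_MASTER_CF = """\
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated, reject
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""

# The same services corrected: wrapper mode only on smtps, no spaces in values.
FIXED_MASTER_CF = """\
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
```

Feed `lint_master_cf(open("/etc/postfix/master.cf").read())` to check a live file; an empty list means neither mistake is present.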
              • Nick Edwards
                Message 7 of 8, Apr 28, 2014
                  On 4/27/14, lists@... <lists@...> wrote:
                  > why do you reply off-list and top-posting?

                  why do you act like list nazi Harold Reindl?
                  pfft nobody cares about your shit
                • lists@rhsoft.net
                  Message 8 of 8, Apr 28, 2014
                    On 28.04.2014 13:43, Nick Edwards wrote:
                    > On 4/27/14, lists@... <lists@...> wrote:
                    >> why do you reply off-list and top-posting?
                    >
                    > why do you act like list nazi Harold Reindl?
                    > pfft nobody cares about your shit

                    besides, nobody has asked you

                    better be quiet instead of calling others "nazi" when you
                    can't even manage to write their name correctly, while you stop reading
                    after the first line and ignore the rest of the response

                    whether you like it or not: it's not a matter of being a "list nazi"
                    to explain to somebody his bad attitude of replying off-list and
                    expecting private support after an answer on a mailing list

                    so do yourself a favor and remove the foam from your mouth