Benjamin A'Lee wrote:
>> Not sure but: why on port 25 and not on 465 ?
>
> I don't think it actually matters which port; IIRC it just enables
> STARTTLS by default on 465.

Port 465 is for SSL (i.e. secure communication before any application
data is transferred) and Port 25 accepts TLS (where the data is secured
once both parties accept, however, application data transfer has occurred).

Anyway, with telnet you can't talk on port 465 :)

> I have confirmed postfix is indeed compiled with SASL support. And I
> have TLS working great. However when I telnet to port 25 and issue the
> ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
> lines...

Depending on the configuration, AUTH PLAIN can either be disabled, or,
more likely, it's only sent should STARTTLS be issued. I have the
following lines in my main.cf:

-- cut -----------------------------------------
# SMTPD SERVER CONTROLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
-- cut -----------------------------------------

TLS is enabled, but smtpd_tls_auth_only will only permit authorization
from clients who have issued (and successfully negotiated) the STARTTLS
command.

Also, you can define what methods Postfix accepts by modifying the
smtp_sasl_security_options directive.

HTH,

--
Jonathan Wright ~ mail at djnauk.co.uk
~ www.djnauk.co.uk
--
2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
--
"I don't mind straight people as long as they act gay in
public."

~ T-shirt worn by Dennis Rodman of the Chicago Bulls
--
gentoo-security@g.o mailing list
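The smtpd_tls_auth_only behaviour discussed in this thread can be checked from the client side by comparing the EHLO capability list before and after STARTTLS. The following is an added example, not code from the thread or from Postfix: it parses EHLO responses (the samples below are constructed, including the "AUTH=" form that broken_sasl_auth_clients adds) and, in probe(), runs the same comparison against a live server whose host and port are assumptions.

```python
import smtplib
from typing import Dict, List


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Map EHLO keywords to their parameters from raw '250-XXX' / '250 XXX' lines.
    The first line is the server greeting and carries no capability.
    'AUTH=PLAIN LOGIN' (the broken_sasl_auth_clients form) is folded into AUTH."""
    caps: Dict[str, List[str]] = {}
    for raw in lines[1:]:
        body = raw[4:].strip()  # drop the "250-" or "250 " prefix
        if not body:
            continue
        parts = body.replace("=", " ", 1).split()
        caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def auth_exposure(before_tls: List[str], after_tls: List[str]) -> dict:
    """Compare AUTH advertisement before and after STARTTLS. For a server with
    smtpd_tls_auth_only = yes the expected result is: STARTTLS offered, no AUTH
    in the clear, AUTH (with its mechanisms) only on the TLS-protected EHLO."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    return {
        "starttls_offered": "STARTTLS" in pre,
        "auth_before_tls": pre.get("AUTH"),  # None: AUTH not advertised in the clear
        "auth_after_tls": post.get("AUTH"),
        "plaintext_mech_in_clear": any(m in ("PLAIN", "LOGIN") for m in pre.get("AUTH", [])),
    }


def probe(host: str, port: int = 25) -> dict:
    """Same comparison against a live server (host/port are assumptions);
    not called below because it needs network access."""
    def lines(conn: smtplib.SMTP) -> List[str]:
        # smtplib strips the '250-' prefixes; rebuild them for parse_ehlo()
        return ["250-" + l for l in conn.ehlo_resp.decode(errors="replace").splitlines()]
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        pre = lines(conn)
        conn.starttls()
        conn.ehlo()
        post = lines(conn)
    return auth_exposure(pre, post)


# Constructed sample EHLO responses (not captured from a real server).
EHLO_CLEAR = ["250-mail.example.test", "250-PIPELINING", "250-SIZE 10240000",
              "250-STARTTLS", "250-8BITMIME", "250 DSN"]
EHLO_TLS = ["250-mail.example.test", "250-PIPELINING", "250-SIZE 10240000",
            "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN", "250-8BITMIME", "250 DSN"]
EHLO_LEAKY = ["250-mail.example.test", "250-STARTTLS", "250 AUTH PLAIN LOGIN"]
```

If AUTH is missing from both lists, the server is withholding the mechanisms regardless of TLS, for example because noplaintext also applies to the TLS session, which is a different problem from the auth-only gating described above.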