OK, well I disabled the smtpd_tls_auth_only line.

And now whenever I try to connect via, say, Outlook Express on a client
machine...

I check the box that says, "my outgoing server requires
authentication", and I do get the password prompt, however whichever
login/password I try to use it gets rejected, over and over and over again...


any suggestions?

>Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
>Subject: Re: [gentoo-security] postfix and SASL
>From: "Joerg Mertin" <smurphy@××××××.org>
>To: gentoo-security@l.g.o
>
>OK - as this seems to be quite difficult for many - here is my configuration
>of postfix - TLS and SASL parts only:
>
>## TLS
># Transport Layer Security
>#
>smtpd_use_tls = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
>smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
>smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
>smtpd_tls_loglevel = 3
>smtpd_tls_received_header = yes
>smtpd_tls_session_cache_timeout = 3600s
>tls_random_source = dev:/dev/urandom
>
># SASL SUPPORT FOR CLIENTS
>#
># The following options set parameters needed by Postfix to enable
># Cyrus-SASL support for authentication of mail clients.
>#
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_data_restrictions = reject_unauth_pipelining
>smtpd_sasl_local_domain =
>
>
>This setup works here for 2 Years ...
>Cheers
>
>Joerg
>
>
><quote who="Joe Strusz">
> > Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> > this:
> >
> > 538: Encryption required for requested authentication mechanism.
> >
> > What does this mean?
> >
> > I could really use some help on this... it's been bugging me for weeks now.
> >
> > Also, I do have smtpd_tls_auth_only = yes line
> >
> >
> > Please help
> >
> > blargh.
> >
> > Your fellow befumbled gentoo user.
> >
> >
> >
> >>Date: Wed, 05 Oct 2005 12:36:01 +0100
> >>From: Jonathan Wright <mail@×××××××××.uk>
> >>To: gentoo-security@l.g.o
> >>Subject: Re: [gentoo-security] postfix and SASL
> >>
> >>Benjamin A'Lee wrote:
> >>>>Not sure but: why on port 25 and not on 465 ?
> >>>I don't think it actually matters which port; IIRC it just enables
> >>>STARTTLS by default on 465.
> >>
> >>Port 465 is for SSL (i.e. secure communication before any
> >>application data is transferred) and Port 25 accepts TLS (where the
> >>data is secured once both parties accept, however, application data
> >>transfer has occurred).
> >>
> >>Anyway, with telnet you can't talk on port 465 :)
> >>
> >> > I have confirmed postfix is indeed compiled with SASL support. And I
> >> > have TLS working great. However when I telnet to port 25 and issue the
> >> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
> >> > lines...
> >>
> >>Depending on the configuration, AUTH PLAIN can either be disabled,
> >>or more likely, it's only sent should STARTTLS be issued. I have the
> >>following lines in my main.cf:
> >>
> >>-- cut -----------------------------------------
> >># SMTPD SERVER CONTROLS
> >>smtpd_sasl_auth_enable = yes
> >>smtpd_sasl_security_options = noanonymous, noplaintext
> >>broken_sasl_auth_clients = yes
> >>smtpd_sasl_local_domain =
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>    permit_mynetworks, reject_unauth_destination
> >>
> >>smtpd_use_tls = yes
> >>smtpd_tls_auth_only = yes
> >>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
> >>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
> >>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
> >>smtpd_tls_loglevel = 1
> >>smtpd_tls_received_header = yes
> >>smtpd_tls_session_cache_timeout = 3600s
> >>tls_random_source = dev:/dev/urandom
> >>-- cut -----------------------------------------
> >>
> >>TLS is enabled, but smtpd_tls_auth_only will only permit
> >>authorization from clients who have issued (and successfully
> >>negotiated) the STARTTLS command.
> >>
> >>Also, you can define what methods Postfix accepts by modifying the
> >>smtp_sasl_security_options directive.
> >>
> >>HTH,
> >>
> >>--
> >> Jonathan Wright ~ mail at djnauk.co.uk
> >> ~ www.djnauk.co.uk
> >>--
> >> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
> >> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
> >>--
> >> "I don't mind straight people as long as they act gay in
> >> public."
> >>
> >> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
> >>--
> >>gentoo-security@g.o mailing list
> >
> >
> > Joe Strusz
> >
> > IT Assistant
> > Oxford Publishing, Inc.
> > 307 West Jackson Avenue
> > Oxford, MS 38655-2154
> > 800-247-3881
> > 662-236-5510x40
> > jstrusz@×××××.com
> > http://www.nightclub.com
> >
> >
> > --
> > gentoo-security@g.o mailing list
> >
> >
>
>
>--
>------------------------------------------------------------------------
>| Joerg Mertin : smurphy@××××××.org (Home)|
>| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
>| Stardust's LiNUX System : |
>| Web: http://www.solsys.org |
>------------------------------------------------------------------------
>PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
>
>
>
>--
>gentoo-security@g.o mailing list


Joe Strusz

IT Assistant
Oxford Publishing, Inc.
307 West Jackson Avenue
Oxford, MS 38655-2154
800-247-3881
662-236-5510x40
jstrusz@×××××.com
http://www.nightclub.com


--
gentoo-security@g.o mailing list
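
The settings traded in this thread decide whether AUTH is offered before STARTTLS and whether PLAIN/LOGIN survive at all. The Python below is an added example, not part of the original messages or of Postfix: it reads main.cf text and reports that exposure. The function names and result strings are made up for illustration, and it assumes the documented Postfix defaults (smtpd_sasl_security_options = noanonymous, with smtpd_sasl_tls_security_options falling back to the same list).

```python
import re

def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines, continuation lines that start
    with whitespace, and last-assignment-wins for repeated parameters."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                  # continues the previous value
            if current:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def auth_exposure(params):
    """Describe where SMTP AUTH is offered and which mechanisms survive."""
    def enabled(key):
        return params.get(key, "no").lower() == "yes"
    def options(key, default):
        return {o for o in re.split(r"[,\s]+", params.get(key, default)) if o}
    if not enabled("smtpd_sasl_auth_enable"):
        return ["AUTH not offered"]
    clear = options("smtpd_sasl_security_options", "noanonymous")
    # Assumption: the TLS-side option list falls back to the cleartext one.
    in_tls = options("smtpd_sasl_tls_security_options", " ".join(clear))
    findings = []
    if enabled("smtpd_tls_auth_only"):
        findings.append("AUTH only after STARTTLS")
    elif "noplaintext" in clear:
        findings.append("AUTH without TLS, plaintext mechanisms excluded")
    else:
        findings.append("PLAIN/LOGIN accepted without TLS")
    if "noplaintext" in in_tls:
        findings.append("PLAIN/LOGIN excluded inside TLS")
    return findings

# Constructed inputs: SASL/TLS lines from the two quoted configurations, and
# the first one again with smtpd_tls_auth_only commented out.
JOERG = ("smtpd_use_tls = yes\nsmtpd_tls_auth_only = yes\n"
         "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous\n")
JONATHAN = JOERG.replace("noanonymous", "noanonymous, noplaintext")
DISABLED = JOERG.replace("smtpd_tls_auth_only", "#smtpd_tls_auth_only")

if __name__ == "__main__":
    for label, cfg in [("Joerg", JOERG), ("Jonathan", JONATHAN), ("disabled", DISABLED)]:
        print(label, auth_exposure(parse_main_cf(cfg)))
```

A client that only speaks PLAIN or LOGIN has no usable mechanism under the second configuration, even after STARTTLS.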