OK - as this seems to be quite difficult for many - here is my configuration
of postfix - TLS and SASL parts only:

## TLS
# Transport Layer Security
#
# Offer STARTTLS to SMTP clients.
smtpd_use_tls = yes
# Advertise and accept AUTH only after STARTTLS has been negotiated; before
# that the EHLO reply carries no AUTH line and an AUTH attempt is refused
# with a 538 reply.
smtpd_tls_auth_only = yes
# Server private key, certificate and CA chain, all in PEM format.
smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
# 3 also logs handshake and certificate details; 1 is enough in normal use.
smtpd_tls_loglevel = 3
# Record protocol and cipher in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# Entropy source for the tlsmgr(8) PRNG pool.
tls_random_source = dev:/dev/urandom

# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
# Additionally advertise the obsolete "AUTH=PLAIN LOGIN" line for old
# Outlook Express / Exchange clients.
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
# No anonymous mechanisms. PLAIN and LOGIN stay allowed; that is acceptable
# here because smtpd_tls_auth_only confines AUTH to the TLS session.
smtpd_sasl_security_options = noanonymous
# Reject clients that pipeline commands without being told they may.
smtpd_data_restrictions = reject_unauth_pipelining
# Empty: SASL login names are not qualified with a domain.
smtpd_sasl_local_domain =


This setup has been working here for 2 years ...
Cheers

Joerg


<quote who="Joe Strusz">
> Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> this:
>
> 538: Encryption required for requested authentication mechanism.
>
> What does this mean?
>
> I could really use some help on this... it's been bugging me for weeks now.
>
> Also, I do have the smtpd_tls_auth_only = yes line
>
>
> Please help
>
> blargh.
>
> Your fellow befumbled gentoo user.
>
>
>
>>Date: Wed, 05 Oct 2005 12:36:01 +0100
>>From: Jonathan Wright <mail@×××××××××.uk>
>>To: gentoo-security@l.g.o
>>Subject: Re: [gentoo-security] postfix and SASL
>>
>>Benjamin A'Lee wrote:
>>>>Not sure but: why on port 25 and not on 465 ?
>>>I don't think it actually matters which port; IIRC it just enables
>>>STARTTLS by default on 465.
>>
>>Port 465 is for SSL (i.e. secure communication before any
>>application data is transferred) and Port 25 accepts TLS (where the
>>data is secured once both parties accept; however, application data
>>transfer has occurred).
>>
>>Anyway, with telnet you can't talk on port 465 :)
>>
>> > I have confirmed postfix is indeed compiled with SASL support. And I
>> > have TLS working great. However when I telnet to port 25 and issue the
>> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
>> > lines...
>>
>>Depending on the configuration, AUTH PLAIN can either be disabled,
>>or more likely, it's only sent should STARTTLS be issued. I have the
>>following lines in my main.cf:
>>
>>-- cut -----------------------------------------
>># SMTPD SERVER CONTROLS
>>smtpd_sasl_auth_enable = yes
>># noanonymous forbids anonymous mechanisms; noplaintext also disables PLAIN
>># and LOGIN, and that applies to TLS sessions too unless
>># smtpd_sasl_tls_security_options (Postfix 2.2+, default
>># $smtpd_sasl_security_options) is set differently, so only shared-secret
>># mechanisms such as CRAM-MD5 are offered with these settings.
>>smtpd_sasl_security_options = noanonymous, noplaintext
>># Also advertise the non-standard "AUTH=..." line for old Outlook/Exchange clients.
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_local_domain =
>># Relay only for SASL-authenticated clients and $mynetworks; everyone else
>># may only deliver to destinations this server is responsible for.
>>smtpd_recipient_restrictions = permit_sasl_authenticated,
>>permit_mynetworks, reject_unauth_destination
>>
>>smtpd_use_tls = yes
>># AUTH is advertised and accepted only inside a STARTTLS session.
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>>smtpd_tls_loglevel = 1
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>-- cut -----------------------------------------
>>
>>TLS is enabled, but smtpd_tls_auth_only will only permit
>>authorization from clients who have issued (and successfully
>>negotiated) the STARTTLS command.
>>
>>Also, you can define what methods Postfix accepts by modifying the
>>smtp_sasl_security_options directive.
>>
>>HTH,
>>
>>--
>> Jonathan Wright ~ mail at djnauk.co.uk
>>                 ~ www.djnauk.co.uk
>>--
>> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
>> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
>>--
>> "I don't mind straight people as long as they act gay in
>> public."
>>
>> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
>>--
>>gentoo-security@g.o mailing list
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> jstrusz@×××××.com
> http://www.nightclub.com
>
>


--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@××××××.org (Home)                   |
| in Forchheim/Germany    : smurphy@×××××.de  (Alt1)                    |
| Stardust's LiNUX System :                                             |
| Web: http://www.solsys.org                                            |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A


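The behaviour the quoted replies above turn on (with smtpd_tls_auth_only = yes the EHLO reply carries no AUTH line until STARTTLS has been negotiated, an AUTH sent earlier gets the 538 reply, and port 465 speaks TLS from the first byte, which is why telnet cannot be used there) can be verified from the client side with a short probe. The script below is an added example for this thread; it is not Postfix code and not something any of the posters wrote. It uses only the Python standard library. The host name mail.example.test, the HELO name probe.example.test and the credentials joe/secret are placeholders, and the two EHLO replies embedded for the offline self-check are constructed, not captured from a real server. One detail for readers of Jonathan's last sentence: the server-side parameter is smtpd_sasl_security_options; smtp_sasl_security_options (without the d) configures the Postfix SMTP client.

```python
"""Probe an SMTP server for the AUTH-only-after-STARTTLS behaviour.

Added example for this thread; not Postfix code and not from any poster.
Standard library only; host names and credentials below are placeholders.
"""
import base64
import smtplib
import ssl
import sys

# Constructed EHLO replies (not captured from a real server) showing the two
# states of a Postfix server configured with smtpd_tls_auth_only = yes.
EHLO_BEFORE_STARTTLS = (
    b"250-mail.example.test\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_AFTER_STARTTLS = (
    b"250-mail.example.test\r\n"
    b"250-PIPELINING\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-AUTH=PLAIN LOGIN\r\n"  # extra line from broken_sasl_auth_clients = yes
    b"250 8BITMIME\r\n"
)


def parse_ehlo_auth(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply.

    Accepts the raw multi-line reply ("250-AUTH PLAIN LOGIN") or the text
    smtplib keeps in ehlo_resp (reply codes already stripped).  Both the
    RFC 4954 "AUTH ..." form and the obsolete "AUTH=..." form are recognised.
    An empty set means no AUTH line was present.
    """
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    mechs = set()
    for line in ehlo_reply.splitlines():
        body = (line[4:] if line.startswith("250") else line).strip()
        if body.upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def auth_plain_initial_response(authcid, password, authzid=""):
    """SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(initial_response):
    """What a sniffer on a cleartext session recovers from AUTH PLAIN.

    base64 is an encoding, not encryption: this is the reason for
    smtpd_tls_auth_only = yes (or noplaintext) on the server side.
    """
    authzid, authcid, password = (
        base64.b64decode(initial_response).decode("utf-8").split("\0"))
    return authzid, authcid, password


def probe_auth_visibility(host, port=25, implicit_tls=False, verify_cert=True,
                          helo="probe.example.test", timeout=10):
    """Record the AUTH mechanisms advertised before and after STARTTLS.

    implicit_tls=True talks TLS from the first byte (port 465 style), the
    thing telnet cannot do.  On a server set up as in the thread, 'before'
    is empty and 'after' lists the mechanisms.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        # Diagnostic use only, for self-signed / private-CA certificates such
        # as those in the thread.  A real mail client must verify the server.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"implicit_tls": implicit_tls, "starttls": False,
              "before": set(), "after": set()}
    if implicit_tls:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    with conn as smtp:
        smtp.ehlo(helo)
        result["before"] = parse_ehlo_auth(smtp.ehlo_resp)
        if not implicit_tls and smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)  # smtplib discards the old EHLO data here
            smtp.ehlo(helo)             # re-EHLO: the extension list changes
            result["starttls"] = True
            result["after"] = parse_ehlo_auth(smtp.ehlo_resp)
    return result


def main(argv):
    if len(argv) > 1:  # usage: script.py host [port]; port 465 = implicit TLS
        port = int(argv[2]) if len(argv) > 2 else 25
        print(probe_auth_visibility(argv[1], port, implicit_tls=(port == 465),
                                    verify_cert=False))
        return
    print("before STARTTLS:", parse_ehlo_auth(EHLO_BEFORE_STARTTLS) or "no AUTH")
    print("after STARTTLS: ", sorted(parse_ehlo_auth(EHLO_AFTER_STARTTLS)))
    token = auth_plain_initial_response("joe", "secret")
    print("AUTH PLAIN", token, "decodes to", decode_auth_plain(token))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it only exercises the constructed replies; with a host and port it performs the real probe, re-issuing EHLO after STARTTLS because the extension list is different on the encrypted connection. Certificate verification is switched off there purely because the servers in the thread use private certificates; a mail client must never do that.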