| 1 |
Benjamin A'Lee wrote: |
| 2 |
>>Not sure but: why on port 25 and not on 465 ? |
| 3 |
> |
| 4 |
> I don't think it actually matters which port; IIRC it just enables |
| 5 |
> STARTTLS by default on 465. |
| 6 |
|
| 7 |
Port 465 is for SSL (i.e. secure communication before any application |
| 8 |
data is transferred) and Port 25 accepts TLS (where the data is secured |
| 9 |
once both parties accept, however, application data transfer has occurred). |
| 10 |
|
| 11 |
Anyway, with telnet you can't talk on port 465 :) |
| 12 |
|
| 13 |
> I have confirmed postfix is indeed compiled with SASL support. And i |
| 14 |
> have TLS working great. However when i telnet to port 25 and issue the |
| 15 |
> ehlo command, i do receive the starttls etc... yet no AUTH PLAIN |
| 16 |
> lines... |
| 17 |
|
| 18 |
Depending on the configuration, AUTH PLAIN can either be disabled, or |
| 19 |
more likely, it's only send should STARTTLS be issued. I have the |
| 20 |
following lines in my main.cf: |
| 21 |
|
| 22 |
-- cut ----------------------------------------- |
| 23 |
# SMTPD SERVER CONTROLS |
| 24 |
smtpd_sasl_auth_enable = yes |
| 25 |
smtpd_sasl_security_options = noanonymous, noplaintext |
| 26 |
broken_sasl_auth_clients = yes |
| 27 |
smtpd_sasl_local_domain = |
| 28 |
smtpd_recipient_restrictions = permit_sasl_authenticated, |
| 29 |
permit_mynetworks, reject_unauth_destination |
| 30 |
|
| 31 |
smtpd_use_tls = yes |
| 32 |
smtpd_tls_auth_only = yes |
| 33 |
smtpd_tls_key_file = /etc/postfix/cacert/kenny.key |
| 34 |
smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem |
| 35 |
smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem |
| 36 |
smtpd_tls_loglevel = 1 |
| 37 |
smtpd_tls_received_header = yes |
| 38 |
smtpd_tls_session_cache_timeout = 3600s |
| 39 |
tls_random_source = dev:/dev/urandom |
| 40 |
-- cut ----------------------------------------- |
| 41 |
|
| 42 |
TLS is enabled, but smtpd_tls_auth_only will only permit authorization |
| 43 |
from clients who have issued (and successfully negotiated) the STARTTLS |
| 44 |
comment. |
| 45 |
|
| 46 |
Also, you can define what methods Postfix accepts by modifying the |
| 47 |
smtp_sasl_security_options directive. |
| 48 |
|
| 49 |
HTH, |
| 50 |
|
| 51 |
-- |
| 52 |
Jonathan Wright ~ mail at djnauk.co.uk |
| 53 |
~ www.djnauk.co.uk |
| 54 |
-- |
| 55 |
2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+ |
| 56 |
up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71 |
| 57 |
-- |
| 58 |
"I don't mind straight people as long as they act gay in |
| 59 |
public." |
| 60 |
|
| 61 |
~ T-shirt worn by Dennis Rodman of the Chicago Bulls |
| 62 |
-- |
| 63 |
gentoo-security@g.o mailing list |
Archives