I bet it has something to do with your sasl configuration.
Had that back in time too... Check it is working.
I have linked the saslauth to pam/ldap - so I can have local and remote
users going in... Took me some time to figure this out.
It's too long ago for me to remember details - but that's where I would
look if I were you...
Check your logs mail/system and auth for hints.

Cheers

Joerg

<quote who="Joe Strusz">
> OK, well I disabled the smtpd_tls_auth_only line.
>
> And now whenever I try to connect via say outlook express on a client
> machine...
>
> I check the box that says, "my outgoing server requires
> authentication", and I do get the password prompt, however whichever
> login/password I try to use it gets rejected, over and over and over
> again...
>
>
> any suggestions?
>
>>X-Original-To: jstrusz@×××××.com
>>Delivered-To: jstrusz@×××××.com
>>Delivered-To: <gentoo-security@l.g.o>
>>Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
>>Subject: Re: [gentoo-security] postfix and SASL
>>From: "Joerg Mertin" <smurphy@××××××.org>
>>To: gentoo-security@l.g.o
>>User-Agent: SquirrelMail/1.4.4
>>List-Post: <mailto:gentoo-security@l.g.o>
>>List-Help: <mailto:gentoo-security+help@g.o>
>>List-Unsubscribe: <mailto:gentoo-security+unsubscribe@g.o>
>>List-Subscribe: <mailto:gentoo-security+subscribe@g.o>
>>List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
>>X-BeenThere: gentoo-security@g.o
>>Reply-To: gentoo-security@l.g.o
>>X-Virus-Scanned: ClamAV scanned @ Stargate
>>X-MIME-Autoconverted: from quoted-printable to 8bit by
>>robin.gentoo.org id j95D76GO003964
>>X-Virus-Scanned: This message was scanned for viruses by ClamAV.
>>X-Spam-Status: No, hits=-2.599 tagged_above=-100 required=6.5
>> tests=BAYES_00
>>X-Spam-Level:
>>
>>OK - as this seems to be quite difficult for many - here my configuration
>>of postfix - TLS and SASL parts only:
>>
>>## TLS
>># Transport Layer Security
>>#
>>smtpd_use_tls = yes
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
>>smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
>>smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
>>smtpd_tls_loglevel = 3
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>
>># SASL SUPPORT FOR CLIENTS
>>#
>># The following options set parameters needed by Postfix to enable
>># Cyrus-SASL support for authentication of mail clients.
>>#
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous
>>smtpd_data_restrictions = reject_unauth_pipelining
>>smtpd_sasl_local_domain =
>>
>>
>>This setup works here for 2 Years ...
>>Cheers
>>
>>Joerg
>>
>>
>><quote who="Joe Strusz">
>> > Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
>> > this:
>> >
>> > 538: Encryption required for requested authentication mechanism.
>> >
>> > What does this mean?
>> >
>> > I could really use some help on this... it's been bugging me for weeks now.
>> >
>> > Also, I do have smtpd_tls_auth_only = yes line
>> >
>> >
>> > Please help
>> >
>> > blargh.
>> >
>> > Your fellow befumbled gentoo user.
>> >
>> >
>> >
>> >>X-Original-To: jstrusz@×××××.com
>> >>Delivered-To: jstrusz@×××××.com
>> >>Delivered-To: <gentoo-security@l.g.o>
>> >>Date: Wed, 05 Oct 2005 12:36:01 +0100
>> >>From: Jonathan Wright <mail@×××××××××.uk>
>> >>User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050822)
>> >>X-Accept-Language: en-us, en
>> >>List-Post: <mailto:gentoo-security@l.g.o>
>> >>List-Help: <mailto:gentoo-security+help@g.o>
>> >>List-Unsubscribe: <mailto:gentoo-security+unsubscribe@g.o>
>> >>List-Subscribe: <mailto:gentoo-security+subscribe@g.o>
>> >>List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
>> >>X-BeenThere: gentoo-security@g.o
>> >>Reply-To: gentoo-security@l.g.o
>> >>To: gentoo-security@l.g.o
>> >>Subject: Re: [gentoo-security] postfix and SASL
>> >>X-Virus-Scanned: This message was scanned for viruses by ClamAV.
>> >>X-Spam-Status: No, hits=-2.599 tagged_above=-100 required=6.5
>> >> tests=BAYES_00
>> >>X-Spam-Level:
>> >>
>> >>Benjamin A'Lee wrote:
>> >>>>Not sure but: why on port 25 and not on 465 ?
>> >>>I don't think it actually matters which port; IIRC it just enables
>> >>>STARTTLS by default on 465.
>> >>
>> >>Port 465 is for SSL (i.e. secure communication before any
>> >>application data is transferred) and Port 25 accepts TLS (where the
>> >>data is secured once both parties accept, however, application data
>> >>transfer has occurred).
>> >>
>> >>Anyway, with telnet you can't talk on port 465 :)
>> >>
>> >> > I have confirmed postfix is indeed compiled with SASL support. And I
>> >> > have TLS working great. However when I telnet to port 25 and issue the
>> >> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
>> >> > lines...
>> >>
>> >>Depending on the configuration, AUTH PLAIN can either be disabled,
>> >>or more likely, it's only sent should STARTTLS be issued. I have the
>> >>following lines in my main.cf:
>> >>
>> >>-- cut -----------------------------------------
>> >># SMTPD SERVER CONTROLS
>> >>smtpd_sasl_auth_enable = yes
>> >>smtpd_sasl_security_options = noanonymous, noplaintext
>> >>broken_sasl_auth_clients = yes
>> >>smtpd_sasl_local_domain =
>> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
>> >>    permit_mynetworks, reject_unauth_destination
>> >>
>> >>smtpd_use_tls = yes
>> >>smtpd_tls_auth_only = yes
>> >>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>> >>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>> >>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>> >>smtpd_tls_loglevel = 1
>> >>smtpd_tls_received_header = yes
>> >>smtpd_tls_session_cache_timeout = 3600s
>> >>tls_random_source = dev:/dev/urandom
>> >>-- cut -----------------------------------------
>> >>
>> >>TLS is enabled, but smtpd_tls_auth_only will only permit
>> >>authorization from clients who have issued (and successfully
>> >>negotiated) the STARTTLS comment.
>> >>
>> >>Also, you can define what methods Postfix accepts by modifying the
>> >>smtp_sasl_security_options directive.
>> >>
>> >>HTH,
>> >>
>> >>--
>> >> Jonathan Wright ~ mail at djnauk.co.uk
>> >> ~ www.djnauk.co.uk
>> >>--
>> >> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
>> >> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
>> >>--
>> >> "I don't mind straight people as long as they act gay in
>> >> public."
>> >>
>> >> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
>> >>--
>> >>gentoo-security@g.o mailing list
>> >
>> >
>> > Joe Strusz
>> >
>> > IT Assistant
>> > Oxford Publishing, Inc.
>> > 307 West Jackson Avenue
>> > Oxford, MS 38655-2154
>> > 800-247-3881
>> > 662-236-5510x40
>> > jstrusz@×××××.com
>> > http://www.nightclub.com
>> >
>> >
>> > --
>> > gentoo-security@g.o mailing list
>> >
>> >
>>
>>
>>--
>>------------------------------------------------------------------------
>>| Joerg Mertin : smurphy@××××××.org (Home)|
>>| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
>>| Stardust's LiNUX System : |
>>| Web: http://www.solsys.org |
>>------------------------------------------------------------------------
>>PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
>>
>>
>>
>>--
>>gentoo-security@g.o mailing list
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> jstrusz@×××××.com
> http://www.nightclub.com
>
>
> --
> gentoo-security@g.o mailing list
>
>


--
------------------------------------------------------------------------
| Joerg Mertin : smurphy@××××××.org (Home)|
| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A



--
gentoo-security@g.o mailing list
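
Added example, not part of the original thread and not Postfix code: a small checker for the behaviour discussed above, where a server running with smtpd_tls_auth_only = yes announces STARTTLS but no AUTH line until TLS is negotiated. The two EHLO replies and the host name mail.example.org are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed EHLO replies for illustration; not captured from the thread's servers.
EHLO_BEFORE_TLS = (
    "250-mail.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_AFTER_TLS = (
    "250-mail.example.org\r\n250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n"
)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password crosses the wire unhashed
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return (extension keywords, AUTH mechanisms) from a 250 EHLO reply."""
    extensions, mechs = set(), set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"not a 250 reply line: {line!r}")
        text = match.group(3).strip()
        if index == 0 or not text:
            continue  # the first line only carries the server name
        # "AUTH=..." is the legacy spelling added by broken_sasl_auth_clients
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]
        keyword, *args = text.split()
        extensions.add(keyword.upper())
        if keyword.upper() == "AUTH":
            mechs.update(arg.upper() for arg in args)
    return extensions, mechs


def audit(before_tls, after_tls):
    """List findings; an empty list matches smtpd_tls_auth_only = yes."""
    ext_before, mechs_before = parse_ehlo(before_tls)
    _, mechs_after = parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in ext_before:
        findings.append("STARTTLS not offered before encryption")
    exposed = sorted(mechs_before & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext AUTH offered without TLS: " + ", ".join(exposed))
    elif mechs_before:
        findings.append("AUTH announced without TLS; smtpd_tls_auth_only not in effect")
    if not mechs_after:
        findings.append("no AUTH after STARTTLS; check smtpd_sasl_auth_enable and the SASL backend")
    return findings


if __name__ == "__main__":
    print(audit(EHLO_BEFORE_TLS, EHLO_AFTER_TLS) or "AUTH is only offered over TLS")
```

Because telnet cannot negotiate STARTTLS, the post-TLS reply for a real server has to come from a TLS-capable client such as `openssl s_client -starttls smtp`.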