Subject: Re: [gentoo-security] postfix and SASL
Date: Wed, 05 Oct 2005 11:43:56
Benjamin A'Lee wrote:
>>Not sure but: why on port 25 and not on 465 ? > > I don't think it actually matters which port; IIRC it just enables > STARTTLS by default on 465.
Port 465 is for SSL (i.e. secure communication before any application data is transferred) and Port 25 accepts TLS (where the data is secured once both parties accept, however, application data transfer has occurred). Anyway, with telnet you can't talk on port 465 :) > I have confirmed postfix is indeed compiled with SASL support. And i > have TLS working great. However when i telnet to port 25 and issue the > ehlo command, i do receive the starttls etc... yet no AUTH PLAIN > lines... Depending on the configuration, AUTH PLAIN can either be disabled, or more likely, it's only send should STARTTLS be issued. I have the following lines in my -- cut ----------------------------------------- # SMTPD SERVER CONTROLS smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous, noplaintext broken_sasl_auth_clients = yes smtpd_sasl_local_domain = smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination smtpd_use_tls = yes smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/cacert/kenny.key smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom -- cut ----------------------------------------- TLS is enabled, but smtpd_tls_auth_only will only permit authorization from clients who have issued (and successfully negotiated) the STARTTLS comment. Also, you can define what methods Postfix accepts by modifying the smtp_sasl_security_options directive.