Gentoo Archives: gentoo-security

From: Joe Strusz <jstrusz@×××××.com>
To: gentoo-security@l.g.o
Subject: Fwd: Re: [gentoo-security] postfix and SASL
Date: Wed, 05 Oct 2005 13:31:14
Message-Id: 6.2.3.4.0.20051005082134.01cb6cf8@op.oxpub.com
OK, well I disabled the smtpd_tls_auth_only line.

And now whenever I try to connect via, say, Outlook Express on a client
machine...

I check the box that says, "my outgoing server requires
authentication", and I do get the password prompt, however whichever
login/password I try to use it gets rejected, over and over and over again...


Any suggestions?

>Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
>Subject: Re: [gentoo-security] postfix and SASL
>From: "Joerg Mertin" <smurphy@××××××.org>
>To: gentoo-security@l.g.o
>
>OK - as this seems to be quite difficult for many - here is my configuration
>of postfix - TLS and SASL parts only:
>
>## TLS
># Transport Layer Security
>#
>smtpd_use_tls = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
>smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
>smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
>smtpd_tls_loglevel = 3
>smtpd_tls_received_header = yes
>smtpd_tls_session_cache_timeout = 3600s
>tls_random_source = dev:/dev/urandom
>
># SASL SUPPORT FOR CLIENTS
>#
># The following options set parameters needed by Postfix to enable
># Cyrus-SASL support for authentication of mail clients.
>#
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_data_restrictions = reject_unauth_pipelining
>smtpd_sasl_local_domain =
>
>
>This setup has worked here for 2 years ...
>Cheers
>
>Joerg
>
>
><quote who="Joe Strusz">
> > Whenever I telnet to port 25 and issue the AUTH PLAIN command, I receive
> > this:
> >
> > 538: Encryption required for requested authentication mechanism.
> >
> > What does this mean?
> >
> > I could really use some help on this... it's been bugging me for weeks now.
> >
> > Also, I do have the smtpd_tls_auth_only = yes line
> >
> >
> > Please help
> >
> > blargh.
> >
> > Your fellow befumbled gentoo user.
> >
> >
> >
> >>Date: Wed, 05 Oct 2005 12:36:01 +0100
> >>From: Jonathan Wright <mail@×××××××××.uk>
> >>To: gentoo-security@l.g.o
> >>Subject: Re: [gentoo-security] postfix and SASL
> >>
> >>Benjamin A'Lee wrote:
> >>>>Not sure but: why on port 25 and not on 465?
> >>>I don't think it actually matters which port; IIRC it just enables
> >>>STARTTLS by default on 465.
> >>
> >>Port 465 is for SSL (i.e. secure communication before any
> >>application data is transferred) and Port 25 accepts TLS (where the
> >>data is secured once both parties accept, however, application data
> >>transfer has occurred).
> >>
> >>Anyway, with telnet you can't talk on port 465 :)
> >>
> >> > I have confirmed postfix is indeed compiled with SASL support. And I
> >> > have TLS working great. However when I telnet to port 25 and issue the
> >> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
> >> > lines...
> >>
> >>Depending on the configuration, AUTH PLAIN can either be disabled,
> >>or more likely, it's only sent should STARTTLS be issued. I have the
> >>following lines in my main.cf:
> >>
> >>-- cut -----------------------------------------
> >># SMTPD SERVER CONTROLS
> >>smtpd_sasl_auth_enable = yes
> >>smtpd_sasl_security_options = noanonymous, noplaintext
> >>broken_sasl_auth_clients = yes
> >>smtpd_sasl_local_domain =
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>    permit_mynetworks, reject_unauth_destination
> >>
> >>smtpd_use_tls = yes
> >>smtpd_tls_auth_only = yes
> >>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
> >>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
> >>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
> >>smtpd_tls_loglevel = 1
> >>smtpd_tls_received_header = yes
> >>smtpd_tls_session_cache_timeout = 3600s
> >>tls_random_source = dev:/dev/urandom
> >>-- cut -----------------------------------------
> >>
> >>TLS is enabled, but smtpd_tls_auth_only will only permit
> >>authorization from clients who have issued (and successfully
> >>negotiated) the STARTTLS command.
> >>
> >>Also, you can define what methods Postfix accepts by modifying the
> >>smtp_sasl_security_options directive.
> >>
> >>HTH,
> >>
> >>--
> >> Jonathan Wright ~ mail at djnauk.co.uk
> >> ~ www.djnauk.co.uk
> >>--
> >> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
> >> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
> >>--
> >> "I don't mind straight people as long as they act gay in
> >> public."
> >>
> >> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
> >>--
> >>gentoo-security@g.o mailing list
> >
> >
> > Joe Strusz
> >
> > IT Assistant
> > Oxford Publishing, Inc.
> > 307 West Jackson Avenue
> > Oxford, MS 38655-2154
> > 800-247-3881
> > 662-236-5510x40
> > jstrusz@×××××.com
> > http://www.nightclub.com
> >
> >
> > --
> > gentoo-security@g.o mailing list
> >
> >
>
>
>--
>------------------------------------------------------------------------
>| Joerg Mertin : smurphy@××××××.org (Home)|
>| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
>| Stardust's LiNUX System : |
>| Web: http://www.solsys.org |
>------------------------------------------------------------------------
>PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
>
>
>
>--
>gentoo-security@g.o mailing list


Joe Strusz

IT Assistant
Oxford Publishing, Inc.
307 West Jackson Avenue
Oxford, MS 38655-2154
800-247-3881
662-236-5510x40
jstrusz@×××××.com
http://www.nightclub.com


--
gentoo-security@g.o mailing list
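
Added example, not part of the original thread or of Postfix: a small Python audit of the main.cf parameters quoted above that reports whether SMTP AUTH is reachable before STARTTLS, which is the state a server is in once smtpd_tls_auth_only is disabled. The function names, finding labels and sample configs are constructed for illustration; the parameter names are the ones quoted in the thread.

```python
import re

def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines, 'name = value' lines, and
    continuation lines (a line starting with whitespace extends the previous one)."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_sasl_tls(text):
    """Return findings on whether SMTP AUTH is reachable before STARTTLS."""
    p = parse_main_cf(text)
    def enabled(key):                      # Postfix default for all three is "no"
        return p.get(key, "no").lower() == "yes"
    # Postfix default for smtpd_sasl_security_options is "noanonymous"
    opts = set(re.split(r"[,\s]+", p.get("smtpd_sasl_security_options", "noanonymous").lower()))
    if not enabled("smtpd_sasl_auth_enable"):
        return ["sasl-disabled"]
    findings = []
    if not enabled("smtpd_use_tls"):
        findings.append("starttls-not-offered")
    if not enabled("smtpd_tls_auth_only"):
        findings.append("auth-before-tls-without-plaintext-mechs" if "noplaintext" in opts
                        else "plaintext-auth-before-tls")
    if "noanonymous" not in opts:
        findings.append("anonymous-auth-allowed")
    return findings

# Constructed samples built from the parameters quoted in the thread.
TLS_REQUIRED = """
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""
# Same config with the smtpd_tls_auth_only line disabled (commented out).
TLS_OPTIONAL = TLS_REQUIRED.replace("smtpd_tls_auth_only", "#smtpd_tls_auth_only")

if __name__ == "__main__":
    for label, cfg in (("tls required", TLS_REQUIRED), ("tls optional", TLS_OPTIONAL)):
        print(label, audit_sasl_tls(cfg) or "ok")
```

The "plaintext-auth-before-tls" finding means PLAIN or LOGIN credentials can be sent on the unencrypted session, where they are only base64-encoded.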

Replies

Subject Author
Re: Fwd: Re: [gentoo-security] postfix and SASL Joerg Mertin <smurphy@××××××.org>
Re: Fwd: Re: [gentoo-security] postfix and SASL Jonathan Wright <mail@×××××××××.uk>