Gentoo Archives: gentoo-security

From: Joe Strusz <jstrusz@×××××.com>
To: gentoo-security@l.g.o
Subject: Fwd: Re: [gentoo-security] postfix and SASL
Date: Wed, 05 Oct 2005 13:31:14
Message-Id: 6.2.3.4.0.20051005082134.01cb6cf8@op.oxpub.com

OK, well I disabled the smtpd_tls_auth_only line.

And now whenever I try to connect via, say, Outlook Express on a client
machine...

I check the box that says, "my outgoing server requires
authentication", and I do get the password prompt, however whichever
login/password I try to use, it gets rejected, over and over and over again...

Any suggestions?

>Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
>Subject: Re: [gentoo-security] postfix and SASL
>From: "Joerg Mertin" <smurphy@××××××.org>
>To: gentoo-security@l.g.o
>
>OK - as this seems to be quite difficult for many - here is my configuration
>of postfix - TLS and SASL parts only:
>
>## TLS
># Transport Layer Security
>#
>smtpd_use_tls = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
>smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
>smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
>smtpd_tls_loglevel = 3
>smtpd_tls_received_header = yes
>smtpd_tls_session_cache_timeout = 3600s
>tls_random_source = dev:/dev/urandom
>
># SASL SUPPORT FOR CLIENTS
>#
># The following options set parameters needed by Postfix to enable
># Cyrus-SASL support for authentication of mail clients.
>#
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_data_restrictions = reject_unauth_pipelining
>smtpd_sasl_local_domain =
>
>
>This setup works here for 2 Years ...
>Cheers
>
>Joerg
>
>
><quote who="Joe Strusz">
> > Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> > this:
> >
> > 538: Encryption required for requested authentication mechanism.
> >
> > What does this mean?
> >
> > I could really use some help on this... it's been bugging me for weeks now.
> >
> > Also, I do have smtpd_tls_auth_only = yes line
> >
> >
> > Please help
> >
> > blargh.
> >
> > Your fellow befumbled gentoo user.
> >
> >
> >
> >>Date: Wed, 05 Oct 2005 12:36:01 +0100
> >>From: Jonathan Wright <mail@×××××××××.uk>
> >>To: gentoo-security@l.g.o
> >>Subject: Re: [gentoo-security] postfix and SASL
> >>
> >>Benjamin A'Lee wrote:
> >>>>Not sure but: why on port 25 and not on 465 ?
> >>>I don't think it actually matters which port; IIRC it just enables
> >>>STARTTLS by default on 465.
> >>
> >>Port 465 is for SSL (i.e. secure communication before any
> >>application data is transferred) and Port 25 accepts TLS (where the
> >>data is secured once both parties accept, however, application data
> >>transfer has occurred).
> >>
> >>Anyway, with telnet you can't talk on port 465 :)
> >>
> >> > I have confirmed postfix is indeed compiled with SASL support. And I
> >> > have TLS working great. However when I telnet to port 25 and issue the
> >> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
> >> > lines...
> >>
> >>Depending on the configuration, AUTH PLAIN can either be disabled,
> >>or more likely, it's only sent should STARTTLS be issued. I have the
> >>following lines in my main.cf:
> >>
> >>-- cut -----------------------------------------
> >># SMTPD SERVER CONTROLS
> >>smtpd_sasl_auth_enable = yes
> >>smtpd_sasl_security_options = noanonymous, noplaintext
> >>broken_sasl_auth_clients = yes
> >>smtpd_sasl_local_domain =
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>    permit_mynetworks, reject_unauth_destination
> >>
> >>smtpd_use_tls = yes
> >>smtpd_tls_auth_only = yes
> >>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
> >>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
> >>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
> >>smtpd_tls_loglevel = 1
> >>smtpd_tls_received_header = yes
> >>smtpd_tls_session_cache_timeout = 3600s
> >>tls_random_source = dev:/dev/urandom
> >>-- cut -----------------------------------------
> >>
> >>TLS is enabled, but smtpd_tls_auth_only will only permit
> >>authorization from clients who have issued (and successfully
> >>negotiated) the STARTTLS comment.
> >>
> >>Also, you can define what methods Postfix accepts by modifying the
> >>smtp_sasl_security_options directive.
> >>
> >>HTH,
> >>
> >>--
> >> Jonathan Wright ~ mail at djnauk.co.uk
> >> ~ www.djnauk.co.uk
> >>--
> >> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
> >> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
> >>--
> >> "I don't mind straight people as long as they act gay in
> >> public."
> >>
> >> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
> >>--
> >>gentoo-security@g.o mailing list
> >
> >
> > Joe Strusz
> >
> > IT Assistant
> > Oxford Publishing, Inc.
> > 307 West Jackson Avenue
> > Oxford, MS 38655-2154
> > 800-247-3881
> > 662-236-5510x40
> > jstrusz@×××××.com
> > http://www.nightclub.com
> >
> >
> > --
> > gentoo-security@g.o mailing list
> >
> >
>
>--
>------------------------------------------------------------------------
>| Joerg Mertin            : smurphy@××××××.org (Home)|
>| in Forchheim/Germany    : smurphy@×××××.de (Alt1)|
>| Stardust's LiNUX System :                          |
>| Web: http://www.solsys.org                         |
>------------------------------------------------------------------------
>PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
>
>
>
>--
>gentoo-security@g.o mailing list

Joe Strusz

IT Assistant
Oxford Publishing, Inc.
307 West Jackson Avenue
Oxford, MS 38655-2154
800-247-3881
662-236-5510x40
jstrusz@×××××.com
http://www.nightclub.com

--
gentoo-security@g.o mailing list
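
The interaction between `smtpd_tls_auth_only` and `smtpd_sasl_security_options` discussed in this thread can be checked from a `main.cf` before touching a mail client. The following is an added example, not part of the original messages: the sample configurations are constructed from the two quoted in the thread, and the `OFFERED` mechanism list is an assumption about what the SASL library provides.

```python
# Added example (not from the thread): predict where a Postfix smtpd offers AUTH.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that transmit the password itself
DEFAULTS = {  # Postfix defaults for the parameters evaluated below
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
}
# Constructed from the two configurations quoted in the thread (SASL/TLS keys only).
JOERG = """\
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""
JONATHAN = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_tls_auth_only = yes
"""
OFFERED = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"]  # assumed SASL plugin list

def parse_main_cf(text):
    """Parse 'key = value' lines, '#' comments and indented continuation lines."""
    cfg, key = dict(DEFAULTS), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:  # continuation of the previous parameter
            cfg[key] = (cfg[key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        cfg[key] = value.strip()
    return cfg

def auth_exposure(cfg, offered=OFFERED):
    """Return (mechanisms offered before STARTTLS, mechanisms offered after it)."""
    if cfg["smtpd_sasl_auth_enable"] != "yes":
        return [], []
    opts = set(cfg["smtpd_sasl_security_options"].replace(",", " ").split())
    mechs = [m for m in offered
             if not ("noplaintext" in opts and m in PLAINTEXT_MECHS)
             and not ("noanonymous" in opts and m == "ANONYMOUS")]
    return ([] if cfg["smtpd_tls_auth_only"] == "yes" else mechs), mechs

if __name__ == "__main__":
    print(auth_exposure(parse_main_cf(JOERG)), auth_exposure(parse_main_cf(JONATHAN)))
```

An empty first list corresponds to the EHLO output described in the thread, where STARTTLS is announced but no AUTH line appears until TLS is negotiated. Commenting out `smtpd_tls_auth_only` makes the first list equal to the second, so PLAIN and LOGIN credentials would be accepted over an unencrypted session.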

Replies

Subject Author
Re: Fwd: Re: [gentoo-security] postfix and SASL Joerg Mertin <smurphy@××××××.org>
Re: Fwd: Re: [gentoo-security] postfix and SASL Jonathan Wright <mail@×××××××××.uk>