Gentoo Archives: gentoo-security

From: Joerg Mertin <smurphy@××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] postfix and SASL
Date: Wed, 05 Oct 2005 13:26:13
Message-Id: 31588.80.146.243.75.1128518122.squirrel@stargate.solsys.org
In Reply to: Re: [gentoo-security] postfix and SASL by Joe Strusz
OK - as this seems to be quite difficult for many - here is my configuration
of postfix - TLS and SASL parts only:

## TLS
# Transport Layer Security
#
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_sasl_local_domain =


This setup has worked here for 2 years ...
Cheers

Joerg


<quote who="Joe Strusz">
> Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> this:
>
> 538: Encryption required for requested authentication mechanism.
>
> What does this mean?
>
> I could really use some help on this... it's been bugging me for weeks now.
>
> Also, I do have the smtpd_tls_auth_only = yes line
>
>
> Please help
>
> blargh.
>
> Your fellow befumbled gentoo user.
>
>
>
>>Date: Wed, 05 Oct 2005 12:36:01 +0100
>>From: Jonathan Wright <mail@×××××××××.uk>
>>To: gentoo-security@l.g.o
>>Subject: Re: [gentoo-security] postfix and SASL
>>
>>Benjamin A'Lee wrote:
>>>>Not sure but: why on port 25 and not on 465 ?
>>>I don't think it actually matters which port; IIRC it just enables
>>>STARTTLS by default on 465.
>>
>>Port 465 is for SSL (i.e. secure communication before any
>>application data is transferred) and Port 25 accepts TLS (where the
>>data is secured once both parties accept, however, application data
>>transfer has occurred).
>>
>>Anyway, with telnet you can't talk on port 465 :)
>>
>> > I have confirmed postfix is indeed compiled with SASL support. And I
>> > have TLS working great. However when I telnet to port 25 and issue the
>> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
>> > lines...
>>
>>Depending on the configuration, AUTH PLAIN can either be disabled,
>>or more likely, it's only sent should STARTTLS be issued. I have the
>>following lines in my main.cf:
>>
>>-- cut -----------------------------------------
>># SMTPD SERVER CONTROLS
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous, noplaintext
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_local_domain =
>>smtpd_recipient_restrictions = permit_sasl_authenticated,
>>    permit_mynetworks, reject_unauth_destination
>>
>>smtpd_use_tls = yes
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>>smtpd_tls_loglevel = 1
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>-- cut -----------------------------------------
>>
>>TLS is enabled, but smtpd_tls_auth_only will only permit
>>authorization from clients who have issued (and successfully
>>negotiated) the STARTTLS command.
>>
>>Also, you can define what methods Postfix accepts by modifying the
>>smtp_sasl_security_options directive.
>>
>>HTH,
>>
>>--
>> Jonathan Wright ~ mail at djnauk.co.uk
>> ~ www.djnauk.co.uk
>>--
>> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
>> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
>>--
>> "I don't mind straight people as long as they act gay in
>> public."
>>
>> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
>>--
>>gentoo-security@g.o mailing list
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> jstrusz@×××××.com
> http://www.nightclub.com
>
>
> --
> gentoo-security@g.o mailing list
>
>


--
------------------------------------------------------------------------
| Joerg Mertin : smurphy@××××××.org (Home)|
| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A



--
gentoo-security@g.o mailing list
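Added example, not part of the thread and not Postfix's own code: a small Python script that checks the behaviour the two configurations above produce. With smtpd_tls_auth_only = yes a plaintext AUTH PLAIN on port 25 is refused with "538 Encryption required for requested authentication mechanism." and the EHLO reply lists AUTH only after STARTTLS has been negotiated, which is why Joe saw STARTTLS but no AUTH lines over telnet. The parser works on the raw EHLO reply text a telnet session shows; probe() does the same live with smtplib. The sample replies are constructed: the hostname is taken from Joerg's config, while the SIZE value and the order of the extensions are assumptions.

```python
"""Classify whether an SMTP server offers SASL AUTH in the clear, only after
STARTTLS, or not at all. Added example; not from the thread or from Postfix."""
import smtplib
import ssl

# Constructed sample EHLO replies, modelled on a Postfix server with the
# settings quoted in the thread. Hostname from the thread; SIZE value and
# extension order are assumptions.
SAMPLE_EHLO_BEFORE_TLS = (
    "250-stargate.solsys.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# After STARTTLS the AUTH line appears. broken_sasl_auth_clients = yes makes
# Postfix also announce the obsolete "AUTH=..." form for old Outlook clients.
SAMPLE_EHLO_AFTER_TLS = (
    "250-stargate.solsys.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_reply(reply: str) -> dict[str, list[str]]:
    """Parse a raw multi-line EHLO reply ("250-KEYWORD params" continuation
    lines, "250 KEYWORD" final line) into {KEYWORD: [PARAMS...]}.

    The first line is the server greeting and is skipped. The obsolete
    "AUTH=PLAIN LOGIN" form is stored under the key "AUTH=" so that the two
    advertisements can be told apart.
    """
    caps: dict[str, list[str]] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        fields = line[4:].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        params = [f.upper() for f in fields[1:]]
        if keyword.startswith("AUTH=") and len(keyword) > len("AUTH="):
            params.insert(0, keyword[len("AUTH="):])  # "AUTH=PLAIN" -> mechanism PLAIN
            keyword = "AUTH="
        caps.setdefault(keyword, []).extend(params)
    return caps


def auth_exposure(before_tls: dict, after_tls: dict) -> str:
    """Classify how the server exposes SASL authentication.

    "plaintext-auth": AUTH advertised before STARTTLS; a client may send its
                      credentials in the clear (smtpd_tls_auth_only not set).
    "tls-only-auth":  AUTH advertised only after STARTTLS; the posture the
                      thread's configurations produce (smtpd_tls_auth_only = yes).
    "no-auth":        AUTH never advertised (SASL disabled or misconfigured).
    """
    def offers_auth(caps: dict) -> bool:
        return any(k in caps for k in ("AUTH", "AUTH="))

    if offers_auth(before_tls):
        return "plaintext-auth"
    if offers_auth(after_tls):
        return "tls-only-auth"
    return "no-auth"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check on port 25 (the port used in the thread's telnet session):
    EHLO, record the features, STARTTLS, EHLO again, classify. Needs network
    access and a certificate the default context trusts; not used by the
    offline tests. smtplib lowercases feature names, hence the upper()."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        if not smtp.has_extn("starttls"):
            return "no-starttls"
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # features must be re-read: the pre-TLS list is not authoritative
        after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return auth_exposure(before, after)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        verdict = auth_exposure(parse_ehlo_reply(SAMPLE_EHLO_BEFORE_TLS),
                                parse_ehlo_reply(SAMPLE_EHLO_AFTER_TLS))
        print("sample replies:", verdict)
```

Run without arguments it classifies the constructed replies; run with a hostname it performs the live EHLO/STARTTLS/EHLO comparison. A "plaintext-auth" verdict on a server that is meant to be configured like the ones above is the thing to look for: it means smtpd_tls_auth_only is not in effect and credentials may be sent before encryption.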