From: "Joerg Mertin"
To: gentoo-security@lists.gentoo.org
Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
Subject: Re: [gentoo-security] postfix and SASL
Message-ID: <31588.80.146.243.75.1128518122.squirrel@stargate.solsys.org>
In-Reply-To: <6.2.3.4.0.20051005080634.01c63a70@op.oxpub.com>

OK - as this seems to be quite difficult for many - here is my configuration of postfix - TLS and SASL parts only:

## TLS
# Transport Layer Security
#
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_sasl_local_domain =

This setup has worked here for 2 years ...

Cheers
Joerg

> Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> this:
>
> 538: Encryption required for requested authentication mechanism.
>
> What does this mean?
>
> I could really use some help on this... it's been bugging me for weeks now.
>
> Also, I do have the smtpd_tls_auth_only = yes line
>
>
> Please help
>
> blargh.
>
> Your fellow befumbled gentoo user.
>
>
>>Date: Wed, 05 Oct 2005 12:36:01 +0100
>>From: Jonathan Wright
>>To: gentoo-security@lists.gentoo.org
>>Subject: Re: [gentoo-security] postfix and SASL
>>
>>Benjamin A'Lee wrote:
>>>>Not sure but: why on port 25 and not on 465 ?
>>>I don't think it actually matters which port; IIRC it just enables
>>>STARTTLS by default on 465.
>>
>>Port 465 is for SSL (i.e. secure communication before any
>>application data is transferred) and Port 25 accepts TLS (where the
>>data is secured once both parties accept, however, application data
>>transfer has occurred).
>>
>>Anyway, with telnet you can't talk on port 465 :)
>>
>> > I have confirmed postfix is indeed compiled with SASL support. And I
>> > have TLS working great. However when I telnet to port 25 and issue the
>> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
>> > lines...
>>
>>Depending on the configuration, AUTH PLAIN can either be disabled,
>>or more likely, it's only sent should STARTTLS be issued. I have the
>>following lines in my main.cf:
>>
>>-- cut -----------------------------------------
>># SMTPD SERVER CONTROLS
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous, noplaintext
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_local_domain =
>>smtpd_recipient_restrictions = permit_sasl_authenticated,
>>permit_mynetworks, reject_unauth_destination
>>
>>smtpd_use_tls = yes
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>>smtpd_tls_loglevel = 1
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>-- cut -----------------------------------------
>>
>>TLS is enabled, but smtpd_tls_auth_only will only permit
>>authorization from clients who have issued (and successfully
>>negotiated) the STARTTLS command.
>>
>>Also, you can define what methods Postfix accepts by modifying the
>>smtp_sasl_security_options directive.
>>
>>HTH,
>>
>>--
>> Jonathan Wright ~ mail at djnauk.co.uk
>>                 ~ www.djnauk.co.uk
>>--
>> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
>> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
>>--
>> "I don't mind straight people as long as they act gay in
>>  public."
>>
>>  ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
>>--
>>gentoo-security@gentoo.org mailing list
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> jstrusz@oxpub.com
> http://www.nightclub.com
>
>

--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
--
gentoo-security@gentoo.org mailing list
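Added example, not part of this thread or of Postfix itself: a small Python model of how the main.cf settings quoted above (smtpd_tls_auth_only, smtpd_sasl_security_options) decide whether AUTH is advertised and how an AUTH command is answered, reproducing the 538 reply from the original question and showing why the two posted configurations differ once STARTTLS is up. Assumptions: INSTALLED_MECHS stands in for whatever Cyrus SASL actually provides, the TLS handshake itself is not modelled, and the 535/502 reply texts are approximate.

```python
# Constructed model (not Postfix source) of how smtpd decides which SASL
# mechanisms to offer and how it answers AUTH, driven by main.cf settings.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # password travels in the clear
INSTALLED_MECHS = ["PLAIN", "LOGIN", "CRAM-MD5", "ANONYMOUS"]  # assumed Cyrus set

def offered_mechanisms(cfg, tls_active):
    """Mechanisms smtpd would list in its EHLO 'AUTH' line, if any."""
    if cfg.get("smtpd_sasl_auth_enable", "no") != "yes":
        return []
    if cfg.get("smtpd_tls_auth_only", "no") == "yes" and not tls_active:
        return []                      # AUTH is hidden until STARTTLS is done
    opts = cfg.get("smtpd_sasl_security_options", "noanonymous")
    if tls_active:                     # TLS list defaults to the non-TLS list
        opts = cfg.get("smtpd_sasl_tls_security_options", opts)
    opts = {o.strip() for o in opts.split(",")}
    mechs = list(INSTALLED_MECHS)
    if "noanonymous" in opts:
        mechs = [m for m in mechs if m != "ANONYMOUS"]
    if "noplaintext" in opts:          # removes PLAIN/LOGIN even over TLS
        mechs = [m for m in mechs if m not in PLAINTEXT_MECHS]
    return mechs

def smtpd(cfg, commands):
    """Replay client commands against the model; one reply string per command."""
    tls, replies = False, []
    for cmd in commands:
        parts = cmd.split()
        verb = parts[0].upper() if parts else ""
        if verb == "EHLO":
            caps = ["250-mail.example.invalid"] + (["250-STARTTLS"] if cfg.get("smtpd_use_tls") == "yes" and not tls else [])
            mechs = offered_mechanisms(cfg, tls)
            if mechs:
                caps.append("250-AUTH " + " ".join(mechs))
            caps.append("250 8BITMIME")
            replies.append("\n".join(caps))
        elif verb == "STARTTLS" and cfg.get("smtpd_use_tls") == "yes":
            tls = True                 # handshake itself is not modelled
            replies.append("220 2.0.0 Ready to start TLS")
        elif verb == "AUTH":
            mech = parts[1].upper() if len(parts) > 1 else ""
            if cfg.get("smtpd_tls_auth_only") == "yes" and not tls:
                replies.append("538 Encryption required for requested authentication mechanism")
            elif mech not in offered_mechanisms(cfg, tls):
                replies.append("535 Error: authentication failed")
            else:
                replies.append("334 ")  # server now waits for credentials
        else:
            replies.append("502 Error: command not recognized")
    return replies
```

Feeding the first configuration a plain-port-25 session (EHLO, AUTH PLAIN, STARTTLS, EHLO, AUTH PLAIN) yields no AUTH line and then the 538 reply before STARTTLS, and an AUTH line plus 334 after it; the second configuration, with noplaintext, never offers PLAIN at all.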