Re: auth service over tls
I was testing this setup a bit, putting them on different servers, since these options are implemented. What I was not sure about was whether they support TLS as well. So Postfix-Dovecot SASL AUTH is not supported. Is TLS LMTP supported between Postfix and Dovecot? I see that Dovecot LMTP supports a TLS connection, but I'm not sure if Postfix can make the initial TLS request. I could only exchange data over LMTP in plain (no TLS) between Postfix and Dovecot.

Regards,
Ibra

On Thu, 16 Nov 2023 at 12:28, Nick Lockheart wrote:
> Are Postfix and Dovecot running on the same server? If so, you might be better served by connecting with a UNIX socket rather than TCP. I'm not sure there is much security benefit to using TLS on the loopback interface, which is what was in your example from the previous email.
>
> And to clarify, Postfix supports TLS for authentication between an email program like Thunderbird and the Postfix server, but does not support TLS for the SASL AUTH *service* connection from Postfix to the AUTH provider (Dovecot or Cyrus-SASL).
>
> Also, please use the group reply function so your email goes to the list; this email only went to me.
>
> On Thu, 2023-11-16 at 09:38 +, ibra wrote:
> > Good Morning, thank you for your fast response, and sorry for not answering before, I forgot to check the spam folder.
> >
> > Good to know that Postfix does not support SASL AUTH over TLS, because actually I was planning to use it. I started with Dovecot to check if the auth port supports TLS. For that I launched a TLS handshake using openssl, with this command:
> >
> > $ openssl s_client -servername mail.sample.com -connect localhost:12345
> >
> > But I got an error. (In summary, Dovecot ends the connection.) Anyway, it would be awesome if in the future both Postfix and Dovecot could support it.
> >
> > On the LMTP port, the TLS handshake worked on the Dovecot side; now I have to configure Postfix to make the request to Dovecot LMTP over TLS. With Postfix I was able to send data to the Dovecot LMTP port, but it was not over TLS.
> >
> > Do you know what settings I should enable on the Postfix side?
> >
> > Regards,
> > Ibra.
> >
> > On Wed, 15 Nov 2023 at 11:08, Nick Lockheart wrote:
> > > On Wed, 2023-11-15 at 10:00 +, ibra wrote:
> > > > Hi, I'm trying to run TLS connections for both the auth and lmtp services. For lmtp it is ok; for the auth service I couldn't make it. I configured Dovecot with the following configuration in the file "conf.d/10-myconfig.conf":
> > >
> > > Which MTA are you trying to connect from? Postfix does not support SASL AUTH over TLS, for example.
___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: auth service over tls
hameos@gmail.com wrote on 2023-11-17 13:10:
> Ok ok, so the conversation is done. Just checking if it allows you to introduce other commands.

Just stop using telnet if TLS is tested; openssl s_client is the only supported DEBUG tool. Don't add debug in config if not asked.
Re: auth service over tls
Ok ok, so the conversation is done. Just checking if it allows you to introduce other commands.
Re: auth service over tls
> On 17/11/2023 13:55 EET hameos@gmail.com wrote:
>
> Yep, testing purpose. In my config I set both lmtp and auth services with "ssl = yes", and then launch a client TLS connection:
>
> openssl s_client -servername mail.sample.com -connect localhost:12345
>
> (and on port 24)
>
> What I saw is:
> - port 24 (lmtp) - TLS handshake was done
> - port 12345 (SASL auth) - Error version
>
> So later I did:
> $ telnet localhost 12345
>
> Below is the trace of the conversation, where is what server returns me, and is the command I introduced.
> Note: spaces shown below are , like specified here https://doc.dovecot.org/developer_manual/design/auth_protocol/
>
> VERSION 1 2
> MECH PLAIN plaintext
> MECH LOGIN plaintext
> SPID 478
> CUID 11
> COOKIE 37fefe8d32a7efd948538b7a33067e2d
> DONE
> VERSION 1 0
> CPID 87
> AUTH 11 LOGIN service=smtp debug
> AUTH 11 LOGIN service=smtp debug
> CONT 11 VXNlcm5hbWU6
> CONT 11 dGVzdA==
> CONT 11 UGFzc3dvcmQ6
> CONT 11 ZBmtdC==
> OK 11 user=test
>
> So now what? How can I list the commands available? I didn't see in the docs where to find this info.

Not sure what "commands" you are after? The OK 11 says it's succeeded for user test.

Aki
Re: auth service over tls
Yep, testing purpose. In my config I set both lmtp and auth services with "ssl = yes", and then launch a client TLS connection:

openssl s_client -servername mail.sample.com -connect localhost:12345

(and on port 24)

What I saw is:
- port 24 (lmtp) - TLS handshake was done
- port 12345 (SASL auth) - Error version

So later I did:
$ telnet localhost 12345

Below is the trace of the conversation, where is what server returns me, and is the command I introduced.
Note: spaces shown below are , like specified here https://doc.dovecot.org/developer_manual/design/auth_protocol/

VERSION 1 2
MECH PLAIN plaintext
MECH LOGIN plaintext
SPID 478
CUID 11
COOKIE 37fefe8d32a7efd948538b7a33067e2d
DONE
VERSION 1 0
CPID 87
AUTH 11 LOGIN service=smtp debug
AUTH 11 LOGIN service=smtp debug
CONT 11 VXNlcm5hbWU6
CONT 11 dGVzdA==
CONT 11 UGFzc3dvcmQ6
CONT 11 ZBmtdC==
OK 11 user=test

So now what? How can I list the commands available? I didn't see in the docs where to find this info.
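As an added illustration (not code from the thread or from Dovecot), the exchange in the message above parsed and rebuilt in Python: the server lines as the Dovecot auth client protocol sends them, TAB-separated, with the base64 prompts decoded, plus the client side of one LOGIN request. The trace values are constructed after the ones quoted in the message, and the password used is a placeholder.

```python
import base64

# Constructed sample modelled on the telnet trace in the message above; on the
# wire every field is TAB-separated (the e-mail rendered the tabs as spaces).
SERVER_TRACE = [
    "VERSION\t1\t2",
    "MECH\tPLAIN\tplaintext",
    "MECH\tLOGIN\tplaintext",
    "CUID\t11",
    "COOKIE\t37fefe8d32a7efd948538b7a33067e2d",
    "DONE",
    "CONT\t11\tVXNlcm5hbWU6",  # server prompt: base64("Username:")
    "CONT\t11\tUGFzc3dvcmQ6",  # server prompt: base64("Password:")
    "OK\t11\tuser=test",
]

def b64(text):
    return base64.b64encode(text.encode()).decode()

def parse_server_trace(lines):
    """Parse server-to-client lines of the Dovecot auth client protocol."""
    state = {"version": None, "mechs": {}, "prompts": [], "result": None}
    for line in lines:
        cmd, *args = line.split("\t")
        if cmd == "VERSION":
            state["version"] = (int(args[0]), int(args[1]))
        elif cmd == "MECH":
            state["mechs"][args[0]] = set(args[1:])  # flags such as "plaintext"
        elif cmd == "CONT":
            state["prompts"].append(base64.b64decode(args[1]).decode())
        elif cmd in ("OK", "FAIL"):
            kv = dict(a.split("=", 1) for a in args[1:] if "=" in a)
            state["result"] = (cmd, int(args[0]), kv)
    return state

def plaintext_mechs(state):
    """Mechanisms flagged plaintext: the password crosses the socket base64-encoded,
    not encrypted, which is why this service belongs on a UNIX socket or loopback."""
    return sorted(m for m, flags in state["mechs"].items() if "plaintext" in flags)

def client_login_lines(req_id, username, password, cpid, service="smtp"):
    """Client-to-server lines for one LOGIN request, as the quoted session sent them."""
    return [
        "VERSION\t1\t0",
        f"CPID\t{cpid}",
        f"AUTH\t{req_id}\tLOGIN\tservice={service}",
        f"CONT\t{req_id}\t{b64(username)}",  # reply to the Username: prompt
        f"CONT\t{req_id}\t{b64(password)}",  # reply to the Password: prompt
    ]
```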
Re: auth service over tls
ibra wrote on 2023-11-15 11:00:
> Is something else I'm missing?

rfc 1700
rfc 1918

tls on loopback is imho overkill, if it just was an example ok :=)

use mta if more lmtp connections are in need, e.g. don't open port 24 public on dovecot