On 5/9/23 14:31, Michel Verdier wrote:
Dovecot with PAM needs the plaintext method. So if Postfix disables it, they
can't share a method.
You have to be careful to require that any plaintext client password
travels over a TLS-secured connection:
smtpd_tls_auth_only = yes
More generally, it's good practice to configure the preferred ciphers and
protocols explicitly. This is part of my Postfix configuration:
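# TLS parameters
tls_random_source = dev:/dev/urandom
# smtpd_use_tls / smtp_use_tls are the pre-2.3 switches; the *_tls_security_level
# settings below supersede them and are what current Postfix consults.
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# SASL is delegated to Dovecot over its auth socket. Which mechanisms are
# offered before/after STARTTLS is controlled by smtpd_sasl_security_options
# and smtpd_sasl_tls_security_options (not set here, so Postfix defaults apply).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# "may" = opportunistic TLS: used when the peer offers it, cleartext otherwise.
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
# Do not advertise AUTH on a cleartext connection, so plaintext SASL
# credentials never cross the wire unencrypted.
smtpd_tls_auth_only = yes
# The parameter name is historical; the effective DH group size is whatever the
# file contains. If it is still a 1024-bit group, regenerate it at >= 2048 bits.
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# From Redhat
# Protocols. The previous comment claimed "TLSv1.2 only" but only SSLv2 was
# excluded, leaving SSLv3, TLSv1 and TLSv1.1 enabled. The *mandatory* lists
# (used when security_level = encrypt, e.g. a submission service) now permit
# TLSv1.2 and newer only. The opportunistic lists stay more permissive and
# drop just SSLv2/SSLv3, because with level "may" the alternative to an old
# TLS version is falling back to cleartext. On Postfix >= 3.6 the shorthand
# ">=TLSv1.2" expresses the same mandatory restriction.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3
# Ciphers
# Currently recommended ciphers, excluding DES-based ciphers to avoid the
# SWEET32 attack, and removing SHA1-based ciphers, which leaves the SHA256
# and SHA384 variants.
# Note: smtp_tls_exclude_ciphers / smtp_tls_ciphers also govern opportunistic
# (level "may") outbound sessions; a peer that offers only excluded suites
# ends up on cleartext rather than on a weaker cipher.
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# main.cf continuation lines must begin with whitespace.
# kRSA and kECDH key exchange are retained for compatibility but provide no
# forward secrecy. The ECDHE/DHE groups are listed first, but Postfix follows
# the client's preference order unless tls_preempt_cipherlist = yes.
tls_high_cipherlist =
    kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SHA
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
# End from Redhat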