Benjamin A'Lee wrote:
Not sure but: why on port 25 and not on 465 ?
I don't think it actually matters which port; IIRC it just enables
STARTTLS by default on 465.
Port 465 is for SSL (i.e. secure communication before any application
data is transferred) and Port 25 accepts TLS (where the data is secured
once both parties accept, however, application data transfer has occurred).
Anyway, with telnet you can't talk on port 465 :)
> I have confirmed postfix is indeed compiled with SASL support. And I
> have TLS working great. However when I telnet to port 25 and issue the
> ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
> lines...
Depending on the configuration, AUTH PLAIN can either be disabled, or
more likely, it's only sent should STARTTLS be issued. I have the
following lines in my main.cf:
-- cut -----------------------------------------
# SMTPD SERVER CONTROLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
-- cut -----------------------------------------
TLS is enabled, but smtpd_tls_auth_only will only permit authorization
from clients who have issued (and successfully negotiated) the STARTTLS
command.
Also, you can define what methods Postfix accepts by modifying the
smtp_sasl_security_options directive.
HTH,
--
Jonathan Wright ~ mail at djnauk.co.uk
~ www.djnauk.co.uk
--
2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
--
"I don't mind straight people as long as they act gay in
public."
~ T-shirt worn by Dennis Rodman of the Chicago Bulls
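
An added example, not part of the original post: the telnet check discussed above, automated over the EHLO replies seen before and after STARTTLS, so you can tell whether AUTH is hidden until TLS (the effect of smtpd_tls_auth_only = yes) or offered in cleartext. The sample replies, the hostname and the function names parse_ehlo and auth_exposure are constructed for illustration.

```python
import re

# Constructed sample replies (not captured from a real server): what a
# client sees from EHLO on port 25 before and after a successful STARTTLS.
PRE_TLS = """250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

POST_TLS = """250-mail.example.org
250-PIPELINING
250-AUTH DIGEST-MD5 CRAM-MD5
250-AUTH=DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line only carries the server name
        if line[:4] not in ("250-", "250 "):
            raise ValueError("not a 250 reply line: %r" % line)
        # "AUTH=..." is the legacy form Postfix adds when
        # broken_sasl_auth_clients = yes; fold it into AUTH.
        parts = re.split(r"[ =]", line[4:], maxsplit=1)
        params = " ".join(parts[1:]).upper().split()
        caps.setdefault(parts[0].upper(), set()).update(params)
    return caps

def auth_exposure(pre_tls, post_tls):
    """Classify where AUTH is advertised; returns (verdict, mechanisms)."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    if "AUTH" in pre:
        # Credentials could be sent before encryption is negotiated.
        return "cleartext-auth", sorted(pre["AUTH"])
    if "STARTTLS" not in pre:
        return "no-starttls", []
    if "AUTH" in post:
        # Matches smtpd_tls_auth_only = yes: AUTH appears only after TLS.
        return "tls-only-auth", sorted(post["AUTH"])
    return "auth-not-offered", []

if __name__ == "__main__":
    print(auth_exposure(PRE_TLS, POST_TLS))
```
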