OK, well I disabled the smtpd_tls_auth_only line.
And now whenever I try to connect via, say, Outlook Express on a client
machine...
I check the box that says, "my outgoing server requires
authentication", and I do get the password prompt; however, whichever
login/password I try to use gets rejected, over and over and over again...
Any suggestions?
Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
Subject: Re: [gentoo-security] postfix and SASL
From: "Joerg Mertin" <[EMAIL PROTECTED]>
OK - as this seems to be quite difficult for many - here is my configuration
of postfix - TLS and SASL parts only:
## TLS
# Transport Layer Security
#
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_sasl_local_domain =
This setup has worked here for 2 years ...
Cheers
Joerg
<quote who="Joe Strusz">
> Whenever I telnet to port 25, and issue the AUTH PLAIN command I receive
> this:
>
> 538: Encryption required for requested authentication mechanism.
>
> What does this mean?
>
> I could really use some help on this... it's been bugging me for weeks now.
>
> Also, I do have smtpd_tls_auth_only = yes line
>
>
> Please help
>
> blargh.
>
> Your fellow befumbled gentoo user.
>
>
>
>>Date: Wed, 05 Oct 2005 12:36:01 +0100
>>From: Jonathan Wright <[EMAIL PROTECTED]>
>>
>>Benjamin A'Lee wrote:
>>>>Not sure but: why on port 25 and not on 465 ?
>>>I don't think it actually matters which port; IIRC it just enables
>>>STARTTLS by default on 465.
>>
>>Port 465 is for SSL (i.e. secure communication before any
>>application data is transferred) and Port 25 accepts TLS (where the
>>data is secured once both parties accept, however, application data
>>transfer has occurred).
>>
>>Anyway, with telnet you can't talk on port 465 :)
>>
>> > I have confirmed postfix is indeed compiled with SASL support. And I
>> > have TLS working great. However when I telnet to port 25 and issue the
>> > ehlo command, I do receive the starttls etc... yet no AUTH PLAIN
>> > lines...
>>
>>Depending on the configuration, AUTH PLAIN can either be disabled,
>>or more likely, it's only sent should STARTTLS be issued. I have the
>>following lines in my main.cf:
>>
>>-- cut -----------------------------------------
>># SMTPD SERVER CONTROLS
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous, noplaintext
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_local_domain =
>>smtpd_recipient_restrictions = permit_sasl_authenticated,
>>permit_mynetworks, reject_unauth_destination
>>
>>smtpd_use_tls = yes
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>>smtpd_tls_loglevel = 1
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>-- cut -----------------------------------------
>>
>>TLS is enabled, but smtpd_tls_auth_only will only permit
>>authorization from clients who have issued (and successfully
>>negotiated) the STARTTLS command.
>>
>>Also, you can define what methods Postfix accepts by modifying the
>>smtp_sasl_security_options directive.
>>
>>HTH,
>>
>>--
>> Jonathan Wright ~ mail at djnauk.co.uk
>> ~ www.djnauk.co.uk
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> [EMAIL PROTECTED]
> http://www.nightclub.com
>
>
>
>
--
------------------------------------------------------------------------
| Joerg Mertin : [EMAIL PROTECTED] (Home)|
| in Forchheim/Germany : [EMAIL PROTECTED] (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
Joe Strusz
[email protected] mailing list
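
An added example, not part of the thread and not Postfix code: a Python check for the behaviour discussed above, where smtpd_tls_auth_only = yes should keep AUTH out of the EHLO reply until STARTTLS has completed. The EHLO replies, the host name mail.example.org and all function names are constructed for illustration.

```python
import base64

# Constructed EHLO replies: one captured in cleartext, one inside the TLS session.
PRE_TLS = """250-mail.example.org
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
POST_TLS = """250-mail.example.org
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Map each EHLO keyword to the set of its arguments."""
    ext = {}
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        if not line.startswith("250") or len(line) < 5:
            continue
        text = line[4:].strip()                   # drop "250-" or "250 "
        # broken_sasl_auth_clients = yes adds a non-standard "AUTH=..." line
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]
        parts = text.split()
        if not parts:
            continue
        ext.setdefault(parts[0].upper(), set()).update(p.upper() for p in parts[1:])
    return ext

def auth_plain_token(user, password, authzid=""):
    """RFC 4616 PLAIN response: base64(authzid NUL user NUL password)."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def audit(pre_tls, post_tls):
    """Compare the EHLO reply before STARTTLS with the one after it."""
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: TLS is not enabled on this listener")
    if "AUTH" in before:
        findings.append("AUTH offered in cleartext: smtpd_tls_auth_only not in effect")
    if "AUTH" not in after:
        findings.append("no AUTH after STARTTLS: SASL off or no mechanism allowed")
    elif not after["AUTH"] & {"PLAIN", "LOGIN"}:
        findings.append("PLAIN/LOGIN not offered: filtered, e.g. by noplaintext")
    return findings
```

A plain telnet session can only produce the first reply; the second has to be captured inside TLS, for example with openssl s_client -starttls smtp followed by EHLO.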