On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:

> >But it still accepts anonymous logins:
> >postfix/smtpd[29015]: Anonymous TLS connection established
> >and the delivery goes through.
>
> Hold on a minute...  Anonymous TLS connection does *not* imply
> anonymous SASL authentication.  Anonymous TLS is normal and
> expected; it just says your client doesn't have its own
> security certificate.

More specifically, the cipher-suite selected by the client and server
does not make use of any certificates. The client was not interested
in authenticating the server, offered anonymous TLS ciphers, and the
server accepted this. Nothing wrong with this.

    $ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
    ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1

The most frequently used cipher in this context with OpenSSL 0.9.[78]
is ADH-AES256-SHA.

-- 
        Viktor.
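
The distinction drawn in this thread, as an added example that is not part of the original messages: a Python sketch that reads smtpd log lines and tracks the TLS peer status and the SASL result of each session as two separate facts. The sample log is constructed, and its layout (connect/disconnect lines, the "client=..., sasl_method=..., sasl_username=..." line) is assumed to match the reader's Postfix logging; the function names are hypothetical.

```python
import re

# Constructed sample lines (not from the thread); hosts and queue IDs are made up.
SAMPLE_LOG = """\
Jul 24 22:10:01 mx postfix/smtpd[29015]: connect from client.example[192.0.2.10]
Jul 24 22:10:01 mx postfix/smtpd[29015]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 22:10:02 mx postfix/smtpd[29015]: 4F2A81C0D3: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 24 22:10:03 mx postfix/smtpd[29015]: disconnect from client.example[192.0.2.10]
Jul 24 22:11:40 mx postfix/smtpd[29020]: connect from relay.example[198.51.100.7]
Jul 24 22:11:40 mx postfix/smtpd[29020]: Anonymous TLS connection established from relay.example[198.51.100.7]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 22:11:41 mx postfix/smtpd[29020]: 7B1C92E4A1: client=relay.example[198.51.100.7]
Jul 24 22:11:42 mx postfix/smtpd[29020]: disconnect from relay.example[198.51.100.7]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(r"^(?P<kind>\w+) TLS connection established from \S+: \S+ "
                 r"with cipher (?P<cipher>\S+)")
CLIENT = re.compile(r"^\w+: client=")
SASL = re.compile(r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+)")

def new_session(pid):
    return {"pid": pid, "tls": None, "cipher": None, "sasl_user": None, "messages": 0}

def summarize(log_text):
    """Return one record per smtpd session, in order of disconnect."""
    sessions, live = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        # An smtpd process serves one client at a time, so the PID keys the session.
        if msg.startswith("connect from "):
            live[pid] = new_session(pid)
        s = live.setdefault(pid, new_session(pid))  # tolerate a log that starts mid-session
        if (t := TLS.match(msg)):
            s["tls"], s["cipher"] = t["kind"], t["cipher"]   # certificate status only
        elif CLIENT.match(msg):
            s["messages"] += 1
            if (a := SASL.search(msg)):
                s["sasl_user"] = a["user"]                   # SASL result, logged separately
        elif msg.startswith("disconnect from "):
            sessions.append(live.pop(pid))
    sessions.extend(live.values())  # sessions still open at the end of the log
    return sessions

def mail_without_sasl(sessions):
    """PIDs of sessions that handed over mail with no SASL login, whatever the TLS status."""
    return [s["pid"] for s in sessions if s["messages"] and not s["sasl_user"]]
```

Both constructed sessions negotiate the same anonymous cipher; only the presence of sasl_username tells them apart.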