On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:
> >But it still accepts anonymous logins:
> >postfix/smtpd[29015]: Anonymous TLS connection established
> >and the delivery goes through.
>
> Hold on a minute... Anonymous TLS connection does *not* imply
> anonymous SASL authentication. Anonymous TLS is normal and
> expected; it just says your client doesn't have its own
> security certificate.
More specifically, the cipher-suite selected by the client and server
does not make use of any certificates. The client was not interested
in authenticating the server, offered anonymous TLS ciphers, and the
server accepted this. Nothing wrong with this.
$ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
The most frequently used cipher in this context with OpenSSL 0.9.[78]
is ADH-AES256-SHA.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
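The distinction drawn above, between the TLS trust level in the "TLS connection established" log line and whether a session actually carried SASL credentials, as an added example that is not part of the thread: a small Python classifier over constructed Postfix smtpd log lines that reports the TLS level and whether the negotiated cipher is an anonymous (Au=None, ADH/AECDH) suite separately from any sasl_username. The log lines, hostnames, addresses, PIDs and queue IDs are constructed sample data, not from the thread.

```python
import re

# Constructed sample lines in the shape of Postfix 2.x smtpd logging (not from the thread):
# PID 29015 negotiated an anonymous-cipher TLS session and then authenticated via SASL;
# PID 29016 presented a certificate (Untrusted = cert seen, not verified) but never authenticated.
SAMPLE_LOG = """\
Jul 24 23:00:32 mx postfix/smtpd[29015]: Anonymous TLS connection established from client.example.net[192.0.2.10]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 23:00:33 mx postfix/smtpd[29015]: 5F3A21C0: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 24 23:01:10 mx postfix/smtpd[29016]: Untrusted TLS connection established from relay.example.org[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 24 23:01:11 mx postfix/smtpd[29016]: 5F3A21C1: client=relay.example.org[198.51.100.7]
"""

# Postfix logs the peer-certificate trust level (Anonymous/Untrusted/Trusted/Verified) on the TLS line.
TLS_RE = re.compile(
    r"smtpd\[(\d+)\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (\S+): (\S+) with cipher (\S+)"
)
# SASL results appear on the separate "client=" line; the sasl_* fields are absent when no AUTH happened.
CLIENT_RE = re.compile(
    r"smtpd\[(\d+)\]: [0-9A-F]+: client=([^,\s]+)(?:, sasl_method=\S+, sasl_username=(\S+))?"
)


def is_anonymous_cipher(name):
    """OpenSSL names aNULL (Au=None) suites with an ADH- or AECDH- prefix."""
    return name.startswith(("ADH-", "AECDH-"))


def summarize_sessions(log_text):
    """Group lines by smtpd PID (fine for this sample; PIDs are reused across real sessions)."""
    sessions = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, level, client, proto, cipher = m.groups()
            s = sessions.setdefault(pid, {"sasl_username": None})
            s.update(client=client, tls_level=level, protocol=proto, cipher=cipher,
                     anonymous_cipher=is_anonymous_cipher(cipher))
            continue
        m = CLIENT_RE.search(line)
        if m:
            pid, client, user = m.groups()
            s = sessions.setdefault(pid, {"tls_level": None, "cipher": None, "anonymous_cipher": False})
            s.update(client=client, sasl_username=user)
    return sessions


if __name__ == "__main__":
    for pid, s in summarize_sessions(SAMPLE_LOG).items():
        # "Anonymous" here is about the certificate, so report SASL state independently.
        print(f"pid={pid} tls={s['tls_level']} cipher={s['cipher']} "
              f"anon_cipher={s['anonymous_cipher']} sasl_user={s['sasl_username']}")
```

Run against the sample, PID 29015 shows an Anonymous TLS session that was nonetheless SASL-authenticated as alice, while 29016 shows a certificate-bearing session with no authentication at all.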