On 04/02/2011 07:17 AM, Alex wrote:
Hi, I have a fedora14 box that I'm trying to configure for use with postfix with dovecot and TLS, permitting only TLS connections after authenticating with sasl.
What do you mean, *after* ?
It appears to mostly be working now, but mail is rejected due to "not owned by user" errors. Apr 2 01:03:54 fc14 postfix/smtpd[10284]: Anonymous TLS connection established from unknown[184.XXX.XX.223]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from unknown[184.XXX.XX.223]: 553 5.7.1<[email protected]>: Sender address rejected: not owned by user alex; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<184-XXX-XXX-223.pools.mycellphone.net>
You're not authenticated.
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders smtpd_sender_restrictions = reject_sender_login_mismatch
This rejects mail from SASL'ed clients who are not in the map AND non-SASL'ed clients who ARE in the map.
The above log line matches the latter condition, hence why it says that.
smtpd_tls_auth_only = yes
SASL is not offered before a secure connection is established.
smtpd_tls_security_level = encrypt
However, TLS is mandatory.
Are there any other options I should be concerned about with regards to security, and ensuring I don't become a relay or risk of unauthorized access?
Fix your client to properly use TLS AND THEN SASL. -- J.
