So I have TLS and AUTH working just fine in almost every email client
that I use. I have confirmed that it's encrypted, and authenticating
correctly, so my settings are OK (for those two things used together).
The problem I am having is when enabling the following feature:
smtpd_tls_auth_only = yes
So I know that it's NOT supposed to show AUTH capability until /after/
the client does STARTTLS. So the client does a STARTTLS, issues another
EHLO and according to the debugs, there /still/ is no AUTH capability
reported.
I have used the openssl client and the debug_peer parameter to confirm this
bug (or misconfiguration on my part). Note the following two examples.
1) using openssl client
2) using debug peer
===================================================================
1) using the openssl client, note after 250 DSN, STARTTLS is not
available because we're already in it, so this is the second EHLO I
manually issue, and still no AUTH:
# openssl s_client -host 10.174.4.235 -port 25 -starttls smtp
CONNECTED(00000003)
... OpenSSL Details ...
---
250 DSN
EHLO foo.example.com
250-bar.example.com
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
===================================================================
2) Using the debug_peer parameter. I am omitting most of the back end
SSL stuff. Notice the first EHLO: it initiates the STARTTLS, then the client
issues another EHLO, and the reply has no STARTTLS AND no AUTH:
connect from 6.8.8.234.pools.example.net[6.8.8.234]
smtp_stream_setup: maxtime=300 enable_deadline=0
match_hostname: 6.8.8.234.pools.example.net ~? 192.168.4.0/24
match_hostaddr: 6.8.8.234 ~? 192.168.4.0/24
match_hostname: 6.8.8.234.pools.example.net ~? 127.0.0.0/8
match_hostaddr: 6.8.8.234 ~? 127.0.0.0/8
match_list_match: 6.8.8.234.pools.example.net: no match
match_list_match: 6.8.8.234: no match
auto_clnt_open: connected to private/anvil
send attr request = connect
send attr ident = smtp:6.8.8.234
private/anvil: wanted attribute: status
input attribute name: status
input attribute value: 0
private/anvil: wanted attribute: count
input attribute name: count
input attribute value: 1
private/anvil: wanted attribute: rate
input attribute name: rate
input attribute value: 1
private/anvil: wanted attribute: (list terminator)
input attribute name: (end)
220 foo.example.org ESMTP
watchdog_pat: 0x556d0692d6e0
EHLO [29.97.162.234]
match_list_match: 6.8.8.234.pools.example.net: no match
match_list_match: 6.8.8.234: no match
250-foo.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
watchdog_pat: 0x556d0692d6e0
STARTTLS
220 2.0.0 Ready to start TLS
setting up TLS connection from 6.8.8.234.pools.example.net[6.8.8.234]
TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
send attr request = seed
... SSL STUFF ...
TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
watchdog_pat: 0x556d0692d6e0
EHLO [29.97.162.234]
match_list_match: 6.8.8.234.pools.example.net: no match
match_list_match: 6.8.8.234: no match
250-foo.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
watchdog_pat: 0x556d0692d6e0
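The two EHLO replies above (before and after STARTTLS) are exactly the pair a `smtpd_tls_auth_only` check needs to compare. The script below is an added example, not code from the original post or from Postfix: it parses EHLO replies of the form shown in the transcripts, classifies the before/after pair (AUTH leaked before TLS, AUTH missing after TLS as in this post, or correct), and can run the same comparison against a live server with `smtplib`. The pre-TLS and post-TLS replies embedded in it are copied from the debug_peer output above; the "healthy" and "leaky" replies are constructed, and the hostname in `probe_server` is a placeholder.

```python
"""Check whether an SMTP server advertises AUTH only after STARTTLS.

Added example for the smtpd_tls_auth_only discussion; not part of the
original post or of Postfix. parse_ehlo()/classify() work offline on
captured EHLO replies; probe_server() does the same against a live host.
"""
import smtplib
from typing import Dict, Set

# EHLO replies copied from the debug_peer transcript in the post.
PRE_TLS_REPLY = """
250-foo.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

POST_TLS_REPLY = """
250-foo.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: what the post-STARTTLS reply should look like once AUTH works.
POST_TLS_OK_REPLY = """
250-foo.example.org
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: the unsafe case, AUTH offered on the plaintext channel.
PRE_TLS_LEAKY_REPLY = """
250-foo.example.org
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
"""


def parse_ehlo(reply: str) -> Set[str]:
    """Return the capability keywords from an EHLO reply.

    Accepts both '250-KEYWORD [args]' continuation lines and the final
    '250 KEYWORD' line. The first 250 line carries the server's hostname,
    not a capability, so it is skipped.
    """
    lines = [ln.strip() for ln in reply.splitlines()]
    reply_lines = [ln for ln in lines if ln.startswith("250")]
    caps: Set[str] = set()
    for ln in reply_lines[1:]:
        body = ln[4:].strip()  # drop '250-' or '250 '
        if body:
            caps.add(body.split()[0].upper())
    return caps


def classify(before: Set[str], after: Set[str]) -> str:
    """Classify a (pre-STARTTLS, post-STARTTLS) capability pair.

    'auth-offered-before-tls': credentials could be sent in the clear.
    'no-starttls':             TLS never offered, nothing to compare.
    'auth-missing-after-tls':  the symptom described in the post.
    'ok':                      AUTH appears only once TLS is up.
    """
    if "AUTH" in before:
        return "auth-offered-before-tls"
    if "STARTTLS" not in before:
        return "no-starttls"
    if "AUTH" not in after:
        return "auth-missing-after-tls"
    return "ok"


def probe_server(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, Set[str]]:
    """Collect EHLO capabilities before and after STARTTLS from a live server.

    smtplib stores the parsed EHLO keywords (lowercased) in esmtp_features
    and clears them on starttls(), so a second ehlo() repopulates them.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper() for k in smtp.esmtp_features}
        smtp.starttls()
        smtp.ehlo()
        after = {k.upper() for k in smtp.esmtp_features}
    return {"before": before, "after": after}


if __name__ == "__main__":
    # Offline: evaluate the transcript from the post.
    verdict = classify(parse_ehlo(PRE_TLS_REPLY), parse_ehlo(POST_TLS_REPLY))
    print("transcript from post:", verdict)
    # Live (uncomment and point at your own server; hostname is a placeholder):
    # caps = probe_server("mail.example.invalid")
    # print(classify(caps["before"], caps["after"]))
```

Run against the transcript in the post, `classify` returns `auth-missing-after-tls`; against the constructed healthy pair it returns `ok`. As general Postfix behaviour, AUTH is only ever advertised by an smtpd instance that has `smtpd_sasl_auth_enable = yes` in effect, so that setting (including any `-o` overrides in master.cf for the service being tested) is the first thing to compare when the post-TLS EHLO stays silent.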