On 26 Jun 2016, at 15:55, E M Recio wrote:
> So I have TLS and AUTH working just fine in almost every email client
> that I use. I have confirmed that it's encrypted, and authenticating
> correctly, so my settings are OK (for those two things used together).
> The problem I am having is when enabling the following feature:
> smtpd_tls_auth_only = yes
> So I know that it's NOT supposed to show AUTH capability until /after/
> the client does STARTTLS. So the client does a STARTTLS, issues
> another EHLO and according to the debugs, there /still/ is no AUTH
> capability reported.
> I have used the openssl client, and debug peer parameter to confirm
> this bug (or misconfiguration on my part).
I'd bet on the latter, BUT since you've not included 'postconf -n'
output and the relevant lines from master.cf, no one can possibly know.
See the last section of the Postfix DEBUG_README file for more tips on
what information to include when seeking assistance from this mailing
list in the fewest number of steps. The ways that one can make AUTH not
show up are too many for random guessing to be worthwhile; narrow the
range of possibilities for us, please...
> Note the following two examples.
> 1) using openssl client
> 2) using debug peer
> ===================================================================
> 1) using the openssl client, note after 250 DSN, STARTTLS is not
> available because we're already in it, so this is the second EHLO I
> manually issue, and still no AUTH:
> # openssl s_client -host 10.174.4.235 -port 25 -starttls smtp
Why would you even WANT to support AUTH on port 25? For most systems it
only makes sense on port 587 for initial submission. On a well-run
modern mail system port 25 is only for server-to-server transport, so it
does not usually make sense to offer or support AUTH on port 25. There
is also much more AUTH brute-force attack traffic on port 25 than on 587
(because spammers are stupid) so enabling it there is like
wearing a "Kick Me" sign.
(and yes, I know 10.* is private. If that also universally meant
"unexposed" you'd have no reason to be asking this...)