Re: STARTTLS not announced?!

2013-06-16 Thread Peter
I do realize that this thread probably shouldn't be continued, however I 
see some gross misstatements here that need correcting so that someone 
browsing the thread won't be misled by them at a later time...


On 06/16/2013 01:58 AM, Benny Pedersen wrote:

>> smtpd_tls_auth_only (default: no)
>> When TLS encryption is optional in the Postfix SMTP server,
>> do not announce or accept SASL authentication over unencrypted
>> connections. 
>
> it does not say it disables auth anywhere, it just says it would not be
> possible to connect without starttls or not,

No, it disables auth until STARTTLS is established.  It has nothing to do 
with the connection.

> just because it is seldom seen in real life that anyone sends auth over
> non tls/ssl does not mean it does not work

It does not work if smtpd_tls_auth_only is set to yes.

> starttls is just for clients to use ssl/tls on port 25,

Actually clients shouldn't use port 25, and neither should you be using 
auth on port 25.  Clients will use STARTTLS on port 587, however, and 
both postfix and MUAs can be configured to use STARTTLS on any port you 
wish (via master.cf).

> email clients will not use starttls in 2013,

Seriously?  So how is an MUA intended to establish an encrypted 
connection to an MSA, then?

> since submission is the right thing anyway

Submission is a port (587) which uses the (e)smtp protocol to submit 
messages from an MUA (email client) to an MSA (email submission server) 
and can use STARTTLS for encryption.  There is no other way to do 
encryption on the submission port.

> it is still not needed to use ssl/tls to make auth work

It is if you set smtpd_tls_auth_only=yes.


Peter
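The split Peter describes (opportunistic TLS and no AUTH on the port-25 MX, TLS-only AUTH on the submission service), written out as a Postfix main.cf/master.cf fragment. This is an added example, not configuration posted by anyone in the thread or shipped with Postfix; the certificate and key paths are the ones from the original post's postconf output, the rest is standard Postfix syntax with default-style column values for the master.cf entry.

```conf
# main.cf: the port-25 MX. Opportunistic TLS, so peers that do not
# speak TLS can still deliver (many will not, as /dev/rob0 notes),
# and no SASL at all on this service.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = no

# master.cf: the submission service (port 587) for MUAs. TLS is
# mandatory, SASL is switched on only here, and AUTH is withheld
# until STARTTLS has completed.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With smtpd_tls_security_level=encrypt the smtpd_tls_auth_only line is technically redundant (the documentation text quoted in the thread says it applies when TLS is optional), but keeping it means AUTH stays TLS-only even if someone later relaxes the submission service to may. After a reload, an EHLO on port 25 should show STARTTLS and no AUTH; on port 587 it should show STARTTLS, then AUTH only after the TLS handshake.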


Re: STARTTLS not announced?!

2013-06-15 Thread Jan Kohnert
On Saturday, 15 June 2013, 04:03:44, Benny Pedersen wrote:
> Jan Kohnert wrote on 2013-06-15 03:58:
>> Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.
>
> starttls has nothing to do with auth or not

Come on, read the documentation:

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

-- 
Regards, Jan



Re: STARTTLS not announced?!

2013-06-15 Thread Benny Pedersen

Jan Kohnert wrote on 2013-06-15 10:57:

> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

Do I need to tell it in --verbose?

starttls has nothing to do with auth; just because this option has 
tls and auth in one line does not make tls/ssl needed to make auth work


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-15 Thread Jeroen Geilman

On 06/15/2013 12:13 PM, Benny Pedersen wrote:

> Jan Kohnert wrote on 2013-06-15 10:57:
>
>> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
>
> Do I need to tell it in --verbose?
>
> starttls has nothing to do with auth; just because this option has 
> tls and auth in one line does not make tls/ssl needed to make auth work




Quoted from the above documentation:

smtpd_tls_auth_only (default: no)
When TLS encryption is optional in the Postfix SMTP server, do 
not announce or accept SASL authentication over unencrypted connections. 


In other words, yes, setting this option in conjunction with 
smtpd_tls_security_level = may *requires* TLS in order to AUTH.


smtpd_tls_security_level = encrypt means the server will *reject* any 
commands that are not STARTTLS, until a TLS connection has been established.


This includes AUTH.

--
J.



Re: STARTTLS not announced?!

2013-06-15 Thread Benny Pedersen

Jeroen Geilman wrote on 2013-06-15 15:35:

> Quoted from the above documentation:
>
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server,
> do not announce or accept SASL authentication over unencrypted
> connections. 

it does not say it disables auth anywhere, it just says it would not be 
possible to connect without starttls or not; starttls on its own has 
nothing to do with auth or not

check your own logs for how many clients use starttls without auth

just because it is seldom seen in real life that anyone sends auth 
over non tls/ssl does not mean it does not work

postfix has both auth and starttls; starttls is just for clients to 
use ssl/tls on port 25; email clients will not use starttls in 2013, 
since submission is the right thing anyway

> In other words, yes, setting this option in conjunction with
> smtpd_tls_security_level = may *requires* TLS in order to AUTH.
>
> smtpd_tls_security_level = encrypt means the server will *reject* any
> commands that are not STARTTLS, until a TLS connection has been
> established.
>
> This includes AUTH.

it is still not needed to use ssl/tls to make auth work

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-15 Thread Wietse Venema
Benny Pedersen:
> Jeroen Geilman wrote on 2013-06-15 15:35:
>
>> Quoted from the above documentation:
>>
>> smtpd_tls_auth_only (default: no)
>> When TLS encryption is optional in the Postfix SMTP server,
>> do not announce or accept SASL authentication over unencrypted
>> connections. 
>
> it does not say it disables auth anywhere, 

The server does not announce or accept AUTH, therefore AUTH is disabled.

Wietse


Re: STARTTLS not announced?!

2013-06-15 Thread Benny Pedersen

wie...@porcupine.org wrote on 2013-06-15 16:13:

> The server does not announce or accept AUTH, therefore AUTH is 
> disabled.

auth does not need starttls; if auth is not announced then auth is 
disabled


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-15 Thread Wietse Venema
>> smtpd_tls_auth_only (default: no)
>> When TLS encryption is optional in the Postfix SMTP server,
>> do not announce or accept SASL authentication over unencrypted
>> connections. 

Benny Pedersen:
> auth does not need starttls; if auth is not announced then auth is 
> disabled

AUTH requires STARTTLS with smtpd_tls_auth_only=yes.

In view of your contributions in recent threads, you are one
step away from removal from this mailing list.

Wietse


STARTTLS not announced?!

2013-06-14 Thread Nabil Alsharif

Hi everyone,

I just set up postfix on my server but I'm having a problem with TLS. I 
have TLS configured, there are no errors in the log, but the server does 
not announce TLS support. Here is the relevant output from 
'postconf -n', the full output is at the end of the message:


---
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
---

Like I said, the server does not announce STARTTLS:

---
tantalum@3antar ~ % telnet sahara-sweets.com 25
Trying 176.58.120.55...
Connected to sahara-sweets.com.
Escape character is '^]'.
220 circuitsofimagination.com ESMTP
EHLO test.com
250-circuitsofimagination.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
---

Thanks everyone for your help. If there is any info that will help 
solve this issue I'd be happy to provide it.


full output from postconf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5

header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 1073741824
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = circuitsofimagination.com
myhostname = circuitsofimagination.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.9.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.9.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, 
mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

virtual_gid_maps = static:89
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = 
mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = 
mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, 
mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

virtual_minimum_uid = 89
virtual_uid_maps = static:89



Nabil Alsharif.
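The manual telnet EHLO check above, scripted as an added example (not code from the original post or from Postfix): it parses an EHLO reply into the announced capabilities, says what the presence or absence of STARTTLS and AUTH means in terms of smtpd_tls_security_level and smtpd_tls_auth_only, and against a live server repeats the EHLO after STARTTLS so that AUTH withheld in cleartext can be seen appearing once the session is encrypted. OP_TELNET_CAPTURE is the SMTP dialogue from the post; the two CONSTRUCTED_* replies, the hostname mail.example.invalid and the EHLO name probe.invalid are made up for the example.

```python
"""Check which ESMTP capabilities a server announces before and after STARTTLS.

Added example, not code from the original post or from Postfix. It scripts
the manual telnet EHLO check from the post with the standard-library smtplib
module and describes the result in terms of the two Postfix parameters
argued over in the thread, smtpd_tls_security_level and smtpd_tls_auth_only.
"""
import re
import smtplib
import ssl
from typing import Dict, Optional

# The SMTP dialogue from the telnet session in the original post.
OP_TELNET_CAPTURE = """\
220 circuitsofimagination.com ESMTP
EHLO test.com
250-circuitsofimagination.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
"""

# Constructed replies (hostname mail.example.invalid is made up): what a
# server with smtpd_tls_auth_only=yes looks like on the wire, first in
# cleartext and then inside the TLS session.
CONSTRUCTED_CLEARTEXT_REPLY = """\
250-mail.example.invalid
250-PIPELINING
250-STARTTLS
250-8BITMIME
250 DSN
"""
CONSTRUCTED_TLS_REPLY = """\
250-mail.example.invalid
250-PIPELINING
250-AUTH PLAIN LOGIN
250-8BITMIME
250 DSN
"""

_EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map the EHLO keywords in a raw reply (upper-cased) to their parameters.

    The first 250 line carries the server's domain and greeting
    (RFC 5321, 4.1.1.1), not a capability, so it is skipped; lines that
    are not part of the 250 reply (banner, commands, QUIT) are ignored.
    """
    caps: Dict[str, str] = {}
    seen_greeting = False
    for raw in reply.splitlines():
        match = _EHLO_LINE.match(raw.strip())
        if not match:
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        caps[match.group(1).upper()] = match.group(2) or ""
    return caps


def diagnose(cleartext: Dict[str, str], after_tls: Optional[Dict[str, str]]) -> str:
    """Explain the announced capabilities in terms of the Postfix settings."""
    if "STARTTLS" not in cleartext:
        return ("no STARTTLS offered: smtpd is not running with TLS enabled; "
                "check smtpd_tls_security_level and the TLS warnings in the mail log")
    if "AUTH" in cleartext:
        return ("AUTH offered on the unencrypted session: passwords can cross the "
                "wire in clear (smtpd_tls_auth_only=no)")
    if after_tls is None:
        return ("STARTTLS offered and AUTH withheld in cleartext; complete STARTTLS "
                "to see whether AUTH appears once the session is encrypted")
    if "AUTH" in after_tls:
        return ("AUTH offered only after STARTTLS: consistent with "
                "smtpd_tls_auth_only=yes")
    return "STARTTLS offered, AUTH never announced: SASL is not enabled on this smtpd"


def probe(host: str, port: int = 25, helo_name: str = "probe.invalid",
          timeout: float = 10.0) -> Dict[str, Optional[Dict[str, str]]]:
    """EHLO, then STARTTLS if offered and EHLO again; return both capability maps.

    Live network call, not exercised offline. Certificate verification is
    switched off on purpose: the question is what the server announces,
    not whether its certificate chains to a trusted CA.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo(helo_name)
        cleartext = {k.upper(): v for k, v in conn.esmtp_features.items()}
        after_tls = None
        if "STARTTLS" in cleartext:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn.starttls(context=ctx)
            conn.ehlo(helo_name)          # capabilities must be re-read after TLS
            after_tls = {k.upper(): v for k, v in conn.esmtp_features.items()}
    return {"cleartext": cleartext, "after_tls": after_tls}


if __name__ == "__main__":
    import sys
    # No arguments: diagnose the capture from the post. host [port]: live probe.
    if len(sys.argv) < 2:
        print(diagnose(parse_ehlo(OP_TELNET_CAPTURE), None))
    else:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
        print(diagnose(result["cleartext"], result["after_tls"]))
```

Run it with a host and port to repeat the check against a live server; on the capture from the post it reports that no STARTTLS is offered at all, which is a different problem from AUTH being withheld. Run it against port 587 as well as 25: the point made later in the thread is that the two services should announce different things, and the second EHLO inside the TLS session is the only way to see AUTH on a server with smtpd_tls_auth_only=yes.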


Re: STARTTLS not announced?!

2013-06-14 Thread Benny Pedersen

Nabil Alsharif wrote on 2013-06-15 01:57:

please disable html

> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

smtp_ is for sending

> smtpd_banner = $myhostname ESMTP
> smtpd_recipient_restrictions = permit_mynetworks 
> reject_unauth_destination
>
> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_auth_only = yes

this disables starttls since we are already using ssl/tls now

> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = encrypt
> smtpd_use_tls = yes


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-14 Thread Wietse Venema
Nabil Alsharif:
> Hi everyone,
> 
> I just set up postfix on my server but I'm having a problem with TLS. I 
> have TLS configured, there are no errors in the log, but the server does 
> not announce TLS support. Here is the relevant output from 
> 'postconf -n', the full output is at the end of the message:

Have you looked at all the warning messages in the maillog file?

http://www.postfix.org/DEBUG_README.html#logging

Wietse


Re: STARTTLS not announced?!

2013-06-14 Thread Nabil Alsharif

On 06/15/2013 02:38 AM, Benny Pedersen wrote:

> Nabil Alsharif wrote on 2013-06-15 01:57:
>
> please disable html

My bad..

>> smtp_tls_note_starttls_offer = yes
>> smtp_use_tls = yes
>
> smtp_ is for sending

Ok so these two options are telling Postfix to check if STARTTLS is 
offered by the peer and use TLS if available, right?

>> smtpd_banner = $myhostname ESMTP
>> smtpd_recipient_restrictions = permit_mynetworks 
>> reject_unauth_destination
>>
>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_auth_only = yes
>
> this disables starttls since we are already using ssl/tls now

huh? This part I don't quite understand. How are we disabling TLS? Where 
was it enabled before? When we said smtp_use_tls = yes?

>> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>> smtpd_tls_loglevel = 1
>> smtpd_tls_security_level = encrypt
>> smtpd_use_tls = yes






Re: STARTTLS not announced?!

2013-06-14 Thread Nabil Alsharif

On 06/15/2013 02:39 AM, Wietse Venema wrote:

> Have you looked at all the warning messages in the maillog file?

Yes I have, there are no errors or warnings. 'postfix check' doesn't 
return any warnings or errors either.




Re: STARTTLS not announced?!

2013-06-14 Thread /dev/rob0
On Sat, Jun 15, 2013 at 01:57:12AM +0200, Nabil Alsharif wrote:
> I just set up postfix on my server but I'm having a problem with 
> TLS. I have TLS configured, there are no errors in the log, but
> the server does not announce TLS support. Here is the relevant 
> output from 'postconf -n', the full output is at the
> end of the message:
> 
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

smtp_* settings control smtp(8), the SMTP client, so no, those are 
not relevant to the server's failure to announce STARTTLS. (Also, 
smtp_use_tls is deprecated, superseded by smtp_tls_security_level.)

> smtpd_banner = $myhostname ESMTP
> smtpd_recipient_restrictions = permit_mynetworks
> reject_unauth_destination

Those aren't relevant either. (I'd suggest leaving the default 
$smtpd_banner setting, however.)

> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

I'm no OpenSSL expert, but I'm pretty sure it's wrong to have your 
own server certificate and key in the same file with your CAs. See
TLS_README.html#server_tls for basic server TLS settings.

> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = encrypt

What? Do you understand what this means? It's not suitable for an 
Internet mail exchanger, because many sites will not use TLS (TLS 
isn't required for mail service.)

> smtpd_use_tls = yes

Deprecated, superseded by smtpd_tls_security_level.

> Like I said, the server does not announce STARTTLS:

What you showed us should have announced STARTTLS. I would guess the 
problem is related to the single file certificate+key+CAs. Since you 
mentioned upthread that no errors are logged, check your syslogd (try 
restarting it.) These errors would be logged.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: STARTTLS not announced?!

2013-06-14 Thread Benny Pedersen

Nabil Alsharif wrote on 2013-06-15 02:59:

>> smtp_tls_note_starttls_offer = yes
>> smtp_use_tls = yes
>
> smtp_ is for sending
>
> Ok so these two options are telling Postfix to check if STARTTLS is
> offered by the peer and use TLS if available, right?

correct

>> smtpd_banner = $myhostname ESMTP
>> smtpd_recipient_restrictions = permit_mynetworks 
>> reject_unauth_destination
>>
>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_auth_only = yes
>
> this disables starttls since we are already using ssl/tls now
>
> huh? This part I don't quite understand. How are we disabling TLS?
> Where was it enabled before? When we said smtp_use_tls = yes?

it does not disable tls/ssl, but it removes starttls in a plain 
connection without tls/ssl

smtpd vs smtp confusion?

with that setting all smtpd_ clients must use tls or ssl

>> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>> smtpd_tls_loglevel = 1
>> smtpd_tls_security_level = encrypt
>> smtpd_use_tls = yes

note here it's the receiving part of postfix, not sending

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-14 Thread Benny Pedersen

/dev/rob0 wrote on 2013-06-15 03:22:

> What you showed us should have announced STARTTLS. I would guess the
> problem is related to the single file certificate+key+CAs. Since you
> mentioned upthread that no errors are logged, check your syslogd (try
> restarting it.) These errors would be logged.

starttls has nothing to do with self-signers

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-14 Thread Jan Kohnert
On Saturday, 15 June 2013, 03:45:02, Benny Pedersen wrote:
> Nabil Alsharif wrote on 2013-06-15 02:59:
>>> smtpd_tls_auth_only = yes
>>
>> this disables starttls since we are already using ssl/tls now
>>
>> huh? This part I don't quite understand. How are we disabling TLS?
>> Where was it enabled before? When we said smtp_use_tls = yes?
>
> it does not disable tls/ssl, but it removes starttls in a plain
> connection without tls/ssl

Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.

-- 
Regards, Jan



Re: STARTTLS not announced?!

2013-06-14 Thread Benny Pedersen

Jan Kohnert wrote on 2013-06-15 03:58:

> Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.

starttls has nothing to do with auth or not

auth users can still send plain passwords over unsecured smtpd client 
connections; starttls just secures their passwords, so tcpdumpers can't 
see them

postfix still announces auth on port 25 with sasl disabled in main.cf; 
here I have only sasl on submission / smtps

bug?

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


Re: STARTTLS not announced?!

2013-06-14 Thread /dev/rob0
On Sat, Jun 15, 2013 at 03:45:02AM +0200, Benny Pedersen wrote:
> Nabil Alsharif wrote on 2013-06-15 02:59:
> 
>> smtp_tls_note_starttls_offer = yes
>> smtp_use_tls = yes
> 
> smtp_ is for sending
> Ok so these two options are telling Postfix to check if STARTTLS 
> is offered by the peer and use TLS if available, right?
> 
> correct

smtp_tls_note_starttls_offer means to note (i.e., log) when a remote 
server offers STARTTLS. smtp_use_tls=yes is the same as (replaced 
by) smtp_tls_security_level=may. All of these are covered in the 
TLS_README.html (except for the deprecated settings, of course.)

And none of this is relevant to the $SUBJECT at hand.

>> smtpd_banner = $myhostname ESMTP
>> smtpd_recipient_restrictions = permit_mynetworks
>> reject_unauth_destination
>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_auth_only = yes
> 
> this disables starttls since we are already using ssl/tls now

Wrong, Benny. See postconf.5.html#smtpd_tls_auth_only and the 
correction posted by Jan, with which you tried to argue.

> huh? This part I don't quite understand. How are we
> disabling TLS?

We're not. That was wrong.

> Where was it enabled before? When we said smtp_use_tls = yes?

That deprecated setting is not relevant.

> it does not disable tls/ssl, but it removes starttls in a plain
> connection without tls/ssl

Also wrong.

> smtpd vs smtp confusion?
> 
> with that setting all smtpd_ clients must use tls or ssl

With smtpd_tls_security_level=encrypt, yes; not with 
smtpd_tls_auth_only=yes. Wrong and misleading posts will not help.

I think the OP will have to fix the logging problem before we can 
solve this issue.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: STARTTLS not announced?!

2013-06-14 Thread Benny Pedersen

/dev/rob0 wrote on 2013-06-15 05:27:

> I think the OP will have to fix the logging problem before we can
> solve this issue.

it would be relatively simple to use more default settings, if the OP is 
unsure what to do

sorry if I wrote it such that it could be misunderstood :(

--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it