SMTP AUTH, TLS, simplest way?
[This message has also been posted to linux.debian.user.]
I've got Postfix with amavis-new and Spamassassin,
and my LAN users access email via Dovecot's IMAP/S.
All working well, using the Etch packages.
Now I'll need to support a couple of mobile users. They'll
be connecting at insecure wi-fi hotspots, and need to
send through my Postfix. Typical windows and Linux clients:
MS-OE, Thunderbird, etc.
Packages installed include
libssl-dev libssl0.9.7 libssl0.9.8 openssl ssl-cert
libgnutls-dev libgnutls11 libgnutls13
dovecot-common dovecot-imapd dovecot-pop3d
postfix
libsasl2 libsasl2-2 libsasl2-dev libsasl2-modules sasl2-bin
I made a local cert and key with openssl, and tested
them. The relevant stanza from master.cf is
submission inet n - n - - smtpd
  -o smtpd_use_tls=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_key_file=/etc/postfix/postfix_private_key.pem
  -o smtpd_tls_cert_file=/etc/postfix/postfix_public_cert.pem
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
When I send through an SMTP+TLS client, Kmail, this appears in
the Postfix log:
Jul 27 10:22:00 hostname postfix/smtpd[4892]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Jul 27 10:22:00 hostname postfix/smtpd[4892]: connect from myotherdomain.org[66.159.nnn.nnn]
Jul 27 10:22:01 hostname postfix/smtpd[4892]: lost connection after UNKNOWN from myotherdomain.org[66.159.nnn.nnn]
Jul 27 10:22:01 hostname postfix/smtpd[4892]: disconnect from myotherdomain.org[66.159.nnn.nnn]
The error dialog from Kmail says:
Sending failed:
Your SMTP server does not support authentication.
The server responded: "5.5.2 Error: command not recognized"
The message will stay in the 'outbox' folder until you either
fix the problem (e.g. a broken address) or
remove the message from the 'outbox' folder.
The following transport protocol was used:
send via TLS submission on hostname
Obviously I'm missing something. My first thought was "get SASL support,"
but I don't see a separate postfix package for that. postconf -a says
cyrus
dovecot
postconf | egrep '(^tls|^smtpd_tls|smtpd_sasl)' says
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${queue_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
/etc/postfix/sasl/smtpd.conf contains:
# Global parameters
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
So what did I miss?
tx
Cameron
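The submission stanza in the post is meant to offer STARTTLS in the clear, withhold AUTH until TLS is up (smtpd_tls_auth_only=yes), and then announce the SASL mechanisms, with broken_sasl_auth_clients=yes adding the old-style AUTH= line for clients such as Outlook Express. A direct way to see what the server really advertises at each stage, added here as an example and not code from the original post, is to walk the EHLO / STARTTLS / EHLO exchange with Python's smtplib and compare the two feature lists. The hostname, port and CA-file arguments are assumptions, the EHLO replies embedded in the script are constructed rather than captured, and parse_ehlo is a hypothetical helper for replies copied from a capture or log.

```python
"""Check what a Postfix submission service advertises before and after STARTTLS.

Added example, not code from the original post. It encodes the behaviour the
master.cf stanza above is meant to give: STARTTLS offered in the clear, AUTH
only once TLS is up, with PLAIN and LOGIN among the mechanisms.
"""
import re
import smtplib
import ssl


def parse_ehlo(text):
    """Turn a raw multi-line EHLO reply into {keyword: params}, keyword lowercased.

    Hypothetical helper for replies pasted from a capture; it mirrors the shape
    of smtplib's esmtp_features so evaluate() accepts either source. The
    "AUTH=PLAIN LOGIN" variant that broken_sasl_auth_clients=yes produces is
    folded into the same "auth" entry as the standard "AUTH PLAIN LOGIN" line.
    """
    feats = {}
    for line in text.splitlines()[1:]:          # line 0 is "250-hostname", not a feature
        line = line.strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()                  # drop "250-" or "250 "
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9-]*)=?\s*(.*)", body)
        if not m:
            continue
        name, params = m.group(1).lower(), m.group(2)
        if name == "auth":
            feats[name] = (feats.get(name, "") + " " + params).strip()
        else:
            feats[name] = params
    return feats


def evaluate(pre_tls, post_tls):
    """Compare the clear-text and in-TLS feature sets; returns [(ok, description)]."""
    mechs = set(post_tls.get("auth", "").upper().split())
    return [
        ("starttls" in pre_tls, "STARTTLS advertised before TLS"),
        ("auth" not in pre_tls, "AUTH withheld until TLS is up (smtpd_tls_auth_only=yes)"),
        ("auth" in post_tls, "AUTH advertised after STARTTLS"),
        (bool(mechs & {"PLAIN", "LOGIN"}), "PLAIN or LOGIN offered for simple clients"),
    ]


def all_ok(findings):
    return all(ok for ok, _ in findings)


def probe(host, port=587, cafile=None, helo="probe.example.invalid"):
    """Live check: EHLO, STARTTLS, EHLO again.

    cafile may point at the server's own self-signed certificate so the TLS
    handshake is verified against it instead of the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo(helo)
        pre = dict(s.esmtp_features)
        post = {}
        if "starttls" in pre:
            s.starttls(context=ctx)
            s.ehlo(helo)                         # features are re-announced inside TLS
            post = dict(s.esmtp_features)
    return evaluate(pre, post)


# Constructed EHLO replies standing in for a live session (not a real capture).
CLEAR_REPLY = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

TLS_REPLY = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # python3 probe.py host [cafile]
        findings = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        findings = evaluate(parse_ehlo(CLEAR_REPLY), parse_ehlo(TLS_REPLY))
    for ok, desc in findings:
        print(("ok  " if ok else "FAIL"), desc)
```

Run with no arguments it evaluates the constructed replies; given a hostname (and optionally the path of the server's public cert as CA file) it talks to port 587 for real. A "FAIL" on the third line means the server never announces AUTH inside TLS at all, which is the situation the smtpd warning in the log and the Kmail "does not support authentication" dialog both describe, so it separates a client-side problem from a server that is simply not offering SASL.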