Re: postfix ldap sasl digest-md5 and external clients

From: Dennis Matotek (no email)
Date: Mon Sep 12 2005 - 20:26:00 EDT

  • Next message: Dennis Matotek: "Re: postfix ldap sasl digest-md5 and external clients"

    You are right, it is the client. Both scenarios are evolution clients
    (2.0.4) on the same machine (external going out through a separate
    network to the external side of the smtp). Internally it works fine,
    externally it is borked!

    But since then I have tested with Outlook and mozilla clients and they
    work fine. Except that I have to change some of the security features
    I wanted to have.

    In main.cf I had to remove the following to get outlook to work:
    #smtpd_helo_restrictions = check_helo_access
    hash:/etc/postfix/helo_access,reject_invalid_hostname,reject_non_fqdn_hostname
    and change:
    smtpd_helo_required = yes to no

    How can I make this as secure as possible without restricting the
    clients I can use (outlook refused to send a fully qualified domain
    name)? What are the implications of the current settings? What should
    I change? I thought evolution used standards when it came to smtp,
    does anyone know why it is so screwed?

    ------------------- postconf -n ----------------------
    alias_maps = hash:/etc/postfix/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[localhost]:10024
    daemon_directory = /usr/lib/postfix
    delay_warning_time = 4h
    html_directory = /usr/share/doc/postfix-2.1.5/html
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 31457280
    myhostname = mail.utiba.com.au
    mynetworks = 192.168.0.0/16, 172.16.0.0/29, 127.0.0.0/8, 202.45.117.231/32
    mynetworks_style = subnet
    myorigin = utiba.com.au
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
    relay_domains = utiba.com,utiba.com.au,cpc.net.au,mobilemadness.com.au
    sample_directory = /usr/share/doc/postfix-2.1.5/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_use_tls = yes
    smtpd_banner = Dont make me hit you..
    smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = no
    smtpd_helo_required = no
    smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
    smtpd_sasl_security_options = noanonymous,noplaintext
    smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/postfix/smtpd.key
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 450
    virtual_alias_maps = hash:/etc/postfix/virtual
    ----------------------------------------

    Thanks very much,
    Den
    On 9/13/05, Andreas Winkelmann <> wrote:
    > Am Monday 12 September 2005 01:41 schrieb Dennis Matotek:
    >
    >
    > > log of successful internal client
    >
    > >f-8 Sep 12 09:15:02 scan1 postfix/smtpd[32470]: SASL authentication misc:
    > > DIGEST-MD5 server step 2
    > > Sep 12 09:15:02 scan1 postfix/smtpd[32470]: smtpd_sasl_authenticate:
    > > uncoded challenge: rspauth=cd10edd3544b63793111e50d7a2895b4
    > > Sep 12 09:15:02 scan1 postfix/smtpd[32470]: > unknown[192.168.1.30]:
    > > 334 cnNwYXV0aD1jZDEwZWRkMzU0NGI2Mzc5MzExMWU1MGQ3YTI4OTViNA==
    > > Sep 12 09:15:02 scan1 postfix/smtpd[32470]: vstream_fflush_some: fd 20
    > > flush 62 Sep 12 09:15:02 scan1 postfix/smtpd[32470]: vstream_buf_get_ready:
    > > fd 20 got 2 Sep 12 09:15:02 scan1 postfix/smtpd[32470]: <
    > > unknown[192.168.1.30]: Sep 12 09:15:02 scan1 postfix/smtpd[32470]:
    > > smtpd_sasl_authenticate: decoded response:
    > > Sep 12 09:15:02 scan1 postfix/smtpd[32470]: > unknown[192.168.1.30]:
    > > 235 Authentication successful
    > > ---------------end----------------
    > >
    > > unsucessful external client (same username and password)
    > > ------------unsuccessful-------
    >
    > >-8 Sep 12 09:19:50 scan1 postfix/smtpd[32519]: SASL authentication misc:
    > > DIGEST-MD5 server step 2
    > > Sep 12 09:19:50 scan1 postfix/smtpd[32519]: >
    > > dsl-202-45-117-231.VIC.netspace.net.au[202.45.117.231]: 535 Error:
    > > authentication failed
    > > Sep 12 09:19:50 scan1 postfix/smtpd[32519]: watchdog_pat: 0x8085cd0
    > > Sep 12 09:19:50 scan1 postfix/smtpd[32519]: vstream_fflush_some: fd 20
    > > flush 34 ---------------end---------------
    >
    > What is the difference on the Client-Side? Internal / External.
    > Did you test another MUA? AFAIR Mutt has in early Versions problems with a
    > MD5-Mechanism.
    >
    > --
    > Andreas
    >


  • Next message: Dennis Matotek: "Re: postfix ldap sasl digest-md5 and external clients"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD