Re: postfix almost configured but ..

From: David Ballano (no email)
Date: Wed Sep 24 2008 - 16:28:21 EDT

  • Next message: mouss: "Re: postfix almost configured but .."

    2008/9/24 mouss <>:
    > David Ballano wrote:
    >>
    >> Hello everybody,
    >>
    >>
    >>
    >> I have almost setup my postfix, that's what I've done.
    >>
    >> configured postfix with TLS SASL2 via pam (saslauthd) with virtual
    >> domains and unix accounts that's my main.cf
    >>
    >>
    >> --------------------------------------------------------------------
    >> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    >>
    >>
    >> # Debian specific: Specifying a file name will cause the first
    >> # line of that file to be used as the name. The Debian default
    >> # is /etc/mailname.
    >> #myorigin = /etc/mailname
    >>
    >> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    >> biff = no
    >>
    >> # appending .domain is the MUA's job.
    >> append_dot_mydomain = no
    >>
    >> # Uncomment the next line to generate "delayed mail" warnings
    >> #delay_warning_time = 4h
    >>
    >> # TLS parameters
    >> smtpd_tls_cert_file=/etc/ssl/certs/server.crt
    >> smtpd_tls_key_file=/etc/ssl/certs/server.key
    >>
    >> smtpd_use_tls=yes
    >> smtpd_tls_auth_only=yes
    >> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    >> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    >>
    >> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    >> # information on enabling SSL in the smtp client.
    >>
    >> myhostname = orion.ballano.net
    >> alias_maps = hash:/etc/aliases
    >> alias_database = hash:/etc/aliases
    >> #myorigin = /etc/mailname
    >> mydestination = orion.ballano.net, localhost.ballano.net, localhost
    >> relayhost =
    >> mynetworks = 127.0.0.0/8
    >> mailbox_size_limit = 0
    >> recipient_delimiter = +
    >> inet_interfaces = all
    >>
    >> home_mailbox = Maildir/
    >> virtual_alias_domains = ballano.net
    >> virtual_alias_maps = hash:/etc/postfix/virtual
    >>
    >> smtpd_sasl_path = smtpd
    >> smtpd_sasl_auth_enable = yes
    >> smtpd_sasl_security_options = noanonymous
    >> smtpd_recipient_restrictions = permit_mynetworks,
    >>     permit_sasl_authenticated, reject_unauth_destination
    >>
    >> ----------------------------------------------------------------------------------
    >>
    >> my virtual file:
    >>
    >> ---------------------------------------------------
    >> cat /etc/postfix/virtual
    >>
    >> ---------------------------------------------------------
    >>
    >> and my smtpd.conf file
    >> ----------------------------------------------------------
    >> pwcheck_method: saslauthd
    >> mech_list: plain login
    >> ----------------------------------------------------------
    >>
    >>
    >> I even installed courier-pop-ssl with my certificates and it is working ok.
    >>
    >> but here is something I think is not going ok. with this method of
    >> auth saslauth I read that only I can use plain and login mech's but
    >> that's no problem because I configured tls for smtp.
    >>
    >> but what happens if some client doesn't use tls?
    >
    > They will not see the AUTH keyword, so they won't have the opportunity to
    > send a login:password.
    >
    >> I tried, and without
    >> tls can't send mail to other domains (relay access denied), but I can
    >> send mails to myself is that normal?
    >
    > anybody can send mail to any domain hosted on your postfix. otherwise, how
    > would I send you mail? reject_unauth_destination denies relay, not inbound
    > mail.
    >
    >> I'm a bit confused because if
    >> some client doesn't use tls someone can get passwords
    >
    > which passwords? your setup requires TLS for authentication. you can check
    > that with telnet:
    >
    > $ telnet correo.ballano.net 25
    > Trying 66.197.149.93...
    > Connected to correo.ballano.net.
    > Escape character is '^]'.
    > 220 orion.ballano.net ESMTP Postfix (Debian/GNU)
    > EHLO imlil.netoyen.net
    > 250-orion.ballano.net
    > 250-PIPELINING
    > 250-SIZE 10240000
    > 250-VRFY
    > 250-ETRN
    > 250-STARTTLS
    > 250-ENHANCEDSTATUSCODES
    > 250-8BITMIME
    > 250 DSN
    > quit
    > 221 2.0.0 Bye
    > Connection closed by foreign host.
    >
    > but with TLS:
    > $ openssl s_client -starttls smtp -connect correo.ballano.net:25
    > ...
    > EHLO imlil.netoyen.net
    > 250-orion.ballano.net
    > 250-PIPELINING
    > 250-SIZE 10240000
    > 250-VRFY
    > 250-ETRN
    > 250-AUTH LOGIN PLAIN
    > 250-ENHANCEDSTATUSCODES
    > 250-8BITMIME
    > 250 DSN
    > quit
    > 221 2.0.0 Bye
    > ...
    >

    ok, now I understand, so if someone doesn't use TLS, my server doesn't
    show the AUTH keyword (like I can see above) and they can't put a user
    and pass.
    but with tls smtp accepts AUTH
    >
    >
    >> and send mails
    >> not outside but inside.
    >>
    >> is there a solution for that?,
    >
    > There is no problem.
    >
    >> maybe telling postfix always to use
    >> tls, and if client not use tls reject the email, how?
    >
    > you want to get mail from the public internet or is this a private mail
    > server? if this is a public server, you can't require TLS.

    it is a public server, I mean I get mails from the internet, and people can
    use it from outside.
    so tls is required, isn't it?

    >
    >>
    >> thank you guys, I'm learning a lot with your help.
    >> David.
    >>
    >> PD: here is my postconf -n by the way...
    >>
    >> orion:~# postconf -n
    >> alias_database = hash:/etc/aliases
    >> alias_maps = hash:/etc/aliases
    >> append_dot_mydomain = no
    >> biff = no
    >> config_directory = /etc/postfix
    >> home_mailbox = Maildir/
    >> inet_interfaces = all
    >> mailbox_size_limit = 0
    >> mydestination = orion.ballano.net, localhost.ballano.net, localhost
    >> myhostname = orion.ballano.net
    >> mynetworks = 127.0.0.0/8
    >> recipient_delimiter = +
    >> relayhost =
    >> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    >> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    >> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    >> smtpd_sasl_auth_enable = yes
    >> smtpd_sasl_path = smtpd
    >> smtpd_sasl_security_options = noanonymous
    >> smtpd_tls_auth_only = yes
    >> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
    >> smtpd_tls_key_file = /etc/ssl/certs/server.key
    >> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    >> smtpd_use_tls = yes
    >> virtual_alias_domains = ballano.net
    >> virtual_alias_maps = hash:/etc/postfix/virtual
    >
    >
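
The telnet and `openssl s_client` comparison in this message can be automated. The following is an added example, not part of the original post: it parses the two EHLO replies (abridged here from the ones quoted above) and reports whether AUTH is reachable only after STARTTLS. The names `ehlo_keywords`, `audit` and `probe` are hypothetical; `probe` is a live variant built on Python's `smtplib`.

```python
import smtplib

# Constructed sample input: abridged from the two EHLO replies quoted in the thread.
PLAIN_EHLO = """250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 DSN"""
TLS_EHLO = """250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-AUTH LOGIN PLAIN
250 DSN"""

def ehlo_keywords(reply):
    """Return the set of upper-cased ESMTP keywords in a multi-line 250 reply."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    keywords = set()
    for line in lines[1:]:          # the first line is the server's hostname
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("not an EHLO reply line: %r" % line)
        words = line[4:].split()
        if words:
            # "AUTH=LOGIN PLAIN" is a legacy spelling some servers also emit
            keywords.add(words[0].split("=")[0].upper())
    return keywords

def audit(before_tls, after_tls):
    """Compare keyword sets seen before and after STARTTLS; return findings."""
    findings = []
    if "AUTH" in before_tls:
        findings.append("AUTH offered in cleartext; set smtpd_tls_auth_only = yes")
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered; clients cannot reach AUTH")
    elif "AUTH" not in after_tls:
        findings.append("AUTH not offered after STARTTLS; check SASL settings")
    return findings

def probe(host, port=25):
    """Live variant: collect both keyword sets from a server you operate."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = {k.upper() for k in s.esmtp_features}
        after = set()
        if s.has_extn("starttls"):
            s.starttls()            # upgrade the session, then re-issue EHLO
            s.ehlo()
            after = {k.upper() for k in s.esmtp_features}
    return before, after
```

`audit(ehlo_keywords(PLAIN_EHLO), ehlo_keywords(TLS_EHLO))` returns an empty list for the configuration in this thread; `audit(*probe(host))` runs the same check against a live server.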

