SASL configuration woes

SASL configuration woes

Stephen Holmes-2
Hi PostFixers,

I'm now running postfix/dovecot/mysql in SUSE Linux Enterprise 10 SP2
and I wanted to secure the SMTP connections.  I've tried to follow one
or more tutorials, but so far to no avail.  The server is up and running
and Thunderbird seems to use SMTP over TLS but when I issue a telnet
localhost 25 I get...

220 mail.gallopinggreen.com NO UCE ESMTP
EHLO localhost
250-mail.gallopinggreen.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I can see the STARTTLS, but not the AUTH statements.  My postconf output
is...

biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_process_limit = 3
html_directory = /usr/share/doc/packages/postfix23/html
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = gallopinggreen.com
myhostname = mail.gallopinggreen.com
mynetworks = 172.17.3.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix23/README_FILES
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_delay_reject = no
smtpd_error_sleep_time = 60
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,
    reject_rbl_client list.dsbl.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 60
smtpd_tls_CAfile = /etc/SSL/gallopinggreen.com.cacert
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/SSL/gallopinggreen.com.cert
smtpd_tls_key_file = /etc/SSL/gallopinggreen.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql/transport-maps.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual-alias-maps.cf
virtual_gid_maps = static:vmail
virtual_mailbox_base = /vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual-mailbox-maps.cf
virtual_minimum_uid = 5000
virtual_uid_maps = static:vmail

Is there anything wrong here that you gurus can see?  Thanks for your
help and guidance to date!
Steve.


--
s  t  e  p  h  e  n     h  o  l  m  e  s
stephen [at] gallopinggreen [dot] com

cell: +353 86 833 5027
skype: stephen.holmes
twitter: nonsequitir
web: http://www.gallopinggreen.com

Re: SASL configuration woes

Jorey Bump
Stephen Holmes wrote, at 10/03/2008 11:44 AM:

> Hi PostFixers,
>
> I'm now running postfix/dovecot/mysql in SUSE Linux Enterprise 10 SP2
> and I wanted to secure the SMTP connections.  I've tried to follow one
> or more tutorials, but so far to no avail.  The server is up and running
> and Thunderbird seems to use SMTP over TLS but when I issue a telnet
> localhost 25 I get...
>
> 220 mail.gallopinggreen.com NO UCE ESMTP
> EHLO localhost
> 250-mail.gallopinggreen.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> I can see the STARTTLS, but not the AUTH statements.  My postconf output
> is..

> smtpd_tls_auth_only = yes

You've wisely configured postfix to offer AUTH only via STARTTLS, so it
won't appear until the session is renegotiated and encrypted. telnet is
not up to troubleshooting this task. You've confirmed with a client that
it works, but you can also use openssl:

 openssl s_client -starttls smtp -debug -connect localhost:25

Re: SASL configuration woes

Stephen Holmes-2
Jorey Bump wrote:

> You've wisely configured postfix to offer AUTH only via STARTTLS, so it
> won't appear until the session is renegotiated and encrypted. telnet is
> not up to troubleshooting this task. You've confirmed with a client that
> it works, but you can also use openssl:
>
>  openssl s_client -starttls smtp -debug -connect localhost:25
>
Doh!  That makes sense.  Looks good.   Thanks Jorey.  Issued the command
and now see AUTH PLAIN and AUTH=PLAIN.  I guess that's okay?  Should I
have more authentication types?

Steve.


Re: SASL configuration woes

Barney Desmond
Stephen Holmes wrote:
> Doh!  That makes sense.  Looks good.   Thanks Jorey.  Issued the command
> and now see AUTH PLAIN and AUTH=PLAIN.  I guess that's okay?  Should I
> have more authentication types?

There's no real need. Unencrypted auth is no good over a clear channel,
but adding TLS fixes that.
Re: SASL configuration woes

Jorey Bump
Stephen Holmes wrote, at 10/03/2008 12:01 PM:

> Jorey Bump wrote:
>> You've wisely configured postfix to offer AUTH only via STARTTLS, so it
>> won't appear until the session is renegotiated and encrypted. telnet is
>> not up to troubleshooting this task. You've confirmed with a client that
>> it works, but you can also use openssl:
>>
>>  openssl s_client -starttls smtp -debug -connect localhost:25
>>
> Doh!  That makes sense.  Looks good.   Thanks Jorey.  Issued the command
> and now see AUTH PLAIN and AUTH=PLAIN.  I guess that's okay?  Should I
> have more authentication types?

You might want to add LOGIN, at the very least. That's usually enough to
get widespread support.

Your backend will determine if it's worth supporting more secure
mechanisms. Patrick Ben Koetter posted an excellent summary earlier
today, so I won't repeat it (search the archive for "Trouble setting up
SASL authentication with postfix").

Note that if you do add secure mechanisms that don't require encryption,
you can offer them even without TLS. In this case, you would use a
combination of settings:

smtpd_tls_auth_only = no
# Restrict mechanisms offered without TLS
smtpd_sasl_security_options = noanonymous, noplaintext
# Restrict mechanisms offered with TLS
smtpd_sasl_tls_security_options = noanonymous

If you support the mechanisms PLAIN LOGIN CRAM-MD5 DIGEST-MD5, for
example, this will only show CRAM-MD5 DIGEST-MD5 when unencrypted, but
offer all of them with STARTTLS.

Of course, this is only as secure as the mechanisms themselves, so
there's no harm in continuing to require STARTTLS for all mechanisms. I
mention it only to show the flexibility available in case you have
troublesome clients and want to remain as secure as possible.
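The two checks discussed in this thread, the openssl STARTTLS probe and the rule that plaintext mechanisms (PLAIN, LOGIN) must only appear after the session is encrypted, can be automated. The following is an added example, not code from the thread or from Postfix; the EHLO responses in it are constructed, the `probe()` function is a hypothetical live check against a host and port of your choosing, and the finding strings are my own wording.

```python
import re
import smtplib
import ssl

# Mechanisms that transmit the credential itself; Postfix's "noplaintext"
# option withholds these, so they must appear only after STARTTLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Matches the RFC form "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN" line that
# broken_sasl_auth_clients = yes adds. The "250-" prefix is optional so the bare
# keyword lines returned by smtplib.SMTP.ehlo() parse as well.
_AUTH_LINE = re.compile(r"^(?:250[- ])?AUTH[ =](.*)$", re.IGNORECASE)

def auth_mechs(ehlo_lines):
    """Return the set of SASL mechanism names advertised in an EHLO response."""
    mechs = set()
    for line in ehlo_lines:
        m = _AUTH_LINE.match(line.strip())
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(pre_tls_lines, post_tls_lines):
    """Compare the AUTH offer before and after STARTTLS and list findings."""
    before, after = auth_mechs(pre_tls_lines), auth_mechs(post_tls_lines)
    findings = []
    leaked = sorted(before & PLAINTEXT_MECHS)
    if leaked:
        findings.append("plaintext mechanisms offered without TLS: " + " ".join(leaked))
    if not after:
        findings.append("no AUTH after STARTTLS: check smtpd_sasl_* and the dovecot auth socket")
    elif not before:
        findings.append("AUTH offered only after STARTTLS (smtpd_tls_auth_only = yes behaviour)")
    return {"before": before, "after": after, "findings": findings}

def probe(host="localhost", port=25):
    """Hypothetical live check: EHLO, STARTTLS, EHLO again, then audit both responses."""
    # Like openssl s_client, this inspects capabilities only; certificate trust
    # is a separate check, so a self-signed test certificate does not abort it.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        pre = smtp.ehlo()[1].decode("utf-8", "replace").splitlines()
        smtp.starttls(context=ctx)
        post = smtp.ehlo()[1].decode("utf-8", "replace").splitlines()
    return audit(pre, post)

# Constructed samples modelled on the thread: no AUTH in the clear, PLAIN (and the legacy AUTH= line) after STARTTLS.
EHLO_CLEAR = ["250-mail.example.test", "250-PIPELINING", "250-STARTTLS", "250 DSN"]
EHLO_TLS = ["250-mail.example.test", "250-AUTH PLAIN", "250-AUTH=PLAIN", "250 DSN"]
```

Run `audit(EHLO_CLEAR, EHLO_TLS)` to see the thread's original setup classified, or `probe()` against a test server to compare what it offers in the clear with what it offers after STARTTLS.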

Re: SASL configuration woes

Stephen Holmes-2
Jorey/Barney: thanks for your help, you guys rock!


S.
