SMTP Authentication without Encryption


SMTP Authentication without Encryption

Stephan Brauss
Hi!

The SMTP server of my ISP requires authentication (user/password), but
I do not want to use SASL and SSL/TLS.
Is it possible to have a plain text/unencrypted connection but still use
authentication? - I tried with various settings in main.cf but without
success. I do not manage to get authentication without encryption.

Thanks & best regards,
Stephan

Re: SMTP Authentication without Encryption

Stephan Brauss
Hi!

Yes, the ISP supports auth without SSL/TLS, but how can I configure
postfix to use it? - I mean in all settings I can find, auth is always
linked to SASL SSL/TLS.

Cheers
Stephan


On 12.07.2017 at 15:53, Gilberto Nunes wrote:

> Hi
>
> AFAIK your isp must support auth methods other than SSL/TLS
>
> Cheers
>
>
> Thank you
>
> Kind regards
>
>
> Gilberto Ferreira
>
>
>     Linux IT Consultant | IaaS Proxmox, CloudStack, KVM | Zentyal Server
>     | Zimbra Mail Server
>
> (47) 3025-5907
> (47) 99676-7530
>
> Skype: gilberto.nunes36
>
>
> konnectati.com.br <http://www.konnectati.com.br/>
>
>
> https://www.youtube.com/watch?v=dsiTPeNWcSE
>
>
>
> 2017-07-12 10:48 GMT-03:00 Stephan Brauss <[hidden email]
> <mailto:[hidden email]>>:
>
>     Hi!
>
>     The SMTP server of my ISP requires authentication (user/password),
>     but I do not want to use SASL and SSL/TLS.
>     Is it possible to have a plain text/unencrypted connection but still
>     use authentication? - I tried with various settings in main.cf
>     but without success. I do not manage to get
>     authentication without encryption.
>
>     Thanks & best regards,
>     Stephan
>
>

Re: SMTP Authentication without Encryption

Stephan Brauss
In reply to this post by Stephan Brauss
Hi!

 > Can you send us what conf do you use? Part of your main.cf
These are the parameters I played with:
relayhost = [smtp.hispeed.ch]:587
#relayhost = [smtp.hispeed.ch]:25
smtp_sasl_auth_enable = no
smtp_use_tls = no
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_tls_CAfile = /etc/mail/certs/cacert.pem
smtp_sasl_tls_security_options = noanonymous

The only place I found where I can place user/password is in the file
referred to by smtp_sasl_password_maps. But this is SASL related, or am I
wrong?

 > …why?  This seems like an incredibly bad idea.
sure... where from have you your certificate?

Thanks!
Stephan


Re: SMTP Authentication without Encryption

gilbertoferreira
Here I am using Google ( smtp.gmail.com )

relayhost = smtp.gmail.com


smtp_tls_security_level = may
smtp_tls_key_file  = /etc/postfix/sasl/postfix.pem
smtp_tls_cert_file = /etc/postfix/sasl/postfix.pem

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

In sasl_passwd I set this:

smtp.gmail.com myuser:mypassword

Do not forget to run postmap on sasl_passwd in order to generate sasl_passwd.db, since Postfix does not read sasl_passwd itself, as you may know...

Thank you

Kind regards


Gilberto Ferreira

Linux IT Consultant | IaaS Proxmox, CloudStack, KVM | Zentyal Server | Zimbra Mail Server

(47) 3025-5907
(47) 99676-7530


2017-07-12 11:18 GMT-03:00 Stephan Brauss <[hidden email]>:
> Hi!
>
> > Can you send us what conf do you use? Part of your main.cf
> These are the parameters I played with:
> relayhost = [smtp.hispeed.ch]:587
> #relayhost = [smtp.hispeed.ch]:25
> smtp_sasl_auth_enable = no
> smtp_use_tls = no
> #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> #smtp_tls_CAfile = /etc/mail/certs/cacert.pem
> smtp_sasl_tls_security_options = noanonymous
>
> The only place I found where I can place user/password is in the file referred to by smtp_sasl_password_maps. But this is SASL related, or am I wrong?
>
> > …why?  This seems like an incredibly bad idea.
> sure... where from have you your certificate?
>
> Thanks!
> Stephan



Re: SMTP Authentication without Encryption

Viktor Dukhovni
In reply to this post by Stephan Brauss

> On Jul 12, 2017, at 9:48 AM, Stephan Brauss <[hidden email]> wrote:
>
> The SMTP server of my ISP requires authentication (user/password), but
> I do not want to use SASL and SSL/TLS.

The *protocol* used to exchange authentication credentials between SMTP
clients and SMTP servers is the SASL protocol.  Postfix uses SASL libraries
to implement the SASL protocol.

SASL can be used without TLS, but by default, the PLAIN mechanism is
restricted to TLS.  Because storing cleartext passwords on servers is
a security (and reputation for incompetence) risk, most servers only
support PLAIN, and do not support CRAM-MD5 and the like, which require
stored cleartext passwords.

You can enable PLAIN without TLS via the corresponding (non-tls) SASL
options setting, but the ISP may not support PLAIN without TLS, or if
it does so now, may improve their password security in the future and
disallow PLAIN without TLS.

Basically, you're fighting against the tools that properly do the job.
To authenticate with a username and password against a submission
service you need to use SASL and TLS.

--
        Viktor.
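
Added example, not part of any post in this thread: a small Python check that classifies Postfix SMTP-client settings by whether a SASL password could be sent over an unencrypted session, following the split described above between smtp_sasl_security_options (sessions without TLS) and smtp_sasl_tls_security_options (sessions with TLS). The sample configurations and the host smtp.example.net are constructed, and the function names and result labels are hypothetical.

```python
# Added example (not from the thread): can a SASL password cross the wire
# unencrypted? Per-destination smtp_tls_policy_maps overrides are not evaluated.
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """main.cf syntax: '#' comments, 'name = value', leading-space continuations."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def audit(text):
    p = parse_main_cf(text)
    if p.get("smtp_sasl_auth_enable", "no") != "yes":
        return "no-auth"                      # client never offers credentials
    level = p.get("smtp_tls_security_level") or (   # else obsolete switches
        "encrypt" if p.get("smtp_enforce_tls") == "yes"
        else "may" if p.get("smtp_use_tls") == "yes" else "")
    if level in MANDATORY_TLS:
        return "tls-required"                 # no cleartext session can exist
    # Options for sessions WITHOUT TLS; the Postfix default is the fallback.
    opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noplaintext" in opts.replace(",", " ").split():
        return "plaintext-blocked"            # PLAIN/LOGIN refused in cleartext
    return "password-exposed"                 # PLAIN/LOGIN allowed in cleartext

# Constructed sample configs (smtp.example.net is a placeholder host).
OPPORTUNISTIC = """\
relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
"""
ENFORCED = """\
relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
"""

if __name__ == "__main__":
    print(audit(OPPORTUNISTIC), audit(ENFORCED))
```

At security level may, the client continues in cleartext when the server does not offer STARTTLS, which is why the first sample is classified as password-exposed.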


Re: SMTP Authentication without Encryption

gilbertoferreira
Wow! You hit the point!


Thank you

Kind regards


Gilberto Ferreira

Linux IT Consultant | IaaS Proxmox, CloudStack, KVM | Zentyal Server | Zimbra Mail Server

(47) 3025-5907
(47) 99676-7530


2017-07-12 11:44 GMT-03:00 Viktor Dukhovni <[hidden email]>:

> > On Jul 12, 2017, at 9:48 AM, Stephan Brauss <[hidden email]> wrote:
> >
> > The SMTP server of my ISP requires authentication (user/password), but
> > I do not want to use SASL and SSL/TLS.
>
> The *protocol* used to exchange authentication credentials between SMTP
> clients and SMTP servers is the SASL protocol.  Postfix uses SASL libraries
> to implement the SASL protocol.
>
> SASL can be used without TLS, but by default, the PLAIN mechanism is
> restricted to TLS.  Because storing cleartext passwords on servers is
> a security (and reputation for incompetence) risk, most servers only
> support PLAIN, and do not support CRAM-MD5 and the like, which require
> stored cleartext passwords.
>
> You can enable PLAIN without TLS via the corresponding (non-tls) SASL
> options setting, but the ISP may not support PLAIN without TLS, or if
> it does so now, may improve their password security in the future and
> disallow PLAIN without TLS.
>
> Basically, you're fighting against the tools that properly do the job.
> To authenticate with a username and password against a submission
> service you need to use SASL and TLS.
>
> --
>         Viktor.

