question about auth, smtpd and roundcube


question about auth, smtpd and roundcube

Felix Rubio Dalmau
Hi all,

        I have set up a postfix+dovecot+roundcube installation. Currently, I have
set up these smtpd parameters:

        smtpd_tls_security_level = may
        smtpd_tls_auth_only = yes
        smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

        inside discard_helo, I have set "127.0.0.1 starttls,silent-discard" to
allow roundcube to connect without TLS.

        With this setup, roundcube can't connect because it is not on a TLS
connection. If I set up roundcube to use TLS and comment out
smtpd_discard_ehlo_keyword_address_maps, everything goes fine.

        The question is: how can I allow smtpd_tls_auth_only only on non-local
connections?

        Thank you!

        Felix

Re: question about auth, smtpd and roundcube

btb-2
On 2013.06.20 04.51, Felix Rubio Dalmau wrote:

> Hi all,
>
> I have set up a postfix+dovecot+roundcube installation. Currently, I have
> set up these smtpd parameters:
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
>
> inside discard_helo, I have set "127.0.0.1 starttls,silent-discard" to
> allow roundcube to connect without TLS.
>
> With this setup, roundcube can't connect because it is not on a TLS
> connection. If I set up roundcube to use TLS and comment out
> smtpd_discard_ehlo_keyword_address_maps, everything goes fine.
>
> The question is: how can I allow smtpd_tls_auth_only only on non-local
> connections?

this is overcomplicated.  set up a proper submission service [587] which
requires encryption and authentication.  configure smtp service [25] to
offer [but not require] encryption and to not offer auth.  configure
roundcube to use submission+encryption+smtp auth, just like any other
mail client.

-ben


Re: question about auth, smtpd and roundcube

/dev/rob0
In reply to this post by Felix Rubio Dalmau
On Thu, Jun 20, 2013 at 10:51:28AM +0200, Felix Rubio Dalmau wrote:

> I have set up a postfix+dovecot+roundcube installation. Currently,
> I have set up these smtpd parameters:
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
>
> inside discard_helo, I have set "127.0.0.1 starttls,silent-discard"
> to allow roundcube to connect without TLS.
>
> With this setup, roundcube can't connect because it is not on a
> TLS connection. If I set up roundcube to use TLS and comment out
> smtpd_discard_ehlo_keyword_address_maps, everything goes fine.
>
> The question is: how can I allow smtpd_tls_auth_only only on
> non-local connections?

Like Ben, I think you are solving a non-problem here. While TLS on
localhost provides no benefit, how much is the gain from turning it
off? On the Dovecot side it's simpler because Dovecot considers
loopback secure (and it probably offers more actual benefit because
IMAP connections are persistent.)

Anyway, if you do choose to pursue this, there are many options. I
think the easiest would be to make a separate smtpd instance with
overrides as needed:

[ master.cf ]
...
127.0.0.1:10587 inet n - n - - smtpd
        -o smtpd_tls_security_level=none
        -o smtpd_tls_auth_only=no
        -o syslog_name=postfix/roundcube
        [ with other overrides from your submission service ]

Then configure Roundcube to connect to 127.0.0.1:10587 for sending.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: question about auth, smtpd and roundcube

btb-2
In reply to this post by Felix Rubio Dalmau
On Jun 21, 2013, at 03.50, Felix Rubio Dalmau <[hidden email]> wrote:

> Sorry for disturbing you, Ben
>
> Thank you for your answer, but there is one point I don't fully get: If I
> set up an smtp [25] to offer encryption without auth, a submission [587] to
> require encryption and auth, and I want roundcube to access the mail server
> with auth but without encryption.... I am stuck at the same point, right?
>
> Finally, I have configured smtp [25] to offer encryption, and auth only
> under tls. I have also set up a submission [587] without encryption, requiring
> auth, for roundcube. Finally I have closed port 587 using iptables, so it can be
> used only through the loopback interface.

let's please keep the discussion on the list, so others may participate.

the key here is the "I want roundcube to access the mail server with auth but without encryption".  why bother?  roundcube happily performs encryption just fine, it hurts nothing to do it, and it obviates the need for unnecessary special treatment.

you should not be offering auth on port 25, encryption or not.  we don't need to get into all of the corner cases or special use cases, but far and away, for the average environment, auth is for clients, and clients are to use port submission/587.  if you're using submission/587 for roundcube only [as you seem to indicate], then why go to all of the trouble to intentionally disable encryption when it works just fine?

-ben
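Ben's point (no AUTH on port 25, clients on a TLS-only submission service) and /dev/rob0's loopback-only smtpd instance in the previous message both depend on settings that live partly in main.cf and partly in master.cf `-o` overrides, which is exactly where a listener can end up offering AUTH in the clear by accident. The following Python script is an added example, not code from any of the posters or from the Postfix project: it parses both files, resolves the effective smtpd settings per `inet` listener, and flags any listener where SASL AUTH can be spoken before STARTTLS. The main.cf and master.cf strings are constructed for the example (one in the shape the replies recommend, one deliberately misconfigured); the script assumes Postfix's eight-field master.cf entries, whitespace-indented continuation lines and unquoted `-o name=value` overrides.

```python
"""Audit Postfix smtpd listeners for SMTP AUTH that can be spoken before STARTTLS.
Added example, not from the thread's posters or the Postfix project; assumes master.cf's
eight-field entries, indented continuation lines and unquoted -o name=value overrides."""
from collections import namedtuple

# Constructed main.cf fragment mirroring the original poster's settings.
MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = no
"""

# Constructed master.cf in the shape Ben and /dev/rob0 suggest: no AUTH on port 25,
# TLS-only submission, and a loopback-only plaintext instance for Roundcube.
MASTER_CF_OK = """
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:10587 inet n - n - - smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix/roundcube
"""

# Constructed misconfiguration: AUTH on the public MX port with TLS-only protection off.
MASTER_CF_BAD = """
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
"""

LOOPBACK_PREFIXES = ("127.", "localhost:", "[::1]:")
Service = namedtuple("Service", "name type command args")   # name: service or host:port
Finding = namedtuple("Finding", "service severity message")

def parse_main_cf(text):
    """main.cf 'name = value' lines to a dict; comments and blank lines skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """master.cf entries; a line starting with whitespace continues the previous one."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not services:
                raise ValueError(f"continuation line before any entry: {raw!r}")
            services[-1].args.extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"master.cf entry needs 8 fields: {raw!r}")
        services.append(Service(fields[0], fields[1], fields[7], fields[8:]))
    return services

def overrides(service):
    """Collect '-o name=value' pairs from a service's argument list."""
    out = {}
    for i, arg in enumerate(service.args[:-1]):
        if arg == "-o":
            key, _, value = service.args[i + 1].partition("=")
            out[key.strip()] = value.strip()
    return out

def is_yes(value):
    return value.strip().lower() in ("yes", "y", "true", "on", "1")

def audit(main_text, master_text):
    """Flag inet smtpd listeners where SASL AUTH is reachable without TLS."""
    main_cf = parse_main_cf(main_text)
    findings = []
    for svc in parse_master_cf(master_text):
        if svc.type != "inet" or svc.command != "smtpd":
            continue
        p = {**main_cf, **overrides(svc)}           # -o overrides beat main.cf
        if not is_yes(p.get("smtpd_sasl_auth_enable", "no")):
            continue
        # AUTH stays inside TLS only if TLS is mandatory or smtpd_tls_auth_only=yes.
        plaintext_auth = (p.get("smtpd_tls_security_level", "") != "encrypt"
                          and not is_yes(p.get("smtpd_tls_auth_only", "no")))
        loopback = svc.name.startswith(LOOPBACK_PREFIXES)
        if plaintext_auth:
            where = "loopback-only" if loopback else "non-loopback"
            findings.append(Finding(svc.name, "info" if loopback else "high",
                                    f"AUTH offered without TLS on a {where} listener"))
        if svc.name in ("smtp", "25") or svc.name.endswith((":smtp", ":25")):
            findings.append(Finding(svc.name, "medium",
                                    "SASL AUTH enabled on the MX port; move clients to submission"))
    return findings
```

On a live server, call `audit()` with the contents of `/etc/postfix/main.cf` and `/etc/postfix/master.cf`. Against the constructed "ok" configuration the only finding is an `info` entry for the `127.0.0.1:10587` instance, because `smtpd_tls_security_level=none` does make AUTH plaintext there but the listener is bound to loopback; the "bad" configuration scores `high` (plaintext AUTH on a public listener) and `medium` (AUTH on the MX port at all) for the `smtp` service.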

Re: question about auth, smtpd and roundcube

Felix Rubio Dalmau
The underlying reason is that I am using a very small machine (an AMD-350),
which I have set up to be fanless, and which is running, apart from the mail
server for my family, a couple of webservers, owncloud instances, etc. So, I
thought that I could free it from some work by disabling the encryption in
roundcube.

Regards!

Felix


On Friday 21 June 2013 22:17:49 [hidden email] wrote:
> On Jun 21, 2013, at 03.50, Felix Rubio Dalmau <[hidden email]> wrote:
> > Sorry for disturbing you, Ben
> >
> > Thank you for your answer, but there is one point I don't fully get: If I
> > set up an smtp [25] to offer encryption without auth, a submission [587] to
> > require encryption and auth, and I want roundcube to access the mail server
> > with auth but without encryption.... I am stuck at the same point, right?
> >
> > Finally, I have configured smtp [25] to offer encryption, and auth only
> > under tls. I have also set up a submission [587] without encryption,
> > requiring auth, for roundcube. Finally I have closed port 587 using
> > iptables, so it can be used only through the loopback interface.
>
> let's please keep the discussion on the list, so others may participate.
>
> the key here is the "I want roundcube to access the mail server with auth
> but without encryption".  why bother?  roundcube happily performs
> encryption just fine, it hurts nothing to do it, and it obviates the need
> for unnecessary special treatment.
>
> you should not be offering auth on port 25, encryption or not.  we don't
> need to get into all of the corner cases or special use cases, but far and
> away, for the average environment, auth is for clients, and clients are to
> use port submission/587.  if you're using submission/587 for roundcube only
> [as you seem to indicate], then why go to all of the trouble to
> intentionally disable encryption when it works just fine?
>
> -ben