HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)
-   -   exclude localhost from postfix sasl, tls (http://www.howtoforge.com/forums/showthread.php?t=57931)

sygram 14th July 2012 09:10

exclude localhost from postfix sasl, tls
 
Hi there,

Due to a PCI DSS check I am trying to allow only secure connections to Postfix and exclude SSLv2. I've added the following lines to main.cf:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt

Now, as far as I can see, it accepts only TLS connections. Unfortunately I cannot simply connect from localhost to port 25, and various web apps that do not authenticate locally cannot send emails.

So my questions are:

1) How do I allow unencrypted and anonymous connections from localhost (as before)?
2) How do I instruct Dovecot to use encrypted passwords?

Thank you in advance.

Regards,

Leon

sygram 16th July 2012 13:09

Hi there,

Only if I change smtpd_tls_security_level = encrypt to "may" can I send email from localhost, as TLS is not mandatory in this case.

I am not sure how to auto-authorize localhost to SASL. This is what maillog prints:

Jul 16 14:01:56 server postfix/smtpd[7778]: connect from server[127.0.0.1]
Jul 16 14:01:56 server postfix/smtpd[7778]: lost connection after EHLO from server [127.0.0.1]
Jul 16 14:01:56 server postfix/smtpd[7778]: disconnect from server[127.0.0.1]

I tried to add smtpd_sasl_exceptions_networks = $mynetworks where mynetworks = 127.0.0.0/8, but nothing.

Any ideas?

sygram 28th July 2012 12:17

Any assistance will be appreciated.

createch 30th July 2012 03:31

Did you try to use sendmail through another port, e.g. 1025 (instead of using Postfix on port 25), to send out the email from localhost? What is the result?

sygram 30th July 2012 12:13

Hi createch,

I appreciate your reply.

I actually managed to find a solution that I am posting to save a lot of time for anyone else having the same issue.

The solution is to change the file master.cf:

submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Enable submission and smtps and add permit_mynetworks accordingly. Now I use SSL over port 465.

Everything safe and secure.

Regards
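The settings in this thread interact in a way that is easy to miss when reviewing for PCI DSS: Postfix consults the obsolete smtpd_enforce_tls and smtpd_use_tls parameters only while smtpd_tls_security_level is empty, so once main.cf carries smtpd_tls_security_level = may (the second post), the submission service's "-o smtpd_enforce_tls=yes" has no effect and port 587 still accepts plaintext. The script below is an added example, not code from the thread or from Postfix. It parses a main.cf and a master.cf in the format Postfix uses, applies each service's "-o name=value" overrides, and reports the effective TLS and SASL posture of every inet smtpd listener, flagging that precedence trap along with plaintext acceptance and AUTH offered before STARTTLS. The two embedded configs are constructed from the values posted above (a stock port-25 "smtp inet" listener is assumed in master.cf); on a real system the same functions would be fed the live files.

```python
# Audit which Postfix smtpd listeners accept plaintext or unauthenticated mail.
# Added example, not code from the thread or from Postfix: parses main.cf and master.cf,
# applies each service's "-o name=value" overrides and reports the effective TLS/SASL
# policy of every inet smtpd listener. Both sample configs are constructed from the thread.
import re

# Constructed main.cf: the thread's settings, with the level relaxed to "may" (second post).
MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_client_restrictions =
    permit_mynetworks,
    reject
"""

# Constructed master.cf: the thread's two entries plus the (assumed) stock port-25 listener.
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""


def is_yes(cfg, name):
    """Postfix boolean parameters accept yes/no (and a few synonyms); the default here is 'no'."""
    return cfg.get(name, "no").strip().lower() in {"yes", "true", "on", "1"}


def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the previous value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            cfg[last] = (cfg[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        cfg[last] = value.strip()
    return cfg


def parse_master_cf(text):
    """Non-indented line = service (8 fixed columns, then args); an indented line continues
    the args; '-o name=value' tokens are per-service overrides of main.cf."""
    services, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():
            current = {"name": tokens[0], "type": tokens[1], "command": tokens[7], "overrides": {}}
            services.append(current)
            tokens = tokens[8:]
        for flag, kv in zip(tokens, tokens[1:]):
            if flag == "-o":
                name, _, value = kv.partition("=")
                current["overrides"][name] = value
    return services


def effective_tls_level(cfg):
    """Postfix precedence: wrappermode means TLS from the first byte; otherwise a non-empty
    smtpd_tls_security_level overrides the obsolete smtpd_use_tls / smtpd_enforce_tls."""
    if is_yes(cfg, "smtpd_tls_wrappermode"):
        return "wrapper", []
    level, enforce = cfg.get("smtpd_tls_security_level", "").strip(), is_yes(cfg, "smtpd_enforce_tls")
    if level:
        ignored = ["smtpd_enforce_tls=yes ignored: smtpd_tls_security_level=%s takes precedence" % level]
        return level, (ignored if enforce and level != "encrypt" else [])
    if enforce:
        return "encrypt", []
    return ("may" if is_yes(cfg, "smtpd_use_tls") else "none"), []


def audit(main_text, master_text):
    """Per inet smtpd service: effective TLS/SASL posture plus review findings."""
    base, report = parse_main_cf(main_text), {}
    for svc in parse_master_cf(master_text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        cfg = dict(base, **svc["overrides"])  # -o overrides win over main.cf
        level, warnings = effective_tls_level(cfg)
        plaintext = level in ("none", "may")  # STARTTLS absent or optional
        sasl = is_yes(cfg, "smtpd_sasl_auth_enable")
        if plaintext:
            warnings.append("plaintext SMTP accepted: clients may skip STARTTLS")
        if sasl and plaintext and not is_yes(cfg, "smtpd_tls_auth_only"):
            warnings.append("AUTH offered before STARTTLS: credentials may cross the wire in cleartext")
        clients = re.split(r"[,\s]+", cfg.get("smtpd_client_restrictions", ""))
        report[svc["name"]] = {"effective_tls": level, "plaintext_allowed": plaintext,
                               "sasl_enabled": sasl, "mynetworks_bypass_sasl": "permit_mynetworks" in clients,
                               "warnings": warnings}
    return report


if __name__ == "__main__":
    for name, info in audit(MAIN_CF, MASTER_CF).items():
        print(name, info["effective_tls"], *info["warnings"], sep=" | ")
```

Run against the constructed configs, the report shows smtps as wrapper-mode TLS with no findings, while both smtp and submission come out at level "may" with plaintext accepted, and submission additionally carries the "smtpd_enforce_tls=yes ignored" finding. The fix for that listener is to use "-o smtpd_tls_security_level=encrypt" instead of the obsolete parameter; with main.cf switched back to "encrypt" the audit reproduces the original post's situation, where port 25 refuses plaintext and local web apps that do not speak STARTTLS are cut off. Two further points a reviewer would raise on the main.cf posted above: smtpd_tls_mandatory_protocols = SSLv3, TLSv1 still admits SSLv3, which is no longer acceptable (the exclusion form, such as !SSLv2, !SSLv3, is the current idiom), and permit_mynetworks in smtpd_client_restrictions lets 127.0.0.0/8 past the client stage without SASL, which is the intended exemption for localhost but should be kept to loopback only.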
