How to FORCE secure authentication (over SSL or TLS) with Postfix
HowtoForge Forums > Server Operation

#1  cbj4074, 10th April 2012, 23:02

Hello,

I am interested in forcing encrypted authentication with Postfix.

I am aware that in some countries, public ISPs and the like are forbidden from requiring encryption where email systems are concerned. I am also aware that this practice is discouraged in certain circles.

According to the Postfix documentation ( http://www.postfix.org/TLS_README.html#server_tls_auth ), it may be useful to employ the following combination of directives. The idea is that authentication mechanisms will still be announced to older clients, and even though they won't be able to authenticate, they will receive some kind of error message. (The helpfulness of that error message is another issue altogether, as will become apparent.)

Code:
# offer STARTTLS to clients, but do not require it
smtpd_tls_security_level = may
# announce and accept SASL AUTH only once the session is TLS-protected
smtpd_tls_auth_only = yes

With this configuration, attempts to send mail are rejected, with a message like the following:

Code:
An error occurred while sending mail. The mail server responded:  5.7.1 <your-hostname.your-isp.com[XXX.XXX.XXX.XXX]>: Client host rejected: Access denied. Please check the message recipient user@example.com and try again.

Additionally, my email client (Thunderbird) displays something like this:

Code:
Sending of message failed.
The message could not be sent because the connection to SMTP server example.com was lost in the middle of the transaction. Try again or contact your network administrator.

If I enable STARTTLS for the SMTP connection, I am able to send mail without issue.

So far, all is well, and these are the expected results.

If I change the security level to "encrypt", the results when attempting to connect over an unencrypted connection are slightly different:

Code:
# reject MAIL FROM and later commands until the client has issued STARTTLS
smtpd_tls_security_level = encrypt
# announce and accept SASL AUTH only once the session is TLS-protected
smtpd_tls_auth_only = yes

Code:
An error occurred while sending mail. The mail server responded:  5.7.0 Must issue a STARTTLS command first.  Please verify that your email address is correct in your Mail preferences and try again.

This message is much more useful to clients that understand how to receive it, which I appreciate.

However, when I enable STARTTLS for the SMTP connection, mail is sent without issue, but it is always returned with the following message attached:

Code:
<user@example.com>: host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Failed,
    id=01520-12, from MTA([127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS
    command first (in reply to end of DATA command)

Is this because the local, internal connection between Postfix and Amavis is also requiring encryption, given these directives? If so, is there a simple means by which to exempt local connections from this requirement?

The fact that the first method works without issue seems to indicate that the "smtpd_tls_auth_only = yes" directive is ignored for local connections.

I am okay with using the first set of directives, but I would like to understand why the second does not work.

Thanks for any help!
#2  till, 11th April 2012, 07:40
You have to set:

smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes

as options for the outgoing connections in master.cf only, and not for the internal connections to the spam scanner by adding them to main.cf.
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3  cbj4074, 11th April 2012, 15:39
Thanks, Till. That makes sense.

However, when I try to add those directives to master.cf, Postfix complains about a syntax error:

Code:
fatal: /etc/postfix/master.cf: line 136: bad transport type: =

in response to this line:

Code:
smtpd_tls_security_level = encrypt

It seems that master.cf requires a different syntax than main.cf.

Any thoughts on this?

Thanks again!
#4  till, 11th April 2012, 15:43
There should be a line like this:

Code:
smtp      inet  n       -       -       -       -       smtpd

add the setting right below that line, so it looks like this:

Code:
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes

and then restart postfix.
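The split Till describes (TLS enforcement on the client-facing listener, plain settings for the amavis reinjection listener) is easy to get wrong because every `smtpd` service in master.cf silently inherits whatever main.cf says. The following Python script is an added example, not code from the thread or from Postfix: it merges each service's `-o` overrides over main.cf and flags the two failure modes discussed above, STARTTLS enforced on the loopback reinjection port (the cause of the `530 5.7.0 Must issue a STARTTLS command first` bounce) and AUTH reachable over cleartext. It also warns when enforcement lands on the port-25 `smtp` service itself, since remote MTAs that never issue STARTTLS would then be refused (RFC 3207 forbids requiring STARTTLS on a publicly referenced MX), which is why a separate `submission` service on 587 is the usual place for `encrypt`. Both configuration pairs in the script are constructed; the `submission` service, the explicit `smtpd_tls_security_level=none` on the reinjection listener and the `127.0.0.1:10025` name are assumptions about a typical layout, not something the posts prescribe. `smtpd_enforce_tls=yes` from the post above is the pre-2.3 spelling of `smtpd_tls_security_level=encrypt` and is honoured only while the newer parameter is unset; the checker mirrors that.

```python
"""Audit effective Postfix smtpd TLS/SASL settings per master.cf service.
Constructed example: merges each smtpd service's '-o' overrides over main.cf
and flags STARTTLS enforced on the loopback reinjection listener and AUTH
reachable over a cleartext channel."""
import shlex

LOOPBACK_PREFIXES = ("127.0.0.1:", "localhost:", "[::1]:")


def parse_main_cf(text):
    """'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def parse_master_cf(text):
    """8-column service lines; indented '-o key=value' lines override main.cf for that service only."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            tokens = shlex.split(line)
            for i, tok in enumerate(tokens):
                if tok == "-o" and i + 1 < len(tokens):
                    k, _, v = tokens[i + 1].partition("=")
                    services[-1]["overrides"][k.strip()] = v.strip()
            continue
        f = line.split()
        if len(f) < 8:
            raise ValueError("malformed master.cf entry: %r" % line)
        services.append({"name": f[0], "command": f[7], "overrides": {}})
    return services


def tls_level(cfg):
    """smtpd_tls_security_level wins; otherwise honour the legacy booleans
    smtpd_enforce_tls (=> encrypt) and smtpd_use_tls (=> may), as Postfix does."""
    level = cfg.get("smtpd_tls_security_level", "")
    if level:
        return level
    if cfg.get("smtpd_enforce_tls", "no") == "yes":
        return "encrypt"
    return "may" if cfg.get("smtpd_use_tls", "no") == "yes" else "none"


def effective_settings(main_cf, master_cf):
    """Map every smtpd service to main.cf with that service's own overrides applied."""
    main = parse_main_cf(main_cf)
    return {s["name"]: {**main, **s["overrides"]}
            for s in parse_master_cf(master_cf) if s["command"] == "smtpd"}


def audit(main_cf, master_cf):
    """Return (service, problem) pairs; an empty list means the split is sane."""
    findings = []
    for name, cfg in effective_settings(main_cf, master_cf).items():
        level = tls_level(cfg)
        sasl = cfg.get("smtpd_sasl_auth_enable", "no") == "yes"
        auth_only = cfg.get("smtpd_tls_auth_only", "no") == "yes"
        if name.startswith(LOOPBACK_PREFIXES):  # content-filter reinjection listener
            if level == "encrypt":
                findings.append((name, "loopback listener demands STARTTLS; the content filter's "
                                       "reinjection gets '530 5.7.0 Must issue a STARTTLS command first'"))
            continue
        if sasl and level == "none":
            findings.append((name, "AUTH enabled with TLS off: credentials cross the wire in cleartext"))
        elif sasl and level == "may" and not auth_only:
            findings.append((name, "AUTH advertised before STARTTLS; set smtpd_tls_auth_only=yes"))
        if name == "smtp" and level == "encrypt":
            findings.append((name, "port-25 MX enforces TLS: remote MTAs that never send STARTTLS are "
                                   "refused (RFC 3207 says a public MX must not require it)"))
    return findings


# Constructed samples. First pair: the thread's second attempt, set globally in main.cf.
MAIN_CF_GLOBAL = """
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
"""
MASTER_CF_GLOBAL = """
smtp      inet  n       -       -       -       -       smtpd
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_sasl_auth_enable=no
"""
# Second pair (assumed layout): optional TLS globally, enforcement scoped to a
# submission service, and the reinjection listener pinned to no TLS and no AUTH.
MAIN_CF_SCOPED = """
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
MASTER_CF_SCOPED = """
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
"""

if __name__ == "__main__":
    for label, main_cf, master_cf in (("global", MAIN_CF_GLOBAL, MASTER_CF_GLOBAL),
                                      ("scoped", MAIN_CF_SCOPED, MASTER_CF_SCOPED)):
        print(label, audit(main_cf, master_cf) or "OK")
```

Against the first pair the script reports both the `smtp` listener (TLS enforced on the MX) and `127.0.0.1:10025` (reinjection port inheriting `encrypt`), which is exactly the bounce shown in the thread; the second pair comes back clean. To run it on a real box, pass the contents of `/etc/postfix/main.cf` and `/etc/postfix/master.cf` to `audit()`; the parser is deliberately simple and does not expand `$variable` references or handle `{ }`-quoted override values.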
#5  cbj4074, 11th April 2012, 20:05
Beautiful; works as expected. Thanks, Till!

While I'm thinking of it, do you know of any way to specify these types of directives as "user-level" configuration options for Postfix?

The reason I ask is http://bugtracker.ispconfig.org/inde...s&task_id=1970 . I am trying to move my custom configuration options outside of ISPConfig's reach, so that reconfiguring services during upgrades poses no risk.

Thanks again.
Tags: authentication, force, postfix, sasl, tls