Greetings,

I have recently upgraded from a homebrewed Postfix 2.4 or 2.5 /experimental/ package to openSUSE 11.0's official package, which is based on postfix-2.5.1.

smtp_sasl_tls_verified_security_options apparently stopped working after the upgrade. Am I missing something in my configuration? Is there something WRT this option that did not make it into Postfix 2.5 official? It is documented in smtp(8)...

I checked postfix-2.5-patch02.gz and ...03.gz to see if relevant fixes appeared in HISTORY; but apparently they did not, so I think 2.5.3 will behave the same.

tls_policy contains (+ postmap ran):

    [mail.uni-paderborn.de]:25 secure match=nexthop

sender_dependent_relayhost_maps contains (+ postmap ran):

    [EMAIL PROTECTED] [mail.uni-paderborn.de]:25

Fiddling with tls_policy (for instance, trying verify or not listing the site at all, but with old-style 2.2 smtp_tls_enable=yes) was to no avail (except I sometimes got "Trusted TLS connection established", but still "no mechanism available").

Host and authentication selection work properly, STARTTLS works properly, however Postfix doesn't appear to use smtp_sasl_tls_verified_security_options (note I set this option to "noanonymous", the server - Exim 4.mumble - offers AUTH LOGIN PLAIN GSSAPI):

Logs:

    Jul 29 13:57:45 merlin postfix/smtp[720]: setting up TLS connection to mail.uni-paderborn.de[131.234.142.9]:25
    Jul 29 13:57:45 merlin postfix/smtp[720]: Verified TLS connection established to mail.uni-paderborn.de[131.234.142.9]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jul 29 13:57:45 merlin postfix/smtp[720]: warning: SASL authentication failure: No worthy mechs found
    Jul 29 13:57:45 merlin postfix/smtp[720]: 2CD8D200B75: to=<[EMAIL PROTECTED]>, relay=mail.uni-paderborn.de[131.234.142.9]:25, delay=58788, delays=58786/0.17/1/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.uni-paderborn.de[131.234.142.9]: no mechanism available)

If I set smtp_sasl_tls_security_options instead of smtp_sasl_tls_verified_security_options, it starts working:

    Jul 29 14:00:11 merlin postfix/smtp[879]: setting up TLS connection to mail.uni-paderborn.de[131.234.142.9]:25
    Jul 29 14:00:11 merlin postfix/smtp[879]: Verified TLS connection established to mail.uni-paderborn.de[131.234.142.9]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jul 29 14:00:14 merlin postfix/smtp[879]: 2CD8D200B75: to=<[EMAIL PROTECTED]>, relay=mail.uni-paderborn.de[131.234.142.9]:25, delay=58936, delays=58933/0.14/0.96/2.1, dsn=2.0.0, status=sent (250 OK id=1KNnsD-0007ln-55)

This is the "offending" configuration (postconf -n):

    alias_database = hash:/etc/postfix/aliases
    alias_maps = $alias_database
    allow_min_user = yes
    body_checks = pcre:/etc/postfix/body_checks
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[localhost]:10024
    daemon_directory = /usr/lib/postfix
    data_directory = /var/lib/postfix
    debug_peer_list =
    default_transport = hold
    defer_transports =
    hash_queue_names = defer deferred
    header_checks = pcre:/etc/postfix/header_checks
    html_directory = /usr/share/doc/packages/postfix/html
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    mail_owner = postfix
    mailbox_command = /usr/bin/maildrop -d "$USER" -f "$SENDER" "$EXTENSION"
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 16777216
    mydestination = $myhostname, localhost.$mydomain, -removed-.dyndns.org
    myhostname = -removed-
    mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24 192.168.1.0/24 [fec0::]/64 [fe80::]/64
    newaliases_path = /usr/bin/newaliases
    notify_classes = resource,software,2bounce
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/packages/postfix/README_FILES
    recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    recipient_delimiter = +
    relayhost = -removed-
    sample_directory = /usr/share/doc/packages/postfix/samples
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    sendmail_path = /usr/sbin/sendmail
    setgid_group = maildrop
    show_user_unknown_table_name = no
    smtp_helo_name = -removed-.dyndns.org
    smtp_sasl_auth_enable = yes
    smtp_sasl_mechanism_filter = !gssapi, !external, static:all
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_tls_verified_security_options = noanonymous
    smtp_sender_dependent_authentication = yes
    smtp_tls_CApath = /etc/ssl/certs
    smtp_tls_loglevel = 1
    smtp_tls_note_starttls_offer = yes
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
    smtp_tls_session_cache_timeout = 3600s
    smtpd_authorized_xforward_hosts = 127.0.0.1
    smtpd_recipient_restrictions = reject_unlisted_recipient permit_mynetworks reject_unauth_destination
    smtpd_sasl_path = smtpd
    smtpd_sender_restrictions = reject_unlisted_sender hash:/etc/postfix/access reject_unknown_sender_domain
    soft_bounce = yes
    transport_maps = hash:/etc/postfix/transport
    unknown_address_reject_code = 550
    unverified_recipient_reject_code = 550

--
Matthias Andree
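
The option inheritance this post depends on, as an added example that is not part of the original post and is not Postfix code: it models the documented postconf(5) default chain for the three smtp_sasl_*security_options parameters and applies it to the posted settings and to the workaround. The mechanism property table and the handling of smtp_sasl_mechanism_filter are simplified assumptions; the script shows what the documentation predicts, not what the 2.5.1 package did.

```python
import re

# Documented postconf(5) defaults: each TLS-specific option inherits from the
# less specific one unless set explicitly.
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
    "smtp_sasl_tls_verified_security_options": "$smtp_sasl_tls_security_options",
}
STATES = {"cleartext": "smtp_sasl_security_options",
          "tls": "smtp_sasl_tls_security_options",
          "verified": "smtp_sasl_tls_verified_security_options"}
# Simplified mechanism properties (assumption; the SASL library decides these).
MECH_PROPS = {"PLAIN": {"plaintext"}, "LOGIN": {"plaintext"},
              "ANONYMOUS": {"anonymous"}, "GSSAPI": set()}
# Relevant lines from the posted `postconf -n` output.
POSTED_CONF = """\
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_tls_verified_security_options = noanonymous
"""

def parse_postconf(text):
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def expand(conf, name):  # resolve $other_parameter references recursively
    return re.sub(r"\$(\w+)", lambda m: expand(conf, m.group(1)), conf.get(name, ""))

def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]

def usable_mechanisms(conf, tls_state, offered):
    """Mechanisms left after the filter and the options for tls_state."""
    forbidden = {o[2:] for o in words(expand(conf, STATES[tls_state])) if o.startswith("no")}
    excluded = {w[1:].upper() for w in words(conf.get("smtp_sasl_mechanism_filter", ""))
                if w.startswith("!")}
    return [m for m in offered
            if m not in excluded and not (MECH_PROPS.get(m, set()) & forbidden)]

if __name__ == "__main__":
    offered = ["LOGIN", "PLAIN", "GSSAPI"]  # as advertised by the Exim server
    workaround = POSTED_CONF.replace("tls_verified", "tls")  # the setting that worked
    for label, text in (("posted", POSTED_CONF), ("workaround", workaround)):
        conf = parse_postconf(text)
        print(label, {s: usable_mechanisms(conf, s, offered) for s in STATES})
```

In this model the posted configuration leaves LOGIN and PLAIN usable on a verified session, and the empty list that corresponds to "no mechanism available" appears only in the states where the default noplaintext still applies.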