David Ballano wrote:
> Hello everybody,
> I have almost set up my postfix; this is what I've done.
> I configured postfix with TLS and SASL2 via PAM (saslauthd) with virtual
> domains and unix accounts. This is my main.cf:
> --------------------------------------------------------------------
> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
> # Debian specific: Specifying a file name will cause the first
> # line of that file to be used as the name. The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
> # TLS parameters
> smtpd_tls_cert_file=/etc/ssl/certs/server.crt
> smtpd_tls_key_file=/etc/ssl/certs/server.key
> smtpd_use_tls=yes
> smtpd_tls_auth_only=yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
> myhostname = orion.ballano.net
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> #myorigin = /etc/mailname
> mydestination = orion.ballano.net, localhost.ballano.net, localhost
> relayhost =
> mynetworks = 127.0.0.0/8
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> home_mailbox = Maildir/
> virtual_alias_domains = ballano.net
> virtual_alias_maps = hash:/etc/postfix/virtual
> smtpd_sasl_path = smtpd
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> ----------------------------------------------------------------------------------
> my virtual file:
> ---------------------------------------------------
> cat /etc/postfix/virtual
> [EMAIL PROTECTED] [EMAIL PROTECTED]
> ---------------------------------------------------------
> and my smtpd.conf file
> ----------------------------------------------------------
> pwcheck_method: saslauthd
> mech_list: plain login
> ----------------------------------------------------------
> I even installed courier-pop-ssl with my certificates and it is working ok.
> But here is something I think is not going ok. With this method of
> auth (saslauthd) I read that I can only use the plain and login mechs, but
> that's no problem because I configured TLS for smtp.
> But what happens if some client doesn't use TLS?
> They will not see the AUTH keyword, so they won't have the opportunity
> to send a login:password.
> I tried, and without
> TLS I can't send mail to other domains (relay access denied), but I can
> send mails to myself. Is that normal?
anybody can send mail to any domain hosted on your postfix. otherwise,
how would I send you mail? reject_unauth_destination denies relay, not
inbound mail.
> I'm a bit confused because if
> some client doesn't use TLS someone can get passwords
which passwords? your setup requires TLS for authentication. you can
check that with telnet:
$ telnet correo.ballano.net 25
Trying 66.197.149.93...
Connected to correo.ballano.net.
Escape character is '^]'.
220 orion.ballano.net ESMTP Postfix (Debian/GNU)
EHLO imlil.netoyen.net
250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
but with TLS:
$ openssl s_client -starttls smtp -connect correo.ballano.net:25
...
EHLO imlil.netoyen.net
250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
...
> and send mails
> not outside but inside.
> Is there a solution for that?
There is no problem.
> maybe telling postfix always to use
> TLS, and if the client doesn't use TLS reject the email. How?
you want to get mail from the public internet or is this a private mail
server? if this is a public server, you can't require TLS.
> thank you guys, I'm learning a lot with your help.
> David.
> PS: here is my postconf -n by the way...
> orion:~# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = all
> mailbox_size_limit = 0
> mydestination = orion.ballano.net, localhost.ballano.net, localhost
> myhostname = orion.ballano.net
> mynetworks = 127.0.0.0/8
> recipient_delimiter = +
> relayhost =
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
> smtpd_tls_key_file = /etc/ssl/certs/server.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
> virtual_alias_domains = ballano.net
> virtual_alias_maps = hash:/etc/postfix/virtual
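A way to verify the behaviour the two captures in the reply show (AUTH advertised only after STARTTLS, which is what smtpd_tls_auth_only = yes is meant to produce), as an added Python example that is not part of the thread. The two transcripts are constructed from the quoted EHLO replies; the host, port and HELO name used by probe() are assumptions.

```python
import re
import smtplib

# Constructed from the plaintext telnet capture quoted in the reply
EHLO_BEFORE_TLS = """250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# Constructed from the openssl s_client capture: AUTH appears, STARTTLS is gone
EHLO_AFTER_TLS = EHLO_BEFORE_TLS.replace("250-STARTTLS", "250-AUTH LOGIN PLAIN")

def ehlo_extensions(reply):
    """Return the set of ESMTP keywords in a multi-line EHLO reply."""
    exts = set()
    for line in reply.splitlines()[1:]:   # first line carries only the hostname
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def classify(before, after):
    """Label the (pre-STARTTLS, post-STARTTLS) extension sets by AUTH exposure."""
    if "AUTH" in before:
        return "auth-in-clear"     # a client could send LOGIN/PLAIN unencrypted
    if "STARTTLS" not in before:
        return "no-starttls"       # no encrypted path is offered at all
    if "AUTH" in after:
        return "auth-tls-only"     # what smtpd_tls_auth_only = yes should produce
    return "no-auth"               # server never offers AUTH

def check_transcripts(before_reply, after_reply):
    """Offline check on captured EHLO replies, e.g. the two above."""
    return classify(ehlo_extensions(before_reply), ehlo_extensions(after_reply))

def probe(host, port=25, helo="probe.example"):
    """Live check (needs network): EHLO, STARTTLS, EHLO again. HELO name is made up."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        before = {k.upper() for k in s.esmtp_features}
        after = set()
        if "STARTTLS" in before:
            s.starttls()           # default context; no certificate validation here
            s.ehlo(helo)
            after = {k.upper() for k in s.esmtp_features}
    return classify(before, after)
```

Running probe() against your own server should return "auth-tls-only"; "auth-in-clear" means clients are being offered a way to send passwords without TLS.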