2008/9/24 mouss <[EMAIL PROTECTED]>:
> David Ballano wrote:
>>
>> Hello everybody,
>>
>>
>>
>> I have almost setup my postfix, that's what I've done.
>>
>> configured postfix with TLS SASL2 via pam (saslauthd) with virtual
>> domains  and unix accounts that's my main.cf
>>
>>
>> --------------------------------------------------------------------
>> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>>
>>
>> # Debian specific:  Specifying a file name will cause the first
>> # line of that file to be used as the name.  The Debian default
>> # is /etc/mailname.
>> #myorigin = /etc/mailname
>>
>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>> biff = no
>>
>> # appending .domain is the MUA's job.
>> append_dot_mydomain = no
>>
>> # Uncomment the next line to generate "delayed mail" warnings
>> #delay_warning_time = 4h
>>
>> # TLS parameters
>> smtpd_tls_cert_file=/etc/ssl/certs/server.crt
>> smtpd_tls_key_file=/etc/ssl/certs/server.key
>>
>> smtpd_use_tls=yes
>> smtpd_tls_auth_only=yes
>> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
>> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>>
>> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
>> # information on enabling SSL in the smtp client.
>>
>> myhostname = orion.ballano.net
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> #myorigin = /etc/mailname
>> mydestination = orion.ballano.net, localhost.ballano.net, localhost
>> relayhost =
>> mynetworks = 127.0.0.0/8
>> mailbox_size_limit = 0
>> recipient_delimiter = +
>> inet_interfaces = all
>>
>> home_mailbox = Maildir/
>> virtual_alias_domains = ballano.net
>> virtual_alias_maps = hash:/etc/postfix/virtual
>>
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_recipient_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated, reject_unauth_destination
>>
>> ----------------------------------------------------------------------------------
>>
>> my virtual file:
>>
>> ---------------------------------------------------
>> cat /etc/postfix/virtual
>> [EMAIL PROTECTED] [EMAIL PROTECTED]
>> ---------------------------------------------------------
>>
>> and my smtpd.conf file
>> ----------------------------------------------------------
>> pwcheck_method: saslauthd
>> mech_list: plain login
>> ----------------------------------------------------------
>>
>>
>> I even installed courier-pop-ssl with my certificates and it is working ok.
>>
>> but here is something I think is not going ok.   with this method of
>> auth  saslauth I read that only I can use plain and login mech's but
>> that's no problem because I configured tls for smtp.
>>
>> but what happens if some client doesn't use tls?
>
> They will not see the AUTH keyword, so they won't have the opportunity to
> send a login:password.
>
>> I tried, and without
>> tls can't send mail to other domains (relay access denied), but I can
>> send mails to myself is that normal?
>
> anybody can send mail to any domain hosted on your postfix. otherwise, how
> would I send you mail? reject_unauth_destination denies relay, not inbound
> mail.
>
>> I'm a bit confused because if
>> some client doesn't use tls  someone can get passwords
>
> which passwords? your setup requires TLS for authentication. you can check
> that with telnet:
>
> $ telnet correo.ballano.net 25
> Trying 66.197.149.93...
> Connected to correo.ballano.net.
> Escape character is '^]'.
> 220 orion.ballano.net ESMTP Postfix (Debian/GNU)
> EHLO imlil.netoyen.net
> 250-orion.ballano.net
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> but with TLS:
> $ openssl s_client -starttls smtp -connect correo.ballano.net:25
> ...
> EHLO imlil.netoyen.net
> 250-orion.ballano.net
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> ...
>

ok, now I understand, so if someone doesn't use TLS, my server doesn't
show the AUTH keyword (like I can see above) and they can't put a user
and pass.
but with tls smtp accepts AUTH
>
>
>> and send mails
>> not outside but inside.
>>
>> is there a solution for that?,
>
> There is no problem.
>
>> maybe telling postfix always to use
>> tls, and if client not use tls reject the email, how?
>
> you want to get mail from the public internet or is this a private mail
> server? if this is a public server, you can't require TLS.

it is a public server, I mean I get mail from the internet, and people can
use it from outside.
so tls is required, isn't

>
>>
>> thank you guys, I'm learning a lot with your help.
>> David.
>>
>> PD: here is my postconf -n by the way...
>>
>> orion:~# postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> append_dot_mydomain = no
>> biff = no
>> config_directory = /etc/postfix
>> home_mailbox = Maildir/
>> inet_interfaces = all
>> mailbox_size_limit = 0
>> mydestination = orion.ballano.net, localhost.ballano.net, localhost
>> myhostname = orion.ballano.net
>> mynetworks = 127.0.0.0/8
>> recipient_delimiter = +
>> relayhost =
>> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_security_options = noanonymous
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
>> smtpd_tls_key_file = /etc/ssl/certs/server.key
>> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
>> smtpd_use_tls = yes
>> virtual_alias_domains = ballano.net
>> virtual_alias_maps = hash:/etc/postfix/virtual
>
>

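The telnet / `openssl s_client` comparison shown in the thread can be automated. The following is an added example, not part of the original messages: it parses the two EHLO replies quoted above and reports whether AUTH is withheld until after STARTTLS. The function names and the `client.example` HELO name are assumptions, and `probe()` is meant for a live check against your own server.

```python
import re
import smtplib

# EHLO replies copied from the two sessions quoted in the thread.
PLAIN_REPLY = """250-orion.ballano.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# The TLS session showed the same list with STARTTLS replaced by AUTH.
TLS_REPLY = PLAIN_REPLY.replace("250-STARTTLS", "250-AUTH LOGIN PLAIN")

def ehlo_keywords(reply):
    """Return the set of ESMTP keywords in a raw multi-line 250 reply."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    # The first 250 line carries the server name, not an extension.
    # Splitting on "=" as well catches the legacy "AUTH=LOGIN PLAIN" form.
    return {re.split(r"[ =]", ln[4:].strip())[0].upper() for ln in lines[1:] if len(ln) > 4}

def audit(before_tls, after_tls):
    """Compare keyword sets seen before and after STARTTLS; return findings."""
    findings = []
    if "AUTH" in before_tls:
        findings.append("AUTH offered in cleartext: smtpd_tls_auth_only is not in effect")
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: clients cannot reach AUTH over TLS")
    if "AUTH" not in after_tls:
        findings.append("AUTH missing after STARTTLS: check smtpd_sasl_auth_enable")
    return findings

def probe(host, port=25, helo="client.example"):
    """Live check against your own server: keyword sets before/after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        before = {k.upper() for k in s.esmtp_features}
        s.starttls()   # raises SMTPNotSupportedError if STARTTLS is not offered
        s.ehlo(helo)   # extensions must be re-read after the TLS handshake
        after = {k.upper() for k in s.esmtp_features}
    return before, after

if __name__ == "__main__":
    print(audit(ehlo_keywords(PLAIN_REPLY), ehlo_keywords(TLS_REPLY)) or "OK")
```

An empty findings list corresponds to the behaviour described in the reply: no AUTH keyword before STARTTLS, AUTH LOGIN PLAIN after it.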