hi, the goal: require AUTH and TLS to send email. using these instructions: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
postfix 2.3.3 from the RH enterprise rpm.

partial successes:
i can get tls to insert a header if i'm only using tls. (ie, tls but no auth)
i can get auth to insert a header but i lose the tls header. (auth, no tls)

i get to koetter's section 15.9 w/o incident, AFAIK.

using mutt as the client, and a canned .muttrc like so:

.muttrc
    set mbox_type=mbox
    set smtp_url="smtp://gl1:___...@smail.arlut.utexas.edu/"
    set hostname="smail.arlut.utexas.edu"

using koetter's configs this happens:

    [...@smail ~]$ mutt -s "per koetter" gl2 < /etc/motd
    SMTP server does not support authentication
    Could not send the message.

if i turn this off in main.cf:

    #smtpd_tls_auth_only=yes

then i get auth but no tls.

    telnet smail 25
    Trying 10.3.16.25...
    Connected to smail.arlut.utexas.edu (10.3.16.25).
    Escape character is '^]'.
    220 smail.arlut.utexas.edu ESMTP Postfix
    EHLO arlut.utexas.edu
    250-smail.arlut.utexas.edu
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN CRAM-MD5
    250-AUTH=LOGIN PLAIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit

so this is the auth but no tls situation. mutt will send authenticated email. there's no tls header, so i assume that means no tls.

here's my postconf -n output, trimmed of trivial things like directories to save bandwidth.

    broken_sasl_auth_clients = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_type = cyrus
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:/var/postfix/smtp_tls_session_cache
    smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = cyrus
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_cert_file = /etc/postfix/cacert.pem
    smtpd_tls_key_file = /etc/postfix/nopass_cakey.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:/var/postfix/smtpd_tls_session_cache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom

what am i doing wrong? that is, how do i force tls and auth to send email?

thx.
j.
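
Added example, not part of the original post: a Python check that parses an EHLO reply captured before STARTTLS, such as the one in the telnet session above, and reports whether AUTH is advertised on the cleartext session. The second sample reply and its hostname are constructed, and the function names are hypothetical.

```python
import re

# Pre-STARTTLS EHLO reply copied from the telnet session in the post.
EHLO_FROM_POST = """\
250-smail.arlut.utexas.edu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample: a cleartext reply that withholds AUTH until after STARTTLS.
EHLO_TLS_ONLY_AUTH = """\
250-mail.example.test
250-PIPELINING
250-STARTTLS
250 DSN
"""

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} for a multi-line 250 EHLO reply."""
    exts = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # the first line is the server's greeting name
        m = re.match(r"250[- ](\S.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        # "AUTH=LOGIN ..." is the legacy spelling; fold it into AUTH
        words = m.group(1).replace("=", " ", 1).split()
        exts.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return exts

def audit_cleartext_ehlo(reply):
    """List findings for an EHLO reply captured before STARTTLS."""
    exts, findings = parse_ehlo(reply), []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered")
    if "AUTH" in exts:
        findings.append("AUTH offered without TLS: " + " ".join(sorted(exts["AUTH"])))
        exposed = exts["AUTH"] & {"PLAIN", "LOGIN"}  # password sent base64-encoded only
        if exposed:
            findings.append("cleartext-password mechanisms exposed: " + " ".join(sorted(exposed)))
    return findings
```

An empty result for the cleartext reply means AUTH is only reachable after STARTTLS; the post-STARTTLS EHLO reply has to be inspected separately to confirm AUTH is offered there.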