* Jay G. Scott <g...@arlut.utexas.edu>:
> the goal: require AUTH and TLS to send email.
> using these instructions:
> http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
> postfix 2.3.3 from the RH enterprise rpm.
>
> partial successes:
> i can get tls to insert a header if i'm only using tls. (ie, tls but no auth)
> i can get auth to insert a header but i lose the tls header. (auth, no tls)
>
> i get to koetter's section 15.9 w/o incident, AFAIK.
>
> using mutt as the client, and a canned .muttrc like so:
>
> .muttrc
> set mbox_type=mbox
> set smtp_url="smtp://gl1:___...@smail.arlut.utexas.edu/"
> set hostname="smail.arlut.utexas.edu"

mutt is a great client but not the tool you should use to debug this.

> using koetter's configs this happens:
> [...@smail ~]$ mutt -s "per koetter" gl2 < /etc/motd
> SMTP server does not support authentication
> Could not send the message.
>
> if i turn this off in main.cf:
> #smtpd_tls_auth_only=yes

turn it back on in main.cf:

smtpd_tls_auth_only=yes

Then do this on the command line:

$ openssl s_client -starttls smtp -CAfile /etc/postfix/cacert.pem -connect smail.arlut.utexas.edu:25

OpenSSL should start a TLS session with the Postfix server running at smail.arlut.utexas.edu. Then send this:

EHLO arlut.utexas.edu

You should get a list of ESMTP capabilities your Postfix installation supports. Among them should be a line offering "AUTH ...". If you get that, everything is fine, except that mutt isn't configured correctly yet to use TLS and SMTP AUTH.

p...@rick (koetter)

> then i get auth but no tls.
>
> telnet smail 25
> Trying 10.3.16.25...
> Connected to smail.arlut.utexas.edu (10.3.16.25).
> Escape character is '^]'.
> 220 smail.arlut.utexas.edu ESMTP Postfix
> EHLO arlut.utexas.edu
> 250-smail.arlut.utexas.edu
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN CRAM-MD5
> 250-AUTH=LOGIN PLAIN CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
>
> so this is the auth but no tls situation. mutt will send
> authenticated email. there's no tls header, so i assume that
> means no tls.
>
> here's my postconf -n output, trimmed of trivial things like directories
> to save bandwidth.
>
> broken_sasl_auth_clients = yes
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_type = cyrus
> smtp_tls_CAfile = /etc/postfix/cacert.pem
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/postfix/smtp_tls_session_cache
> smtpd_client_restrictions =
> permit_sasl_authenticated,reject_unauth_destination
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = cyrus
> smtpd_tls_CAfile = /etc/postfix/cacert.pem
> smtpd_tls_cert_file = /etc/postfix/cacert.pem
> smtpd_tls_key_file = /etc/postfix/nopass_cakey.pem
> smtpd_tls_loglevel = 3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/postfix/smtpd_tls_session_cache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
>
> what am i doing wrong? that is, how do i force tls and auth to send
> email?
>
> thx.
>
> j.

--
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
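An added check, not part of this thread and not from Postfix, that automates what the openssl s_client test above looks for: EHLO in the clear, STARTTLS, EHLO again, and compare the AUTH lines. The telnet transcript from the thread is embedded as the "leaky" case (AUTH offered before TLS, which is what the commented-out smtpd_tls_auth_only produces); the hostname passed to check_server() is assumed.

```python
import smtplib
import ssl

# EHLO reply as pasted from the telnet session in the thread: AUTH is
# offered on the plaintext connection, which is the reported symptom.
LEAKY_EHLO = """250-smail.arlut.utexas.edu
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5
250 DSN"""

def ehlo_keywords(reply):
    """Yield (KEYWORD, params) from an EHLO reply. Works on a raw '250-'
    transcript and on smtplib's ehlo_resp, which has the prefixes stripped."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    for line in reply.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:].strip()
        if line.upper().startswith("AUTH="):   # broken_sasl_auth_clients form
            line = "AUTH " + line[5:]
        kw, _, params = line.partition(" ")
        if kw:
            yield kw.upper(), params.split()

def auth_mechanisms(reply):
    """Sorted SASL mechanisms advertised in the reply (empty list if none)."""
    return sorted({p.upper() for kw, ps in ehlo_keywords(reply) if kw == "AUTH" for p in ps})

def classify(plain_reply, tls_reply):
    """Compare AUTH before and after STARTTLS: 'auth-before-tls' is the
    misconfiguration, 'auth-only-in-tls' is what smtpd_tls_auth_only=yes gives."""
    if not any(kw == "STARTTLS" for kw, _ in ehlo_keywords(plain_reply)):
        return "no-starttls"
    if auth_mechanisms(plain_reply):
        return "auth-before-tls"
    return "auth-only-in-tls" if auth_mechanisms(tls_reply) else "no-auth"

def check_server(host, port=25, timeout=10):
    """Live check (needs network): EHLO in the clear, STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = s.ehlo_resp
        if not s.has_extn("starttls"):
            return classify(plain, b"")
        s.starttls(context=ssl.create_default_context())  # verifies the cert
        s.ehlo()
        return classify(plain, s.ehlo_resp)
```

Run check_server("smail.arlut.utexas.edu") against the live server; the expected result once smtpd_tls_auth_only=yes is back in main.cf is "auth-only-in-tls".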