On Tuesday 13 October 2009 15:52:32, Simon Wilson wrote:
> Now my wife has just got a Nokia E51. When it tries to send using SMTP
> to the same port 587, it tries to use CRAM-MD5, and the send fails:
>
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection
> from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA
> (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
>
> It establishes the TLS fine, but then tries to use sasldb2 instead of
> saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using it.

Well, if you did not set up LDAP to store passwords in plaintext format (which you probably don't want to), it will not work with CRAM-MD5, that's just the way it is. But anyway, if you use TLS/SSL, passwords are submitted over an encrypted connection, so submitting plaintext passwords should not be a big security issue here.

> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> Postconf -n:
[...]
> smtpd_sasl_auth_enable = yes
> smtpd_tls_auth_only = yes
[...]

That's the way you configured postfix. It shall only give AUTH *after* STARTTLS (or over an SSL connection). That's just fine.

I would propose (am I allowed to?), to configure your wife's phone to use TLS, and AUTH PLAIN.

--
Kind regards
Jan
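An added illustration, not part of the original message, of why CRAM-MD5 cannot be checked against a directory that holds only hashed passwords while AUTH PLAIN inside TLS can. The user, password, challenge and the salted SHA-1 storage scheme are constructed assumptions, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

def cram_md5_response(user, password, challenge):
    """Client: base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(response, challenge, plaintext_secrets):
    """Server: must recompute the HMAC, so it needs the plaintext secret."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    secret = plaintext_secrets.get(user)
    if secret is None:  # nothing to key the HMAC with, so authentication fails
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def salted_sha1(password, salt):
    """Assumed directory storage scheme (SSHA-style): SHA-1(password + salt)."""
    return hashlib.sha1(password.encode() + salt).digest()

def verify_plain(user, password, hashed_store):
    """AUTH PLAIN: the password itself arrives (inside TLS), so a hash suffices."""
    entry = hashed_store.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(salted_sha1(password, salt), stored)

# Constructed sample data, not taken from the thread.
CHALLENGE = b"<1234.5678@mail.example.org>"
USER, PASSWORD = "kate", "correct horse battery"
SALT = b"\x01\x02\x03\x04"
HASHED_STORE = {USER: (SALT, salted_sha1(PASSWORD, SALT))}  # hash-only backend
PLAINTEXT_STORE = {USER: PASSWORD}  # what CRAM-MD5 needs on the server

def demo():
    response = cram_md5_response(USER, PASSWORD, CHALLENGE)
    return {
        "cram_md5_with_plaintext_store": verify_cram_md5(response, CHALLENGE, PLAINTEXT_STORE),
        "cram_md5_without_plaintext": verify_cram_md5(response, CHALLENGE, {}),
        "plain_with_hashed_store": verify_plain(USER, PASSWORD, HASHED_STORE),
    }

if __name__ == "__main__":
    print(demo())
```

The client never sends the password in CRAM-MD5, only an HMAC keyed with it, so a backend that can only compare a presented password against a stored hash has nothing to verify.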