2009/10/14 Eero Volotinen <eero.voloti...@iki.fi>:
> Because of:
>
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server, do not announce
> or accept SASL authentication over unencrypted connections.
>
> This feature is available in Postfix 2.2 and later.
>
> you need to use openssl s_client -connect mailserver:port to get the auth
> advertising, so pure telnet is not an encrypted connection.
>
> Make sure that Nokia is really using encryption (TLS)

To expand on what Eero said, Postfix won't advertise AUTH unless the
connection is tunneled through TLS - it's because you have
"smtpd_tls_auth_only = yes".

Here's how I've tested your server; it looks as you'd expect once you
make a TLS connection. As for the use of CRAM-MD5, see Patrick's
notes.


furin...@shirayuki:~$ openssl s_client -connect mail.simonandkate.net:587 -starttls smtp
CONNECTED(00000003)
depth=1 /C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailaddress=ser...@simonandkate.net
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
 1 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPDCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCQVUx
<trimmed>
-----END CERTIFICATE-----
subject=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailaddress=ser...@simonandkate.net
issuer=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
---
No client certificate CA names sent
---
SSL handshake has read 2594 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 565F11F92AC11E91E1F356668B37675E03B3D2F929C5A83BA33183E8DA915308
    Session-ID-ctx:
    Master-Key: F0BF9E73B3880277076D5005E34B81CC9420B05A1A9B4CB5C0EECB0C8794F60E927053F77D20F0F680C72243F0FD778C
    Key-Arg   : None
    Start Time: 1255442651
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
EHLO shirayuki
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
DONE
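
The same check as a script, as an added example that is not part of the original message: it compares the EHLO reply before and after STARTTLS to confirm that AUTH is only advertised on the encrypted connection, which is what smtpd_tls_auth_only = yes should produce. The function names, the constructed plaintext reply and the host mail.example.test are assumptions; the post-TLS reply is the one from the transcript above.

```python
import smtplib
import ssl

# Constructed: plaintext EHLO reply as a server with smtpd_tls_auth_only = yes would send it.
PRE_TLS = """250-mail.example.test
250-PIPELINING
250-SIZE 26214400
250-STARTTLS
250 DSN"""

# EHLO reply after STARTTLS, copied from the transcript above.
POST_TLS = """250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

def keywords(ehlo_text):
    """EHLO keyword lines, with any '250-'/'250 ' reply prefix removed."""
    return [l[4:].strip() if l[:3] == "250" else l.strip()
            for l in ehlo_text.splitlines()]

def auth_mechs(ehlo_text):
    """SASL mechanisms from 'AUTH ...' and the legacy 'AUTH=...' line."""
    mechs = set()
    for kw in keywords(ehlo_text):
        if kw.upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(kw[5:].upper().split())
    return mechs

def check_tls_auth_only(pre_tls, post_tls):
    """Compare the EHLO replies seen before and after STARTTLS."""
    pre, post = auth_mechs(pre_tls), auth_mechs(post_tls)
    return {"starttls_offered": "STARTTLS" in (k.upper() for k in keywords(pre_tls)),
            "auth_before_tls": sorted(pre),
            "auth_after_tls": sorted(post),
            "tls_auth_only": not pre and bool(post)}

def probe(host, port=587, cafile=None):
    """Live check; cafile lets a private CA (as in the transcript) verify."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        pre = s.ehlo()[1].decode()      # capabilities on the plaintext connection
        s.starttls(context=ctx)
        post = s.ehlo()[1].decode()     # capabilities once TLS is up
    return check_tls_auth_only(pre, post)
```

Any entry in auth_before_tls means the server is offering SASL over an unencrypted connection.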
