On Wed, March 24, 2010 5:32 am, Victor Duchovni wrote:
> Disable SASL authentication for un-encrypted connections.
> Don't confuse SASL authentication (username/password typically to verify
> submission access rights) with session encryption (prevent passive wiretap
> of session).
> SASL and SSL are not the same thing.

Viktor,

I'm trying to review my own SMTP AUTH setup that I've been using since a while back, could you pls have a look if I'm missing something important:

postfix 2.4.5

# postconf -n | grep sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access hash:/etc/postfix/pop-before-smtp,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_no_checks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unlisted_recipient,
    check_sender_access hash:/etc/postfix/freemail_access,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:10031,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

# postconf -n | grep tls
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 36000s
tls_random_source = dev:/dev/urandom

in master.cf

submission inet n - n - - smtpd
  -o smtpd_tls_security_levels=encrypt
  -o smtpd_sasl_auth_enable=yes

thanks

--
Voytek
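
The advice quoted at the top (no SASL AUTH on unencrypted connections) can be checked mechanically against settings like the ones posted. The following is an added example, not part of the original message and not Postfix code: the function names and the CHECKED set are hypothetical, the inputs are constructed from the posted values, and legacy parameters such as smtpd_enforce_tls are not handled.

```python
# Added example. MAIN_CF and SUBMISSION_OVERRIDES are constructed inputs that
# copy the relevant settings from the message above.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""
SUBMISSION_OVERRIDES = ["smtpd_tls_security_levels=encrypt", "smtpd_sasl_auth_enable=yes"]
# Parameter names this check reads (hypothetical helper set, not a Postfix list).
CHECKED = {"smtpd_sasl_auth_enable", "smtpd_tls_auth_only", "smtpd_tls_security_level"}

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def effective(main, overrides):
    """Apply master.cf '-o name=value' overrides on top of the main.cf values."""
    merged = dict(main)
    for item in overrides:
        name, _, value = item.partition("=")
        merged[name.strip()] = value.strip()
    return merged

def auth_exposure(params):
    """Say whether SASL AUTH can be offered on an unencrypted session."""
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return "no-auth"
    if params.get("smtpd_tls_security_level") == "encrypt":
        return "tls-mandatory"
    if params.get("smtpd_tls_auth_only", "no") == "yes":
        return "auth-after-starttls"
    return "auth-in-cleartext"

def unchecked_overrides(main, overrides):
    """Override names absent from both main.cf and CHECKED: verify their spelling."""
    names = [o.partition("=")[0].strip() for o in overrides]
    return [n for n in names if n not in main and n not in CHECKED]

if __name__ == "__main__":
    sub = effective(parse_postconf(MAIN_CF), SUBMISSION_OVERRIDES)
    print(auth_exposure(sub), unchecked_overrides(parse_postconf(MAIN_CF), SUBMISSION_OVERRIDES))
```

An override name returned by unchecked_overrides is only a prompt to compare it against the Postfix parameter documentation; the classification itself reads the exact parameter names in CHECKED.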